Re: [PATCH] more SAK stuff

Rob Landley (landley@webofficenow.com)
Tue, 3 Jul 2001 18:00:50 -0400


On Monday 02 July 2001 15:10, Hua Zhong wrote:
> -> From Alan Cox <alan@lxorguk.ukuu.org.uk> :
> > > (a) It does less, namely will not kill processes with uid 0.
> > > Ted, any objections?
> >
> > That breaks the security guarantee. Suppose I use a setuid app to confuse
> > you into doing something ?
>
> a setuid app only changes euid, doesn't it?

Yup. And you'd be amazed how many fun little user mode things were either
never tested with the suid bit or obstinately refuse to run for no good
reason. (Okay, I made something like a sudo script. It's in a directory
that non-root users can't access and I'm being as careful as I know how to
be, but I've got a cgi that needs root access to query/set system and network
configuration.)

Off the top of my head, fun things you can't do suid root:

The samba adduser command. (But I CAN edit the smb.passwd file directly,
which got me around this.)

su without password (understandable, implementation detail. It's always
suid, being run by somebody other than root is how it knows when it NEEDS to
ask for a password. But when I want to DROP root privelidges... Wound up
making "suid-to" to do it.)

ps (What the...? Worked in Red Hat 7, but not in suse 7.1. Huh? "suid-to
apache ps ax" works fine, though...)

dhcpcd (I patched it and yelled at the maintainer of this months ago, should
be fixed now. But a clear case of checking uid when he meant euid, which is
outright PERVASIVE...).

I keep bumping into more of these all the time. Often it's fun little
warnings "you shouldn't have the suid bit on this executable", which is
frustrating 'cause I haven't GOT the suid bit on that executable, it
inherited it from its parent process, which DOES explicitly set the $PATH and
blank most of the environment variables and other fun stuff...)

By the way, anybody who knows why samba goes postal if you change the
hostname of the box while it's running, please explain it to me. It's happy
once HUPed, then again it execs itself. (Not nmbd. smbd. Why does it CARE?
And sshd has the most amazing timeouts if it can't do a reverse dns lookup
on the incoming IP, even if I tell it not to log!)

Apache has a similar problem, and HUP-ing it interrupts in-progress
transfers, which could be very large files, 'cause it execs itself. I made
that happy by telling it its host name was a dot notation IP address,
although that does mean that logging into a password protected web page using
the host name forces you to log in twice (again when it switches you to
http://1.2.3.4/blah...)

Fun, isn't it? :)

Alan's right. We DO need a rant tag.

Rob
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/