suid ineffective

Post by Matthew Elve » Wed, 18 Apr 2001 07:34:54



Hi.  I have been trying to set up a cgi that will run as a privileged user,
and am having trouble.

I've set up a cgi script that is suid the privileged user (not root!), and
the script runs, but it runs as nobody, even though it's suid'd.  In an
attempt to resolve the problem, I wrote a little C program that runs the
/bin/sh script, suid'd the executable, and yet the executable and the script
still run as the user 'nobody'.  I need the cgi to start a complex daemon
running as the privileged user -- nobody doesn't have the privileges to run
it.  What am I doing wrong?
I've poked around in the faq and manual, to no avail.

(Why I'm doing this:
-  The script does one fixed action, irrespective of how it's called, and is
accessible only to authorized users, so I think it's pretty safe.
-  SetUserID seems like massive overkill - besides, SetUserID _is_ a suid
root program, - and I can't seem to get suid programs to work...
I copied kill to /usr/local/apache/cgi-bin/killl, and suid'd it, and it can
be run from the script, _and_ runs as the privileged user.)

Setup:
Apache is running as nobody (as it should).
Linux, RH 6.2, Apache 1.3.14
chmod a+s /usr/local/apache/cgi-bin/myscriptOrExe
chown privuser:privuser /usr/local/apache/cgi-bin/myscriptOrExe

 
 
 

suid ineffective

Post by David Efflan » Wed, 18 Apr 2001 11:03:04



> Hi.  I have been trying to set up a cgi that will run as a privileged user,
> and am having trouble.

> I've set up a cgi script that is suid the privileged user (not root!), and
> the script runs, but it runs as nobody, even though it's suid'd.  In an
> attempt to resolve the problem, I wrote a little C program that runs the
> /bin/sh script, suid'd the executable, and yet the executable and the script
> still run as the user 'nobody'.  I need the cgi to start a complex daemon
> running as the privileged user -- nobody doesn't have the privileges to run
> it.  What am I doing wrong?
> I've poked around in the faq and manual, to no avail.

This is not really an Apache issue (unless attempting to use suexec).
Most systems ignore suid on scripts for security reasons.  You might
either need an suid C wrapper, or if it is a Perl script, you could use
suidperl in the first line instead of perl.  But you would need to untaint
all input and possibly explicitly set any necessary variables in the
environment like $ENV{PATH}.  See:  perldoc perlsec

Note that any time you edit or modify the suidperl script, you will need
to reset the suid bit.

> (Why I'm doing this:
> -  The script does one fixed action, irrespective of how it's called, and is
> accessible only to authorized users, so I think it's pretty safe.
> -  SetUserID seems like massive overkill - besides, SetUserID _is_ a suid
> root program, - and I can't seem to get suid programs to work...
> I copied kill to /usr/local/apache/cgi-bin/killl, and suid'd it, and it can
> be run from the script, _and_ runs as the privileged user.)

If SetUserID is referring to suexec, that only works in /~user/ URLs or
below the main DocumentRoot.  And the directory containing the script must
NOT have write permission for anyone else (in other words owned by
specified user and not more than 755 for dir or script).

Suid works for kill, because it is a binary, not a script.

> Setup:
> Apache is running as nobody (as it should).
> Linux, RH 6.2, Apache 1.3.14
> chmod a+s /usr/local/apache/cgi-bin/myscriptOrExe
> chown privuser:privuser /usr/local/apache/cgi-bin/myscriptOrExe

I don't know what chmod a+s does, but suid is chmod o+s (or 4755 max).
Who owns cgi-bin and what are its permissions?  Regardless, suexec would
likely fail there, but proper suid should work (it worked for me even with
suid root suidperl script).

--
David Efflandt  (Reply-To is valid)  http://www.de-srv.com/
http://www.autox.chicago.il.us/  http://www.berniesfloral.net/
http://cgi-help.virtualave.net/  http://hammer.prohosting.com/~cgi-wiz/

 
 
 

suid ineffective

Post by nob.. » Sun, 22 Apr 2001 02:14:50



> Linux, RH 6.2, Apache 1.3.14
> chmod a+s /usr/local/apache/cgi-bin/myscriptOrExe
> chown privuser:privuser /usr/local/apache/cgi-bin/myscriptOrExe

chown resets the suid bits

--
     \\   ( )
  .  _\\__[oo

 .  l___\\
  # ll  l\\
 ###LL  LL\\

 
 
 

suid ineffective

Post by William Ya » Thu, 03 May 2001 21:28:59




> Hi.  I have been trying to set up a cgi that will run as a privileged user,
> and am having trouble.

> I've set up a cgi script that is suid the privileged user (not root!), and
> the script runs, but it runs as nobody, even though it's suid'd.  In an
> attempt to resolve the problem, I wrote a little C program that runs the
> /bin/sh script, suid'd the executable, and yet the executable and the script
> still run as the user 'nobody'.  I need the cgi to start a complex daemon
> running as the privileged user -- nobody doesn't have the privileges to run
> it.  What am I doing wrong?
> I've poked around in the faq and manual, to no avail.

The script, on a well-behaved UNIX, probably won't run with extra
privileges, even with the setuid bit (mode 4555 or something like it)
set.  This does vary from UNIX to UNIX, and is probably a tunable
parameter (I never tried to turn it on, figuring that when I need to
change user IDs, I'll be sure to use compiled C!).

As I understand setuid operations, in order to become anyone OTHER
than the invoking user, the program making that user ID change must at
least temporarily have root privileges -- in a sane UNIX environment,
the only user that can change the UID of a process *is* uid 0 (root).

Thus, the C program needs to be chown'd to root, chmod'd something
like 4555, and that C program needs to properly use the setuid() and
possibly seteuid() system calls to run the process as the correct
user.

You also need to check the mount options on the filesystem where your
programs are, to be sure that the setuid bit can actually be
recognized.  It's not uncommon to mount a filesystem with the "nosuid"
option, which prevents the use of setuid programs on that filesystem.

        -Bill

William D Yang