Does Linux not allow use of chmod u+s


Post by Reaso » Tue, 17 Dec 2002 14:51:10



Hi,

Porting software from SCO OSRV to Linux ...

We have written and tested root wrapper programs. They work on SCO OSRV and
OU8. They do not work (yet) on Linux 7.2.
First we were using system().
Then we tried execv().

Is there a special Linux setting that we need to check?

Help please,
Stephen

 
 
 


Post by Frank Bal » Tue, 17 Dec 2002 14:58:26



} Hi,
}
} Porting software from SCO OSRV to Linux ...
}
} We have written and tested root wrapper programs. They work on SCO OSRV and
} OU8. They do not work (yet) on Linux 7.2.
} First we were using system().
} Then we tried execv().
}
} Is there a special Linux setting that we need to check?

chmod u+s works in linux, but not for scripts, only for compiled
binaries.  To execute scripts with root privileges as a user you need to
use sudo or super.



 
 
 


Post by Reaso » Tue, 17 Dec 2002 15:15:03


Hello Frank,


> chmod u+s works in linux, but not for scripts, only for compiled
> binaries.  To execute scripts with root privileges as a user you need to
> use sudo or super.

I am using that on a compiled program (see below).
The program then tries to call a script.

If Linux does not allow that, how do suid and super allow it?

Thanks,
Stephen

#include <stdio.h>
#include <string.h>
#include <unistd.h>
int main( int argc, char *argv[] )
{
  char cmand[4000];
  int error;
  strcpy( cmand, "/usr/CFSRUN/SCOWRAP/" );
  strcat( cmand, argv[1] );
  printf( "argv[1]=%s ;; cmand=%s ;;\n", argv[1], cmand );
  error = execv( cmand, ++argv );
  printf( "WRAP failure, error=%i \n", error );
  return error;
}

 
 
 


Post by Kasper Dupon » Tue, 17 Dec 2002 15:46:23



> Hello Frank,


> > chmod u+s works in linux, but not for scripts, only for compiled
> > binaries.  To execute scripts with root privileges as a user you need to
> > use sudo or super.

> I am using that on a compiled program (see below).
> The program then tries to call a script.

I'm not sure what will happen on execve if real uid is different
from effective uid. But you can surely call the script with the
permissions of the owner of the wrapper executable, you just have
to change the real uid to be equal to the effective uid. If you
need to know the old real uid for some reason store it away before
you change it.

But take care, you already have at least three security problems
in your program.


> If Linux does not allow that, how do suid and super allow it?

> Thanks,
> Stephen

> #include <stdio.h>
> #include <string.h>
> #include <unistd.h>
> int main( int argc, char *argv[] )
> {
>   char cmand[4000];
>   int error;
>   strcpy( cmand, "/usr/CFSRUN/SCOWRAP/" );
>   strcat( cmand, argv[1] );

    ^^^^^^^^^^^^^^^^^^^^^^^^^
    Here is a buffer overflow.

>   printf( "argv[1]=%s ;; cmand=%s ;;\n", argv[1], cmand );
>   error = execv( cmand, ++argv );

            ^^^^^  ^^^^^
                   Here you use the user supplied input without
                   validation. Imagine that the user could
                   include /../ in argv[1]
            Here you use the user supplied environment. You
            must never rely on the user supplied environment.
            Instead you should build your own, which can
            include a few known secure variables from the user
            environment, if that is desired. It probably should
            also contain the real uid value from before you
            changed it.

>   printf( "WRAP failure, error=%i \n", error );
>   return error;
> }

--
Kasper Dupont -- who spends too much time on usenet.

Who is the enemy in Aalborg?
 
 
 


Post by Bill Unr » Tue, 17 Dec 2002 15:48:35


]Hi,

]Porting software from SCO OSRV to Linux ...

A script cannot run suid root. This is a security thing.

]We have written and tested root wrapper programs. They work on SCO OSRV and
]OU8. They do not work (yet) on Linux 7.2.
]First we were using system().
]Then we tried execv().

Are you trying to hide from us what you are doing? Guessing games rarely
lead to useful exchanges.
Tell us what you are doing.

For a sample wrapper program see
www.theory.physics.ubc.ca/ppp-kill-wrapper.html

]Is there a special Linux setting that we need to check?

]Help please,
]Stephen

 
 
 


Post by Bill Unr » Tue, 17 Dec 2002 15:56:10


]Hello Frank,

]> chmod u+s works in linux, but not for scripts, only for compiled
]> binaries.  To execute scripts with root privileges as a user you need to
]> use sudo or super.

]I am using that on a compiled program (see below).
]The program then tries to call a script.

]If Linux does not allow that, how do suid and super allow it?

]Thanks,
]Stephen

]#include <stdio.h>
]#include <string.h>
]#include <unistd.h>
]int main( int argc, char *argv[] )
]{
]  char cmand[4000];
]  int error;
]  strcpy( cmand, "/usr/CFSRUN/SCOWRAP/" );
]  strcat( cmand, argv[1] );
]  printf( "argv[1]=%s ;; cmand=%s ;;\n", argv[1], cmand );
]  error = execv( cmand, ++argv );
]  printf( "WRAP failure, error=%i \n", error );
]  return error;
]}

Bad wrapper. It leaves the environment intact and that can cause a
security hole. Also, what is /usr/CFSRUN/SCOWRAP/ ? Do you actually have
that directory on your linux system? And is the arg[1] actually in that
directory?
You should NEVER EVER EVER use strcpy in an suid program. Never. That is
how buffer overflow attacks are born. So what if you reserve 4000
entries, the attacker just puts in an argv[1] that is 5000 characters
long.
Use strncpy and strncat instead.

 
 
 


Post by Bill Unr » Tue, 17 Dec 2002 16:01:03


]Hello Frank,

]> chmod u+s works in linux, but not for scripts, only for compiled
]> binaries.  To execute scripts with root privileges as a user you need to
]> use sudo or super.

]I am using that on a compiled program (see below).
]The program then tries to call a script.

]If Linux does not allow that, how do suid and super allow it?

]Thanks,
]Stephen

]#include <stdio.h>
]#include <string.h>
]#include <unistd.h>
]int main( int argc, char *argv[] )
]{
]  char cmand[4000];
]  int error;
]  strcpy( cmand, "/usr/CFSRUN/SCOWRAP/" );
]  strcat( cmand, argv[1] );
]  printf( "argv[1]=%s ;; cmand=%s ;;\n", argv[1], cmand );
]  error = execv( cmand, ++argv );
]  printf( "WRAP failure, error=%i \n", error );
]  return error;
]}

Oh, and you forgot to change uid to root before you ran execv.
suid does NOT make the uid of
a program root, it simply allows you to change to root if you want to.

You must do it yourself, and you should do so only for the minimum
needed to run the program you want, and change back immediately there is
an error or you have finished.

See www.theory.physics.ubc.ca/ppp-kill-wrapper.html
for an example.

 
 
 


Post by Kasper Dupon » Tue, 17 Dec 2002 19:16:13



> You should NEVER EVER EVER use strcpy in an suid program. Never. That is
> how buffer overflow attacks are born. So what if you reserve 4000
> entries, the attacker just puts in an argv[1] that is 5000 characters
> long.
> Use strncpy and strncat instead.

It is safe to use strcpy if you first ensure the string is not too long.
Another safe solution would be: if (strlen(argv[1])>3000) return 1;

--
Kasper Dupont -- who spends too much time on usenet.

Who is the enemy in Aalborg?

 
 
 


Post by Kasper Dupon » Tue, 17 Dec 2002 19:22:56



> Hello Frank,


> > chmod u+s works in linux, but not for scripts, only for compiled
> > binaries.  To execute scripts with root privileges as a user you need to
> > use sudo or super.

> I am using that on a compiled program (see below).
> The program then tries to call a script.

> If Linux does not allow that, how do suid and super allow it?

> Thanks,
> Stephen

Another few problems came to my mind, one of which might
influence the security:

> #include <stdio.h>
> #include <string.h>
> #include <unistd.h>
> int main( int argc, char *argv[] )
> {
>   char cmand[4000];
>   int error;
>   strcpy( cmand, "/usr/CFSRUN/SCOWRAP/" );
>   strcat( cmand, argv[1] );

                   ^^^^^^^
                   You have not even verified the existence
                   of argv[1] or even argv[0] for that matter.
                   Check argc before you do anything else.

>   printf( "argv[1]=%s ;; cmand=%s ;;\n", argv[1], cmand );
>   error = execv( cmand, ++argv );

                          ^^
                   Why ++ here? Why not just argv+1 which
                   would be more clear.

>   printf( "WRAP failure, error=%i \n", error );
>   return error;

    Is return error really correct here?
    Wouldn't return 1 or return EXIT_FAILURE
    be better?

> }

--
Kasper Dupont -- who spends too much time on usenet.

Who is the enemy in Aalborg?
 
 
 


Post by D.C. van Moolenbroe » Wed, 18 Dec 2002 02:19:10



> >   error = execv( cmand, ++argv );
(...)
> >   printf( "WRAP failure, error=%i \n", error );
> >   return error;

>     Is return error really correct here?
>     Wouldn't return 1 or return EXIT_FAILURE
>     be better?

Another detail: if execv() returns, its return value will always be -1 (from
man execv), and "errno" will contain the real error value. Using perror()
instead of the printf() call would take care of that. Additionally, I don't
think errno is theoretically limited to a maximum value of 255 anywhere, so
using that as the program's return value instead would be a bad idea as
well...yet another reason to use EXIT_* defines indeed.

Regards,

David

--
class sig{static void main(String[]s){for// D.C. van Moolenbroek
(int _=0;19>_;System.out.print((char)(52^// (CS student, VU, NL)
"Y`KbddaZ}`P#KJ#caBG".charAt(_++)-9)));}}// -Java sigs look bad-

 
 
 


Post by Reaso » Wed, 18 Dec 2002 09:55:58


> Another detail: if execv() returns, its return value will always be -1 (from
> man execv), and "errno" will contain the real error value. Using perror()
> instead of the printf() call would take care of that.

I have implemented your advice.

Thanks,
Stephen

 
 
 


Post by Reaso » Wed, 18 Dec 2002 09:57:15


Hello Bill,

> Oh, and you forgot to change uid to root before you ran execv.
> suid does NOT make the uid of
> a program root, it simply allows you to change to root if you want to.

> You must do it yourself, and you should do so only for the minimum
> needed to run the program you want, and change back immediately there is
> an error or you have finished.

> See www.theory.physics.ubc.ca/ppp-kill-wrapper.html
> for an example.

This advice has allowed me to solve my problem.

Thanks,
Stephen

 
 
 


Post by Reaso » Wed, 18 Dec 2002 09:58:02


> > You should NEVER EVER EVER use strcpy in an suid program. Never. That is
> > how buffer overflow attacks are born. So what if you reserve 4000
> > entries, the attacker just puts in an argv[1] that is 5000 characters
> > long.
> > Use strncpy and strncat instead.

> It is safe to use strcpy if you first ensure the string is not too long.
> Another safe solution would be: if (strlen(argv[1])>3000) return 1;

I have adjusted the program per that advice.

Thanks,
Stephen

 
 
 


Post by Reaso » Wed, 18 Dec 2002 10:00:11


Hi Kasper,

Your advice has been helpful.

Thanks,
Stephen
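
The review points raised in this thread (check argc, bound the length, reject path components in argv[1], build a fresh environment, set the real uid equal to the effective uid, report failure with perror and EXIT_FAILURE) combined into one wrapper, as an added example that is not code from any poster above. The PATH value and the WRAP_REAL_UID variable name are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define WRAP_DIR "/usr/CFSRUN/SCOWRAP/"   /* directory from the original post */

/* Build WRAP_DIR + name into out. Returns 0 on success, -1 if name is
 * missing, empty, "." or "..", contains '/', or does not fit in out. */
int build_target(const char *name, char *out, size_t outlen)
{
    if (name == NULL || name[0] == '\0')
        return -1;
    if (strchr(name, '/') != NULL)          /* no path components, so no /../ */
        return -1;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return -1;
    int n = snprintf(out, outlen, "%s%s", WRAP_DIR, name);
    if (n < 0 || (size_t)n >= outlen)       /* would be truncated: refuse */
        return -1;
    return 0;
}

int main(int argc, char *argv[])
{
    char target[4096];
    char uidvar[64];
    /* Environment built by the wrapper itself; the PATH value is an assumption. */
    char *envp[] = { "PATH=/usr/bin:/bin", uidvar, NULL };

    if (argc < 2 || build_target(argv[1], target, sizeof target) != 0) {
        fprintf(stderr, "usage: wrap <script-name> [args...]\n");
        return EXIT_FAILURE;
    }
    /* Pass the caller's real uid to the script (variable name is hypothetical). */
    snprintf(uidvar, sizeof uidvar, "WRAP_REAL_UID=%ld", (long)getuid());

    /* Make the real gid and uid equal to the effective ones before exec. */
    if (setgid(getegid()) != 0 || setuid(geteuid()) != 0) {
        perror("setuid");
        return EXIT_FAILURE;
    }
    execve(target, argv + 1, envp);
    perror("execve");                       /* reached only if execve failed */
    return EXIT_FAILURE;
}
```
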

 
 
 


Post by D. Stuss » Thu, 19 Dec 2002 08:18:33



>Hi,

>Porting software from SCO OSRV to Linux ...

>We have written and tested root wrapper programs. They work on SCO OSRV and
>OU8. They do not work (yet) on Linux 7.2.

What is "Linux 7.2"?  Perhaps you mean a version of someone's packaging of
linux, such as that of Red Hat?

>First we were using system().
>Then we tried execv().

>Is there a special Linux setting that we need to check?

No.  "u+s" is supported on those filesystems that have it.