Re: [Bastille-linux-discuss] usernetctl SUID toggle on Linux
From: Jay B. <ja...@ba...> - 2004-09-21 20:13:07
John Dalbec wrote:

> Jay Beale wrote:
>
>> Thanks John!!!
>>
>> Good find.
>>
>> OK, the fix for this one seemed like it would be simple until I looked
>> at the code. Then it got complicated. Then it got simple again.
>>
>> The problem is that our chmod is a wrapped version of Perl's chmod,
>> which doesn't do symbolic things like "o-x" (remove execute capability
>> from non owners/group-owners). So to remove execute, we were setting
>> the entire permission on the file, in this case to 04750.
>>
>> So I made our chmod more granular, by giving it the capability to
>> support symbolic arguments while leaving it capable of handling
>> numeric arguments. And then I altered the item to use it, like so:
>>
>> $ diff FilePermissions.pm{,.orig}
>> 239,241c239
>> < # &B_chmod_if_exists(04750,"/usr/sbin/usernetctl");
>> < &B_chmod_if_exists("o-rwx","/usr/sbin/usernetctl");
>> < &B_chmod_if_exists("g-w","/usr/sbin/usernetctl");
>
> So now you could also do:
>
> # &B_chmod_if_exists(02750,"/usr/sbin/lpc");
> &B_chmod_if_exists("o-rwx","/usr/sbin/lpc");
> &B_chmod_if_exists("g-w","/usr/sbin/lpc");
>
> and
>
> # &B_chmod_if_exists(04755,"/usr/bin/lpr");
> &B_chmod_if_exists("o-w","/usr/bin/lpr");
> &B_chmod_if_exists("g-w","/usr/bin/lpr");

Of course -- I just committed it.

> The status quo is annoying because neither of these programs is
> setuid by default in LPRng. (Can your chmod handle "go-w"?)

It can handle go-w. My chmod _can_ handle everything you'd do normally
except +/- X, which is a little-used feature that sets something
executable only if it is either a directory or already executable for
another class. That feature, which I think of as "chmod executable when
appropriate", is not something I knew existed until I read the chmod man
page. I'll add it soon.

> PS: You may also want to look at dump, netreport, restore, gpasswd, and
> userhelper to see whether they could benefit from a symbolic chmod.
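Review bot: in the 239,241c239 hunk the old call is kept as the comment `# &B_chmod_if_exists(04750,"/usr/sbin/usernetctl");` next to the two live calls; drop it rather than leave dead code in the item, since that numeric form is exactly what turned the setuid bit on for a usernetctl that was not setuid. Note also that `o-rwx` and `g-w` only ever clear bits: unlike 04750 they never add group r-x or setuid, which is the safe direction for a hardening tool, but it means the resulting mode depends on what the distribution shipped rather than being a fixed 04750.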
Definitely -- I was actually planning on auditing that entire item to
change all of those items to symbolic chmod's. This helps with running
safely on new platforms, where they'll be removing SUID or changing the
groups or such on these things.

- Jay

>
>> ---
>> > &B_chmod_if_exists(04750,"/usr/sbin/usernetctl");
>>
>> I've made this change on our trunk, rather than on the stable branch,
>> so I'll have to backport it later to get a soon-release. For a
>> workaround, simply comment out the following line and bastille -b:
>>
>> &B_chmod_if_exists(04750,"/usr/sbin/usernetctl");
>>
>> Non-developers should stop reading now.
>>
>> <time passes>
>>
>> Ahh, the crowd has thinned a bit.
>>
>> The following has been added to B_chmod's description:
>>
>> < # &B_chmod ($mode_changes,$file) also respects the symbolic methods of
>> < # changing file permissions, which are often what question authors are
>> < # really seeking.
>> < #
>> < # &B_chmod ("u-s" , "/bin/mount")
>> < # or
>> < # &B_chmod ("go-rwx", "/bin/mount")
>> < #
>> < #
>>
>> Because of the way the routine works, this was easy to bolt on without
>> kludgery. We were already stat'ing files before chmod'ing them, so now
>> we just calculate the new numeric permission based on OR-ing or
>> XOR-ing the current file mode with the appropriate octal number, based
>> on the options to chmod.
>>
>> The algorithm is described here:
>>
>> < # We calculate the new permissions by applying a bitmask to
>> < # the current permissions, by OR-ing (for +) or XOR-ing (for -).
>> < #
>> < # We create this mask by first calculating a perm_mask that forms
>> < # the right side of this, then multiplying it by 8 raised to the
>> < # appropriate power to affect the correct digit of the octal mask.
>> < # This means that we raise 8 to the power of 0,1,2, or 3, based on
>> < # the noun of "other","group","user", or "suid/sgid/sticky".
>> < #
>> < # Actually, we handle multiple nouns by summing powers of 8.
>> < #
>> < # The only tough part is that we have to handle suid/sgid/sticky
>> < # differently.
>> < #
>> <
>> < # We're going to calculate a mask to OR or XOR with the current
>> < # file mode. This mask is $mask. We calculate this by calculating
>> < # a sum of powers of 8, corresponding to user/group/other,
>> < # multiplied with a $premask. The $premask is simply the
>> < # corresponding bitwise expression of the rwx bits.
>> < #
>> < # To handle SUID, SGID or sticky in the simplest way possible, we
>> < # simply add their values to the $mask first.
>>
>> - Jay
>>
>> John Dalbec wrote:
>>
>>> If I configure Bastille to remove the setuid bit from usernetctl and
>>> run the backend:
>>>
>>> If usernetctl is setuid then the setuid bit is removed as requested.
>>>
>>> If usernetctl is not setuid then the question is ignored because of
>>> the setuid test. FilePermissions.pm then turns on the setuid bit
>>> (mode 4750) and doesn't turn it back off because the question was
>>> ignored.
>>>
>>> How should this be fixed?
>>> Thanks,
>>> John
>>>
>>> -------------------------------------------------------
>>> This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
>>> Project Admins to receive an Apple iPod Mini FREE for your judgement on
>>> who ports your project to Linux PPC the best. Sponsored by IBM.
>>> Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
>>> _______________________________________________
>>> bastille-linux-discuss mailing list
>>> bas...@li...
>>> https://lists.sourceforge.net/lists/listinfo/bastille-linux-discuss
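Review bot: the B_chmod description says bits are removed by XOR-ing the current mode with the mask, and if the code does what the comment says that is a logic problem: XOR toggles, so a `-` operation on a bit that is already clear sets it. With `&B_chmod ("u-s", "/bin/mount")` on a mount that is already 0755, 0755 ^ 04000 yields 04755 and the file becomes setuid; with `o-x` on a 0644 file, 0644 ^ 0001 yields 0645. Clear with AND against the complement instead (`$mode & ~$mask`), which, like OR for `+`, is idempotent, so re-running bastille -b leaves the mode alone; the same applies to the SUID/SGID/sticky values added to $mask first. Fix the comment block to say AND-NOT, and add a test that applies the same `-` spec twice and checks the mode is unchanged the second time.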
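The mask computation discussed above (an rwx premask multiplied by a power of 8 per class, SUID/SGID/sticky added to the mask directly, OR for `+`), as an added example in Python that is not Bastille's B_chmod and not code from anyone in this thread. It removes bits with AND-NOT rather than XOR, implements the `X` rule Jay describes (execute only for directories or files already executable for some class) and the `=` form, and includes an `xor_remove` helper only to show what XOR does to an already-clear bit. The function names, the `=` semantics for the special bits, and the umask-free treatment of a bare `+`/`-` clause are this example's own assumptions; the constructed modes in the demo mirror the usernetctl case.

```python
"""Symbolic chmod ("u-s", "go-w", "a+X") applied to a numeric mode as a
bitmask. Added example, not Bastille's B_chmod. Clears bits with AND-NOT
rather than XOR so that repeated application is a no-op."""
import os
import stat
import tempfile

PERM_BITS = {"r": 4, "w": 2, "x": 1}     # the rwx "premask"
CLASS_SHIFT = {"u": 6, "g": 3, "o": 0}   # multiply by 8**2, 8**1, 8**0


def build_mask(classes, perms, current_mode):
    """Mask covering `perms` for every class letter in `classes`."""
    mask = 0
    for cls in classes:
        shift = CLASS_SHIFT[cls]
        for p in perms:
            if p in PERM_BITS:
                mask |= PERM_BITS[p] << shift
            elif p == "X":
                # chmod's X: execute only for directories or for files that
                # are already executable for at least one class.
                if stat.S_ISDIR(current_mode) or current_mode & 0o111:
                    mask |= 1 << shift
            elif p == "s":
                # setuid/setgid live in the top octal digit; "o+s" is a no-op.
                if cls == "u":
                    mask |= stat.S_ISUID
                elif cls == "g":
                    mask |= stat.S_ISGID
            elif p == "t":
                mask |= stat.S_ISVTX
            else:
                raise ValueError(f"unknown permission letter {p!r}")
    return mask


def apply_symbolic(mode, spec):
    """Return `mode` with the comma-separated symbolic `spec` applied.
    File-type bits in `mode` are preserved; only the 07777 bits change."""
    for clause in spec.split(","):
        i = 0
        while i < len(clause) and clause[i] in "ugoa":
            i += 1
        classes = clause[:i] or "a"
        if "a" in classes:
            classes = "ugo"  # assumption: a bare clause means all, no umask
        if i == len(clause) or clause[i] not in "+-=":
            raise ValueError(f"bad clause {clause!r}")
        op, perms = clause[i], clause[i + 1:]
        mask = build_mask(classes, perms, mode)
        if op == "+":
            mode |= mask          # OR is idempotent
        elif op == "-":
            mode &= ~mask         # AND-NOT is idempotent; XOR would toggle
        else:
            # '=' (assumed semantics): drop rwx and the class's setuid/setgid
            # bit, then set exactly the requested bits.
            clear = 0
            for cls in classes:
                clear |= 7 << CLASS_SHIFT[cls]
                if cls == "u":
                    clear |= stat.S_ISUID
                elif cls == "g":
                    clear |= stat.S_ISGID
            mode = (mode & ~clear) | mask
    return mode


def xor_remove(mode, mask):
    """The '-' operation as the thread's comment describes it: XOR toggles,
    so a bit that is already clear comes back set. For contrast only."""
    return mode ^ mask


def chmod_symbolic(path, spec):
    """stat the file, apply `spec`, chmod, and return the new 07777 bits."""
    st = os.stat(path)
    os.chmod(path, stat.S_IMODE(apply_symbolic(st.st_mode, spec)))
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Round trip through a real temp file (constructed, starts at 04755)."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        path = f.name
    try:
        os.chmod(path, 0o4755)
        first = chmod_symbolic(path, "o-rwx,g-w,u-s")   # 0o750
        second = chmod_symbolic(path, "u-s")             # still 0o750
        return first, second
    finally:
        os.unlink(path)
```

The point of `xor_remove` is the regression the thread's description invites: `apply_symbolic(0o755, "u-s")` leaves the mode at 0755, while XOR-ing the same mode with 04000 produces 04755 and makes the file setuid.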