Re: A question on setting setuid bit
LEE, Yui-wah (Clement) writes (Re: A question on setting setuid bit):
> This is an experimental package that we built and evaluate internally (up to this moment). The program that needs setuid is a cgi-bin program that is invoked by apache2, which runs as a regular user www-data. The cgi-bin program however needs to interact with iptables.

I see.

> I know setuid programs are risky but I haven't got the time to address the security risk yet (one thing at a time ... :-)

Can I plug my pre-prepared answer to this question? `userv' can let you do this kind of thing very straightforwardly with a minimum of risk of writing all of the kinds of bugs that set-id involves.

Ian.
Re: A question on setting setuid bit
On Friday 07 July 2006 at 23:54 +0200, Javier Fernández-Sanguino Peña wrote:
> I can do the security risk analysis for you: granting remote root through a web server application is a recipe for disaster, those tactics were (or should have been) abandoned ages ago.

Unfortunately webmin is still in use in many setups...

Josselin Mouette
Re: A question on setting setuid bit
LEE, Yui-wah (Clement) writes (Re: A question on setting setuid bit):
> This is an experimental package that we built and evaluate internally (up to this moment). The program that needs setuid is a cgi-bin program that is invoked by apache2, which runs as a regular user www-data. The cgi-bin program however needs to interact with iptables.

!

This is a very risky way to go about things. You desperately need to have a competent security expert go over your design.

Also, I'd like to plug my program `userv' which can help solve some of these problems - but you have to get the design right to get the best out of it.

Ian.
Re: A question on setting setuid bit
LEE, Yui-wah (Clement) writes (A question on setting setuid bit):
> I am building a package in which one of the binaries has to have the setuid and setgid bits set. I wonder which one of the following two is the more appropriate method to use?

Forgive my scepticism, but which package, and why? set-id bits should not be set lightly and they should only be used after careful consideration by experts.

Ian.
Re: A question on setting setuid bit
Hi,

This is an experimental package that we built and evaluate internally (up to this moment). The program that needs setuid is a cgi-bin program that is invoked by apache2, which runs as a regular user www-data. The cgi-bin program however needs to interact with iptables.

I know setuid programs are risky but I haven't got the time to address the security risk yet (one thing at a time ... :-)

Thanks for the alert.

Clement

On Fri, 7 Jul 2006, Ian Jackson wrote:
> LEE, Yui-wah (Clement) writes (A question on setting setuid bit):
> > I am building a package in which one of the binaries has to have the setuid and setgid bits set. I wonder which one of the following two is the more appropriate method to use?
>
> Forgive my scepticism, but which package, and why? set-id bits should not be set lightly and they should only be used after careful consideration by experts.
>
> Ian.
Re: A question on setting setuid bit
On Fri, Jul 07, 2006 at 04:42:47PM -0400, LEE, Yui-wah (Clement) wrote:
> Hi,
>
> This is an experimental package that we built and evaluate internally (up to this moment). The program that needs setuid is a cgi-bin program that is invoked by apache2, which runs as a regular user www-data. The cgi-bin program however needs to interact with iptables.

You are setting up an iptables interface through a setuid *root* cgi-bin? If so: !

> I know setuid programs are risky but I haven't got the time to address the security risk yet (one thing at a time ... :-)

I can do the security risk analysis for you: granting remote root through a web server application is a recipe for disaster, those tactics were (or should have been) abandoned ages ago.

Either you make really damn sure that the cgi-bin is not exploitable through fascist input data validation and a tight SELinux policy, or you remove the setuid bit and try to make the functionality you need through other mechanisms. For example: a cgi-bin that locally communicates with a separate daemon and asks it to pretty please set up an iptables rule. If you do this the separate daemon can be very strict in what it permits and can do additional data validation; additionally, a failure in the cgi-bin (i.e. a buffer overflow or similar programming mistake) does not equal a remote root compromise (at most a remote www-data, although that's bad enough already).

Just my 2c.

Javier
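The privilege-separated design Javier describes (an unprivileged cgi-bin asking a separate, strict daemon to add a rule), as an added Python illustration that is not code from this thread; the one-line request format, the `block`/`unblock` actions, the DROP rule shape and the socketpair standing in for the daemon's Unix socket are assumptions of the example, and the privileged side only records the argv it would run instead of invoking iptables.

```python
import ipaddress
import socket
import threading

# Whitelist of actions the privileged side will carry out, mapped to the
# iptables flag it chooses itself; the web side never supplies flags.
ACTIONS = {"block": "-I", "unblock": "-D"}
MAX_REQUEST = 64  # bytes; a request is "<action> <ipv4>\n", nothing more


def parse_request(raw: bytes):
    """Return the iptables argv for a valid request, or None to refuse it.

    Validation is whitelist-based: ASCII only, exactly two tokens, a known
    action and a well-formed unicast IPv4 address. The address written into
    argv is re-serialised from the parsed object, never copied from input.
    """
    if len(raw) > MAX_REQUEST or not raw.endswith(b"\n"):
        return None
    try:
        parts = raw.decode("ascii").strip().split(" ")
    except UnicodeDecodeError:
        return None
    if len(parts) != 2 or parts[0] not in ACTIONS:
        return None
    try:
        addr = ipaddress.IPv4Address(parts[1])
    except ValueError:
        return None
    if (addr.is_loopback or addr.is_multicast or addr.is_unspecified
            or addr.is_link_local or addr.is_reserved):
        return None
    return ["iptables", ACTIONS[parts[0]], "INPUT", "-s", str(addr), "-j", "DROP"]


def privileged_side(conn: socket.socket, run) -> None:
    """Daemon end: read one request, validate it, act through run(argv), reply."""
    with conn:
        argv = parse_request(conn.recv(MAX_REQUEST + 1))
        if argv is None:
            conn.sendall(b"ERR refused\n")  # reply without echoing the input
            return
        run(argv)
        conn.sendall(b"OK\n")


def web_side(conn: socket.socket, action: str, ip: str) -> bytes:
    """CGI end: runs as www-data, sends one line, reads the one-line reply."""
    with conn:
        conn.sendall(f"{action} {ip}\n".encode("ascii", "replace"))
        return conn.recv(MAX_REQUEST)


def exchange(action: str, ip: str):
    """Drive one request over a socketpair (stand-in for the daemon's Unix
    socket); return (reply, list of argv the privileged side would run).
    A real daemon would subprocess.run(argv); here it is only recorded."""
    executed = []
    daemon_sock, cgi_sock = socket.socketpair()
    worker = threading.Thread(target=privileged_side,
                              args=(daemon_sock, executed.append))
    worker.start()
    reply = web_side(cgi_sock, action, ip)
    worker.join()
    return reply, executed
```

Because the daemon builds argv itself and refuses anything outside the two-token grammar, a bug on the www-data side can at worst send a refused request, not extra iptables arguments.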
Re: A question on setting setuid bit
Hi,

Thanks for articulating the risk. We will address it later. The machines involved are experimental prototypes not production machines.

Clement

On Fri, 7 Jul 2006, Javier Fernández-Sanguino Peña wrote:
> On Fri, Jul 07, 2006 at 04:42:47PM -0400, LEE, Yui-wah (Clement) wrote:
> > Hi,
> >
> > This is an experimental package that we built and evaluate internally (up to this moment). The program that needs setuid is a cgi-bin program that is invoked by apache2, which runs as a regular user www-data. The cgi-bin program however needs to interact with iptables.
>
> You are setting up an iptables interface through a setuid *root* cgi-bin? If so: !
>
> > I know setuid programs are risky but I haven't got the time to address the security risk yet (one thing at a time ... :-)
>
> I can do the security risk analysis for you: granting remote root through a web server application is a recipe for disaster, those tactics were (or should have been) abandoned ages ago.
>
> Either you make really damn sure that the cgi-bin is not exploitable through fascist input data validation and a tight SELinux policy, or you remove the setuid bit and try to make the functionality you need through other mechanisms. For example: a cgi-bin that locally communicates with a separate daemon and asks it to pretty please set up an iptables rule. If you do this the separate daemon can be very strict in what it permits and can do additional data validation; additionally, a failure in the cgi-bin (i.e. a buffer overflow or similar programming mistake) does not equal a remote root compromise (at most a remote www-data, although that's bad enough already).
>
> Just my 2c.
>
> Javier
Re: A question on setting setuid bit
On Thursday 06 July 2006 at 07:36 +1000, Matthew Palmer wrote:
> [about suid bits] My personal preference would be for the maintainer to just take a stand, set it or not, and let people who actually know what's going on use dpkg-statoverride to fix the problem to their satisfaction. (This actually also applies to man-db and cdrecord, as it happens, but there's a lot of inertia to overcome there).

In that case, does it make sense to prompt the admin once from the postinst script with a message such as:

    Warning: such file from such package installed with suid bit. If this is unacceptable at your site, use dpkg-statoverride to clear this bit.

?

Thibaut.
Re: A question on setting setuid bit
On Thu, Jul 06, 2006 at 11:13:30AM +0200, Thibaut Paumard wrote:
> In that case, does it make sense to prompt the admin once from the postinst script with a message such as:
>
>     Warning: such file from such package installed with suid bit. If this is unacceptable at your site, use dpkg-statoverride to clear this bit.
>
> ?

no, i'd say put that in README.Debian, explaining why it may be needed and why you've chosen to include it or not include it. if the local admin really cares about setuid bits, they probably have something watching for them anyway.

sean
Re: A question on setting setuid bit
Thibaut Paumard [EMAIL PROTECTED] wrote:
> On Thursday 06 July 2006 at 07:36 +1000, Matthew Palmer wrote:
> > [about suid bits] My personal preference would be for the maintainer to just take a stand, set it or not, and let people who actually know what's going on use dpkg-statoverride to fix the problem to their satisfaction. (This actually also applies to man-db and cdrecord, as it happens, but there's a lot of inertia to overcome there).
>
> In that case, does it make sense to prompt the admin once from the postinst script with a message such as:
>
>     Warning: such file from such package installed with suid bit. If this is unacceptable at your site, use dpkg-statoverride to clear this bit.
>
> ?

I don't think so. If it is important enough to justify such a warning, the default should rather be not to set the setuid bit. On the other hand, if it isn't so important, a note in README.Debian (and the relevant manpages) is sufficient.

Regards, Frank

Frank Küster, Single Molecule Spectroscopy, Protein Folding @ Inst. f. Biochemie, Univ. Zürich, Debian Developer (teTeX)
Re: A question on setting setuid bit
Hi,

Thanks for all the responses. I finally settled with the suggestion of Matt (install with the right permissions, and then use dh_fixperms -X to exclude these files' permissions from being reset to Debian's default values).

Thanks!

Clement

On Wed, 5 Jul 2006, Matthew Palmer wrote:
> The correct answer, in this case, is to ensure that the file in the package has the appropriate permissions, and then use the -X option to dh_fixperms to ensure that fixperms doesn't turn the permissions back to the default.
>
> - Matt
Re: A question on setting setuid bit
On Thu, Jul 06, 2006 at 11:13:30AM +0200, Thibaut Paumard wrote:
> On Thursday 06 July 2006 at 07:36 +1000, Matthew Palmer wrote:
> > [about suid bits] My personal preference would be for the maintainer to just take a stand, set it or not, and let people who actually know what's going on use dpkg-statoverride to fix the problem to their satisfaction. (This actually also applies to man-db and cdrecord, as it happens, but there's a lot of inertia to overcome there).
>
> In that case, does it make sense to prompt the admin once from the postinst script with a message such as:
>
>     Warning: such file from such package installed with suid bit. If this is unacceptable at your site, use dpkg-statoverride to clear this bit.
>
> ?

Dear ghods no. For all the reasons previously mentioned, and more.

- Matt
Re: A question on setting setuid bit
Bartosz Fenski aka fEnIo wrote:
> 3. Use dpkg-statoverride in your postinst script.

Don't do this, just ship the file in the package with the correct permissions. dpkg-statoverride is (mostly) an admin tool which lets you change default permissions. See http://lists.debian.org/debian-devel/2001/05/msg00149.html and the thread surrounding it for more information.

- tfheen
Re: A question on setting setuid bit
On Wed, Jul 05, 2006 at 07:34:02AM +0200, Bartosz Fenski aka fEnIo wrote:
> On Tue, Jul 04, 2006 at 08:37:52PM -0400, LEE, Yui-wah (Clement) wrote:
> > I am building a package in which one of the binaries has to have the setuid and setgid bits set. I wonder which one of the following two is the more appropriate method to use?
> >
> > 1. Use install -m 6755 file dir in the install target of the Makefile. However, I already tried this method and it did not work. The install program that I am using is part of the GNU coreutils. I could not find any specific confirmation that the setuid and setgid bits (i.e. the first digit 6 in the numeric mode 6755) can be used with the install program (the document says only that the -m switch works as in chmod).
> >
> > 2. Add a chmod ug+s command in the postinst script.
>
> 3. Use dpkg-statoverride in your postinst script.

dpkg-statoverride is a tool for the system administrator to specify a different mode or ownership for a file to that which is provided in the package. It is not meant to be used by the package.

The correct answer, in this case, is to ensure that the file in the package has the appropriate permissions, and then use the -X option to dh_fixperms to ensure that fixperms doesn't turn the permissions back to the default.

- Matt
Re: A question on setting setuid bit
On Wed, Jul 05, 2006 at 04:39:12PM +1000, Matthew Palmer wrote:
> dpkg-statoverride is a tool for the system administrator to specify a different mode or ownership for a file to that which is provided in the package. It is not meant to be used by the package.

there are cases where it's appropriate for a package to use it. for example, if the package creates the user that is supposed to own a file, and later changes the ownership to that user in the maintscripts. in this case it would be appropriate to use this tool to check if the local admin has overridden the permissions, and if so, keep the permissions respected. but otherwise:

> The correct answer, in this case, is to ensure that the file in the package has the appropriate permissions, and then use the -X option to dh_fixperms to ensure that fixperms doesn't turn the permissions back to the default.

this would be the reasonable approach if the user already exists.

sean
Re: A question on setting setuid bit
On Tue, Jul 04, 2006 at 08:37:52PM -0400, LEE, Yui-wah (Clement) wrote:
> I am building a package in which one of the binaries has to have the setuid and setgid bits set. I wonder which one of the following two is the more appropriate method to use?

It looks like you've got the answer to this already, but it is worth considering whether the bit needs to be set by default. Perhaps a debconf question like man-db, or cdrecord, could allow the user to disable/enable this.

I'd want to be extremely sure that the package had no buggy code before installing it setuid/setgid. If you'd like somebody to check over the code for you, or as a second pair of eyes, then please consider asking the auditing people: http://shellcode.org/mailman/listinfo/debian-audit

Steve
Re: A question on setting setuid bit
* sean finney
| On Wed, Jul 05, 2006 at 04:39:12PM +1000, Matthew Palmer wrote:
| > dpkg-statoverride is a tool for the system administrator to specify a
| > different mode or ownership for a file to that which is provided in the
| > package. It is not meant to be used by the package.
|
| there are cases where it's appropriate for a package to use it. for
| example, if the package creates the user that is supposed to own a file,
| and later changes the ownership to that user in the maintscripts.

If so, create the user in preinst and it'll work just fine.

Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
Re: A question on setting setuid bit
On Wed, Jul 05, 2006 at 03:25:37PM +0200, Tollef Fog Heen wrote:
> | On Wed, Jul 05, 2006 at 04:39:12PM +1000, Matthew Palmer wrote:
> | > dpkg-statoverride is a tool for the system administrator to specify a
> | > different mode or ownership for a file to that which is provided in the
> | > package. It is not meant to be used by the package.
> |
> | there are cases where it's appropriate for a package to use it. for
> | example, if the package creates the user that is supposed to own a file,
> | and later changes the ownership to that user in the maintscripts.
>
> If so, create the user in preinst and it'll work just fine.

the next sentence, which you conveniently cut out, explains exactly why this won't work just fine :)

sean
Re: A question on setting setuid bit
On Wed, Jul 05, 2006 at 04:02:43AM -0400, sean finney wrote:
> On Wed, Jul 05, 2006 at 04:39:12PM +1000, Matthew Palmer wrote:
> > dpkg-statoverride is a tool for the system administrator to specify a different mode or ownership for a file to that which is provided in the package. It is not meant to be used by the package.
>
> there are cases where it's appropriate for a package to use it. for example, if the package creates the user that is supposed to own a file, and later changes the ownership to that user in the maintscripts. in this case it would be appropriate to use this tool to check if the local admin has overridden the permissions, and if so, keep the permissions respected.

There are two cases where shipping the binary with the correct ownership or permission is not possible:

* the user meant to own the files is dynamically created, or
* the permissions for a file are a debconf option

In such cases it is necessary in the postinst to do:

    # Only touch the file if the local admin has not registered an override for it.
    if ! dpkg-statoverride --list "$file" >/dev/null 2>&1
    then
        chown "$user:$group" "$file"
        # and/or
        chmod "$mode" "$file"
    fi

Which will only set the permissions if the local administrator has not supplied other values.

Just looking at various postinst scripts now, I note that some packages use dpkg-statoverride to apply the changes rather than chown/chmod. Not quite sure of the rationale behind this. In my opinion, setting permissions via dpkg-statoverride should be limited to the local admin only. It also means that you need to remove the override in the postrm and complicates the case where you wish to change the default values used. In both cases you need to compare the values returned by --list and only remove/change if those values match what was previously set by the package. Even with this test, there is *no way to be sure* that the override was originally set by the package. Could be that the administrator set the override with those values to ensure they didn't change.

Summary for maintainer scripts:

* Don't use chown/chmod without first testing dpkg-statoverride --list.
* Don't use dpkg-statoverride to apply owner/group/mode changes.

--bod
Re: A question on setting setuid bit
On Wed, Jul 05, 2006 at 09:36:37AM +0100, Steve Kemp wrote:
> On Tue, Jul 04, 2006 at 08:37:52PM -0400, LEE, Yui-wah (Clement) wrote:
> > I am building a package in which one of the binaries has to have the setuid and setgid bits set. I wonder which one of the following two is the more appropriate method to use?
>
> It looks like you've got the answer to this already, but it is worth considering whether the bit needs to be set by default. Perhaps a debconf question like man-db, or cdrecord, could allow the user to disable/enable this.

Ugh, please don't. Seriously, as a regular user of those packages, I have no idea whether it's *really* a good idea for those to be setuid or not -- I vaguely know the risk/benefit from general knowledge, but assessing the risk intelligently? No way. I'd bet that 99% of installations have whatever the maintainer recommended setting (either recommended by default or perhaps the wording of the question).

My personal preference would be for the maintainer to just take a stand, set it or not, and let people who actually know what's going on use dpkg-statoverride to fix the problem to their satisfaction. (This actually also applies to man-db and cdrecord, as it happens, but there's a lot of inertia to overcome there).

> I'd want to be extremely sure that the package had no buggy code before installing it setuid/setgid. If you'd like somebody to check over the code for you, or as a second pair of eyes, then please consider asking the auditing people: http://shellcode.org/mailman/listinfo/debian-audit

This is good advice.

- Matt
Re: A question on setting setuid bit
On Tue, Jul 04, 2006 at 08:37:52PM -0400, LEE, Yui-wah (Clement) wrote:
> I am building a package in which one of the binaries has to have the setuid and setgid bits set. I wonder which one of the following two is the more appropriate method to use?
>
> 1. Use install -m 6755 file dir in the install target of the Makefile. However, I already tried this method and it did not work. The install program that I am using is part of the GNU coreutils. I could not find any specific confirmation that the setuid and setgid bits (i.e. the first digit 6 in the numeric mode 6755) can be used with the install program (the document says only that the -m switch works as in chmod).
>
> 2. Add a chmod ug+s command in the postinst script.

3. Use dpkg-statoverride in your postinst script.

regards
fEnIo

Bartosz Fenski | mailto:[EMAIL PROTECTED] | pgp:0x13fefc40 | irc:fEnIo
32-050 Skawina - Glowackiego 3/15 - malopolskie v. - Poland
phone:+48602383548 | proud Debian maintainer and user
http://skawina.eu.org | jid:[EMAIL PROTECTED] | rlu:172001