Re: how to identify the superuser in C

2002-12-12 Thread Moritz Schulte
Oohara Yuuma <[EMAIL PROTECTED]> writes:

>> fakeroot (or any other dynamic linker tricks) will not work on set[ug]id
>> programs.  libc can be trusted here.
>
> Is this Linux specific?  (There can be a Hurd port in the sarge
> release).

Of course the same protection is present in GNU/Hurd.

  Btw: this problem (`how to find out your id[s]') is even trickier in
GNU/Hurd.  Let's have a look at how fakeroot is implemented in
GNU/Hurd.

  Instead of using a libfakeroot trick, we simply use our own features
for that, which can do much better.  Authentication in the Hurd is
based on the `auth' server.  Now, in the Hurd it is possible to use
other auth servers than the default system server.  Glibc functions
working with IDs in fact communicate with the auth server.

  If you use your own auth server, then getuid() returns whatever that
auth server tells you (of course, faking your auth server does not
raise your permissions in the system at all, since that auth server is
private to you).

  Now, back to fakeroot.  Fakeroot in GNU/Hurd consists of:

  * a command line program (fakeauth), which creates a new auth server
and runs a program with the auth server changed accordingly.  This
makes getuid() and friends behave as if the program were running as
root;

  * a filesystem server, which is used for faking filesystem accesses
- this makes chmod/chown work accordingly.

moritz
-- 
[EMAIL PROTECTED] - http://duesseldorf.ccc.de/~moritz/
GPG fingerprint = 3A14 3923 15BE FD57 FC06  B501 0841 2D7B 6F98 4199



Re: how to identify the superuser in C

2002-12-11 Thread Matt Zimmerman
On Thu, Dec 12, 2002 at 08:38:27AM +0900, Oohara Yuuma wrote:

> On Wed, 11 Dec 2002 14:13:15 -0500,
> Matt Zimmerman <[EMAIL PROTECTED]> wrote:
> > On Wed, Dec 11, 2002 at 11:07:11AM +0900, Oohara Yuuma wrote:
> > > The problem is that there is fakeroot. getuid() == 0 or
> > > geteuid() == 0 is not enough.  PAM is an overkill.
> > > I think seteuid(0) == 0 is the best approach.
> > fakeroot (or any other dynamic linker tricks) will not work on set[ug]id
> > programs.  libc can be trusted here.
> Is this Linux specific?  (There can be a Hurd port in the sarge release).

Any system which would allow system calls to be spoofed in privileged
programs this way would have a gaping security hole.  Your program would be
the least of its worries.

-- 
 - mdz



Re: how to identify the superuser in C

2002-12-11 Thread Oohara Yuuma
On Wed, 11 Dec 2002 14:13:15 -0500,
Matt Zimmerman <[EMAIL PROTECTED]> wrote:
> On Wed, Dec 11, 2002 at 11:07:11AM +0900, Oohara Yuuma wrote:
> > The problem is that there is fakeroot. getuid() == 0 or
> > geteuid() == 0 is not enough.  PAM is an overkill.
> > I think seteuid(0) == 0 is the best approach.
> fakeroot (or any other dynamic linker tricks) will not work on set[ug]id
> programs.  libc can be trusted here.
Is this Linux specific?  (There can be a Hurd port in the sarge release).

-- 
Oohara Yuuma <[EMAIL PROTECTED]>
Debian developer
PGP key (key ID F464A695) http://www.interq.or.jp/libra/oohara/pub-key.txt
Key fingerprint = 6142 8D07 9C5B 159B C170  1F4A 40D6 F42E F464 A695

smile to answer
--- Treasure, "Radiant Silvergun", attitude #3 for SBS-130



Re: how to identify the superuser in C

2002-12-11 Thread Matt Zimmerman
On Wed, Dec 11, 2002 at 11:07:11AM +0900, Oohara Yuuma wrote:

> The problem is that there is fakeroot. getuid() == 0 or
> geteuid() == 0 is not enough.  PAM is an overkill.
> I think seteuid(0) == 0 is the best approach.

fakeroot (or any other dynamic linker tricks) will not work on set[ug]id
programs.  libc can be trusted here.

-- 
 - mdz



Re: how to identify the superuser in C

2002-12-11 Thread Chris Shafer
Well what happened is I screwed up and sent it to just Oohara and not to
the list. Well I tried but sent it to [EMAIL PROTECTED]
So that not working I opened it out of my sent items and just forwarded
it to the list but the signing got screwed up.

Chris

On Wed, 2002-12-11 at 06:14, Adrian 'Dagurashibanipal' von Bidder wrote:
> On Wed, 2002-12-11 at 03:58, Chris Shafer wrote:
> > Hello,
> > Some documentation I found helpful when I was doing something similar in
> [...]
> 
> Just wondering...
> 
> Content-Type: multipart/mixed instead of multipart/signed. Your mailer
> buggy?
> 
> cheers
> -- vbi
> 
> -- 
> featured link: http://fortytwo.ch/smtp



signature.asc
Description: This is a digitally signed message part


Re: how to identify the superuser in C

2002-12-11 Thread Adrian 'Dagurashibanipal' von Bidder
On Wed, 2002-12-11 at 03:58, Chris Shafer wrote:
> Hello,
> Some documentation I found helpful when I was doing something similar in
[...]

Just wondering...

Content-Type: multipart/mixed instead of multipart/signed. Your mailer
buggy?

cheers
-- vbi

-- 
featured link: http://fortytwo.ch/smtp


signature.asc
Description: This is a digitally signed message part


Re: how to identify the superuser in C

2002-12-11 Thread Will Aoki
On Wed, Dec 11, 2002 at 11:07:11AM +0900, Oohara Yuuma wrote:
> I am working on adding a high score list to a game written in C.
> (It's already packaged.)  The high score list will be 664 root:games
> and the game binary will be sgid games --- nothing special here.
> I want to dump and undump the list.  Allowing everyone to undump
> the list will lead to cheating or even security problems, so I want to
> make sure that only the superuser may undump.  Since the binary is
> sgid, some check is necessary before trying to write the list.
> 
> The problem is that there is fakeroot. getuid() == 0 or
> geteuid() == 0 is not enough.  PAM is an overkill.
> I think seteuid(0) == 0 is the best approach.
> Any opinion?

It shouldn't be possible [0] to preload libraries for set[ug]id
executables, so fakeroot shouldn't be able to work.


A simple test / demonstration: compile this source:

--- begin uid.c ---
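#include <stdio.h>
#include <unistd.h>

int main (void) {
    /* print the real and effective user IDs as the process sees them */
    printf ("uid %i euid %i\n", (int) getuid(), (int) geteuid());
    return 0;
}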
--- end uid.c ---

then:

$ gcc -o uid uid.c
$ su
Password: 
# chgrp games uid
# chmod 2555 uid
# exit
$ ls -al uid
-r-xr-sr-x    1 waoki    games        5254 Dec 11 01:59 uid
$ id
uid=1000(waoki) gid=1000(waoki) groups=1000(waoki),4(adm),20(dialout),24(cdrom),29(audio),16(mol)
$ ./uid
uid 1000 euid 1000
$ fakeroot id
uid=0(root) gid=0(root) groups=1000(waoki),4(adm),20(dialout),24(cdrom),29(audio),16(mol)
$ fakeroot ./uid
./uid: error while loading shared libraries: libfakeroot.so.0: cannot open shared object file: No such file or directory
$ 



[0] there is an exceptional case - see the ld.so manpage - but it
doesn't apply here.

-- 
William Aoki     [EMAIL PROTECTED]       /"\  ASCII Ribbon Campaign
B1FB C169 C7A6 238B 280B  <- key change  \ /  No HTML in mail or news!
99AF A093 29AE 0AE1 9734   prev. expired  X
                                         / \
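
Added example, not part of the original thread: a C version of the check the replies above point to, trusting getuid() only when the kernel reports secure-execution mode (AT_SECURE), the condition under which ld.so restricts LD_PRELOAD for set[ug]id programs. It assumes Linux with glibc 2.16 or later for getauxval(); the names undump_policy, undump_check_caller, undump_reason and the decision enum are hypothetical.

```c
/* Added example, not from the thread. Assumes Linux, glibc >= 2.16. */
#include <stdio.h>
#include <sys/auxv.h>   /* getauxval(), AT_SECURE */
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical names: none of these identifiers come from the thread. */
enum undump_decision {
    UNDUMP_ALLOW = 0,
    UNDUMP_DENY_NOT_ROOT,       /* real UID is not 0 */
    UNDUMP_DENY_UNTRUSTED_ENV   /* process is not in secure-execution mode */
};

/*
 * Pure policy. at_secure is the AT_SECURE auxiliary-vector entry: nonzero
 * when the kernel started the process set[ug]id, in which case ld.so
 * restricts LD_PRELOAD (see ld.so(8)) and a libfakeroot-style preload does
 * not get to answer getuid(). If it is zero (binary not installed sgid,
 * e.g. a test build), a preloaded library may have answered, so refuse.
 */
enum undump_decision undump_policy(uid_t real_uid, unsigned long at_secure)
{
    if (at_secure == 0)
        return UNDUMP_DENY_UNTRUSTED_ENV;
    if (real_uid != 0)
        return UNDUMP_DENY_NOT_ROOT;
    return UNDUMP_ALLOW;
}

/* Apply the policy to the calling process. The real UID identifies the
 * invoking user; an sgid-only binary leaves both UIDs unchanged. */
enum undump_decision undump_check_caller(void)
{
    return undump_policy(getuid(), getauxval(AT_SECURE));
}

const char *undump_reason(enum undump_decision d)
{
    switch (d) {
    case UNDUMP_ALLOW:              return "allowed: real uid 0, secure mode";
    case UNDUMP_DENY_NOT_ROOT:      return "denied: caller is not root";
    case UNDUMP_DENY_UNTRUSTED_ENV: return "denied: not running set[ug]id";
    }
    return "denied";
}

int main(void)
{
    enum undump_decision d = undump_check_caller();
    fprintf(stderr, "undump %s\n", undump_reason(d));
    return d == UNDUMP_ALLOW ? 0 : 1;
}
```

Installed as in the transcript above (chgrp games, chmod 2555), root gets "allowed", while an ordinary user gets "denied: caller is not root" with or without fakeroot.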



Re: how to identify the superuser in C

2002-12-10 Thread sean finney
On Wed, Dec 11, 2002 at 11:07:11AM +0900, Oohara Yuuma wrote:
> The problem is that there is fakeroot. getuid() == 0 or
> geteuid() == 0 is not enough.  PAM is an overkill.
> I think seteuid(0) == 0 is the best approach.
> Any opinion?

i may be mistaken, but if you link statically against the libraries
that provide getuid, you no longer have the problem of geteuid() == 0,
correct?  it'll make your code bigger, but i think it'll prevent someone
from slipping in a dynamically linked library that provides a more
"liberal" attitude towards uids..


sean


pgpNvPuNHJdqH.pgp
Description: PGP signature


Re: how to identify the superuser in C

2002-12-10 Thread Chris Shafer
Hello,
Some documentation I found helpful when I was doing something similar in
a little game I was making.


http://www.cs.utah.edu/dept/old/texinfo/glibc-manual-0.02/library_25.html#SEC429

Chris Shafer
Live Slow. Sail Fast


On Tue, 2002-12-10 at 21:07, Oohara Yuuma wrote:
> I am working on adding a high score list to a game written in C.
> (It's already packaged.)  The high score list will be 664 root:games
> and the game binary will be sgid games --- nothing special here.
> I want to dump and undump the list.  Allowing everyone to undump
> the list will lead to cheating or even security problems, so I want to
> make sure that only the superuser may undump.  Since the binary is
> sgid, some check is necessary before trying to write the list.
> 
> The problem is that there is fakeroot. getuid() == 0 or
> geteuid() == 0 is not enough.  PAM is an overkill.
> I think seteuid(0) == 0 is the best approach.
> Any opinion?
> 
> -- 
> Oohara Yuuma <[EMAIL PROTECTED]>
> Debian developer
> PGP key (key ID F464A695) http://www.interq.or.jp/libra/oohara/pub-key.txt
> Key fingerprint = 6142 8D07 9C5B 159B C170  1F4A 40D6 F42E F464 A695
> 
> smile to answer
> --- Treasure, "Radiant Silvergun", attitude #3 for SBS-130
> 
> 
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 
> 



signature.asc
Description: This is a digitally signed message part


how to identify the superuser in C

2002-12-10 Thread Oohara Yuuma
I am working on adding a high score list to a game written in C.
(It's already packaged.)  The high score list will be 664 root:games
and the game binary will be sgid games --- nothing special here.
I want to dump and undump the list.  Allowing everyone to undump
the list will lead to cheating or even security problems, so I want to
make sure that only the superuser may undump.  Since the binary is
sgid, some check is necessary before trying to write the list.

The problem is that there is fakeroot. getuid() == 0 or
geteuid() == 0 is not enough.  PAM is an overkill.
I think seteuid(0) == 0 is the best approach.
Any opinion?

-- 
Oohara Yuuma <[EMAIL PROTECTED]>
Debian developer
PGP key (key ID F464A695) http://www.interq.or.jp/libra/oohara/pub-key.txt
Key fingerprint = 6142 8D07 9C5B 159B C170  1F4A 40D6 F42E F464 A695

smile to answer
--- Treasure, "Radiant Silvergun", attitude #3 for SBS-130


