suid clarification
Unix Programming archive, November 2005
puzzlecracker 2005-10-30, 2:48 am
Here is my configuration:
User A owns a program, let's call it printer, that has the suid bit set. It
accepts a list of files from different users. For each such file, it
should (if the file is readable by the actual user) run a command, the
result of which should be written to a file only writable by user A.
User B passes run a program owned A.
What happens if the user A doesn't have any permissions for files readable
by B, can it still run a command for the file is now accessed with
effective permissions of A?
Is it enough to chmod 644 the output file (where the User A's program
prints an output from the command) to prevent any security holes?
Thanks
Pascal Bourguignon 2005-10-30, 2:48 am
"puzzlecracker" <ironsel2000@gmail.com> writes:
> Here is my configuration:
>
> User A owns a program, let's call it printer, that has the suid bit set. It
> accepts a list of files from different users. For each such file, it
> should (if the file is readable by the actual user) run a command, the
> result of which should be written to a file only writable by user A.
>
> User B passes run a program owned A.
>
> What happens if the user A doesn't have any permissions for files readable
> by B, can it still run a command for the file is now accessed with
> effective permissions of A?
man seteuid
> Is it enough to chmod 644 the output file (where the User A's program
> prints an output from the command) to prevent any security holes?
No. Special care should be taken at all steps to prevent any security holes.
--
__Pascal Bourguignon__ http://www.informatimago.com/
The mighty hunter
Returns with gifts of plump birds,
Your foot just squashed one.
Gordon Burditt 2005-10-30, 2:48 am
>Here is my configuration:
>
>User A owns a program, let's call it printer, that has the suid bit set. It
>accepts a list of files from different users. For each such file, it
>should (if the file is readable by the actual user) run a command,
It should run a command, which is presumably NOT setuid-C.
WHO supplies the command here? I hope it's the configuration,
not the invoking user.
>the result of which should be written to a file only writable by user A.
>User B passes run a program owned A.
parse no no English sense
>What happens if the user A doesn't have any permissions for files readable
>by B, can it still run a command for the file is now accessed with
>effective permissions of A?
It can run the command (as A) if it has the necessary permissions to run
the command. Said command will likely fail to do anything useful
with files A can't read. If the command is run as the invoking user
(B), or it "drops privs" (setuid(getuid())), it might be able to
do something useful. (The idea here is that the setuid-A program
opens up a file writable only by A, makes it stdout, and then runs
a program as B which puts output into that file).
>Is it enough to chmod 644 the output file (where the User A's program
>prints an output from the command) to prevent any security holes?
What is your security model here? Is there any reason to believe
the output should be READABLE by B? Why?
Gordon L. Burditt
puzzlecracker 2005-10-30, 5:51 pm
Gordon Burditt wrote:
>
> It should run a command, which is presumably NOT setuid-C.
> WHO supplies the command here? I hope it's the configuration,
> not the invoking user.
>
>
>
> parse no no English sense
>
>
> It can run the command (as A) if it has the necessary permissions to run
> the command. Said command will likely fail to do anything useful
> with files A can't read. If the command is run as the invoking user
> (B), or it "drops privs" (setuid(getuid())), it might be able to
> do something useful. (The idea here is that the setuid-A program
> opens up a file writable only by A, makes it stdout, and then runs
> a program as B which puts output into that file).
>
>
> What is your security model here? Is there any reason to believe
> the output should be READABLE by B? Why?
>
> Gordon L. Burditt
printer spooler.
Barry Margolin 2005-10-31, 2:49 am
In article <1130641587.552562.88220@g14g2000cwa.googlegroups.com>,
"puzzlecracker" <ironsel2000@gmail.com> wrote:
> Here is my configuration:
>
> User A owns a program, let's call it printer, that has the suid bit set. It
> accepts a list of files from different users. For each such file, it
> should (if the file is readable by the actual user) run a command, the
> result of which should be written to a file only writable by user A.
>
> User B passes run a program owned A.
>
> What happens if the user A doesn't have any permissions for files readable
> by B, can it still run a command for the file is now accessed with
> effective permissions of A?
>
>
>
> Is it enough to chmod 644 the output file (where the User A's program
> prints an output from the command) to prevent any security holes?
The program should use seteuid() to change to B, open the input file,
then use seteuid() to change back to A and write the output file.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
puzzlecracker 2005-10-31, 7:56 am
Barry Margolin wrote:
> In article <1130641587.552562.88220@g14g2000cwa.googlegroups.com>,
> "puzzlecracker" <ironsel2000@gmail.com> wrote:
>
>
> The program should use seteuid() to change to B, open the input file,
> then use seteuid() to change back to A and write the output file.
>
> --
> Barry Margolin, barmar@alum.mit.edu
> Arlington, MA
> *** PLEASE post questions in newsgroups, not directly to me ***
what if I have to execute a command on the B's file prior to writing a
result of it A's output to the file (via system of course).. would
this conflict with permissions?
Barry Margolin 2005-11-01, 2:59 am
In article <1130751536.466845.127730@g43g2000cwa.googlegroups.com>,
"puzzlecracker" <ironsel2000@gmail.com> wrote:
> Barry Margolin wrote:
>
> what if I have to execute a command on the B's file prior to writing a
> result of it A's output to the file (via system of course).. would
> this conflict with permissions?
File permissions are only checked when opening a file. So once the
program has opened B's file, it can change to A and then process the
file.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***