Date: Fri, 13 Nov 2015 09:27:21 +0100 From: Matthias Apitz <guru@unixarea.de> To: Trond =?utf-8?Q?Endrest=C3=B8l?= <Trond.Endrestol@fagskolen.gjovik.no> Cc: FreeBSD Questions <freebsd-questions@freebsd.org>, Maurice Massar <vpnc@unix-ag.uni-kl.de> Subject: Re: vpnc && setuid Message-ID: <20151113082721.GA2056@c720-r276659> In-Reply-To: <alpine.BSF.2.20.1511121527501.22820@mail.fig.ol.no> References: <20151112093622.GA3261@c720-r276659> <CALfReydC1JD1LNUHHPev=q7WA98b52mootDngOQmEtXTUKkWYA@mail.gmail.com> <20151112101333.GA3606@c720-r276659> <CALfReydZkhuAjqphEsBkn%2B%2BzV1emBj5VUjfSpe%2BDyOr=mmZdDw@mail.gmail.com> <20151112120549.GA3983@c720-r276659> <20151112134447.GA4418@c720-r276659> <alpine.BSF.2.20.1511121527501.22820@mail.fig.ol.no>
next in thread | previous in thread | raw e-mail | index | archive | help
El día Thursday, November 12, 2015 a las 03:30:26PM +0100, Trond Endrestøl escribió: > > What is so magic with /usr/local/sbin/vpnc that it does not run with > > setuid? > > Maybe vpnc calls setuid(2) and changes the effective uid to the real > uid before reading the configuration file. Inspecting the source code > or running ktrace should verify or falsify my assumption. I managed to run vpnc as normal user with an attached ktrace as root (I modified the source of vpnc to insert a sleep to be able to attach ktrace as root from another terminal); it turns out that vpnc drops the privs: ... 31019 vpnc NAMI "/etc/gcrypt/fips_enabled" 31019 vpnc RET access -1 errno 2 No such file or directory 31019 vpnc CALL open(0x280face4,0<O_RDONLY>,<unused>0x1b6) 31019 vpnc NAMI "/proc/sys/crypto/fips_enabled" 31019 vpnc RET open -1 errno 2 No such file or directory 31019 vpnc CALL open(0x280fa9a8,0<O_RDONLY>,<unused>0x1b6) 31019 vpnc NAMI "/etc/gcrypt/hwf.deny" 31019 vpnc RET open -1 errno 2 No such file or directory 31019 vpnc CALL __sysctl(0xbfbfde1c,0x2,0xbfbfde18,0xbfbfde24,0,0) 31019 vpnc SCTL "p1003_1b.pagesize" 31019 vpnc RET __sysctl 0 31019 vpnc CALL mmap(0,0x4000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,0xffffffff,0,0) 31019 vpnc RET mmap 671645696/0x28088000 31019 vpnc CALL getuid 31019 vpnc RET getuid 1001/0x3e9 31019 vpnc CALL mlock(0x28088000,0x4000) 31019 vpnc RET mlock 0 31019 vpnc CALL geteuid 31019 vpnc RET geteuid 0 31019 vpnc CALL setuid(0x3e9) 31019 vpnc RET setuid 0 31019 vpnc CALL getuid 31019 vpnc RET getuid 1001/0x3e9 31019 vpnc CALL geteuid 31019 vpnc RET geteuid 1001/0x3e9 31019 vpnc CALL setuid(0) 31019 vpnc RET setuid -1 errno 1 Operation not permitted ... The calls *uid() are not in the source tree of vpnc itself, they must be invoked from some used infrastructure libs. I will not further debug this as the TODO of vpnc itself says: ... * optional drop root (rekey? reconnect? vpnc-script calls?) - Don't drop privileges, ever, but allow to be run suid. - If euid != ruid, clear out env on program start. - Sanitize variables for vpnc-script (snarf code from callscript.c from dhcpclient). - If euid != ruid, disable command line options (but not the profile parameter). - If euid != ruid, treat profiles as filenames only. They must not be paths, i.e. contain PATHSEP. Read them relative to /etc/vpnc. - Make sure vpnc-disconnect only kills processes owned by same user. ... Thx matthias -- Matthias Apitz, ✉ guru@unixarea.de, 🌐 http://www.unixarea.de/ ☎ +49-176-38902045
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20151113082721.GA2056>