Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 13 Nov 2015 09:27:21 +0100
From:      Matthias Apitz <guru@unixarea.de>
To:        Trond =?utf-8?Q?Endrest=C3=B8l?= <Trond.Endrestol@fagskolen.gjovik.no>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>, Maurice Massar <vpnc@unix-ag.uni-kl.de>
Subject:   Re: vpnc && setuid
Message-ID:  <20151113082721.GA2056@c720-r276659>
In-Reply-To: <alpine.BSF.2.20.1511121527501.22820@mail.fig.ol.no>
References:  <20151112093622.GA3261@c720-r276659> <CALfReydC1JD1LNUHHPev=q7WA98b52mootDngOQmEtXTUKkWYA@mail.gmail.com> <20151112101333.GA3606@c720-r276659> <CALfReydZkhuAjqphEsBkn%2B%2BzV1emBj5VUjfSpe%2BDyOr=mmZdDw@mail.gmail.com> <20151112120549.GA3983@c720-r276659> <20151112134447.GA4418@c720-r276659> <alpine.BSF.2.20.1511121527501.22820@mail.fig.ol.no>
next in thread | previous in thread | raw e-mail | index | archive | help 
El día Thursday, November 12, 2015 a las 03:30:26PM +0100, Trond Endrestøl escribió:

> > What is so magic with /usr/local/sbin/vpnc that it does not run with
> > setuid?
> 
> Maybe vpnc calls setuid(2) and changes the effective uid to the real 
> uid before reading the configuration file. Inspecting the source code 
> or running ktrace should verify or falsify my assumption.

I managed to run vpnc as normal user with an attached ktrace as root (I
modified the source of vpnc to insert a sleep to be able to attach
ktrace as root from another terminal); it turns out that vpnc drops the
privs:

 ...
 31019 vpnc     NAMI  "/etc/gcrypt/fips_enabled"
 31019 vpnc     RET   access -1 errno 2 No such file or directory
 31019 vpnc     CALL  open(0x280face4,0<O_RDONLY>,<unused>0x1b6)
 31019 vpnc     NAMI  "/proc/sys/crypto/fips_enabled"
 31019 vpnc     RET   open -1 errno 2 No such file or directory
 31019 vpnc     CALL  open(0x280fa9a8,0<O_RDONLY>,<unused>0x1b6)
 31019 vpnc     NAMI  "/etc/gcrypt/hwf.deny"
 31019 vpnc     RET   open -1 errno 2 No such file or directory
 31019 vpnc     CALL  __sysctl(0xbfbfde1c,0x2,0xbfbfde18,0xbfbfde24,0,0)
 31019 vpnc     SCTL  "p1003_1b.pagesize"
 31019 vpnc     RET   __sysctl 0
 31019 vpnc     CALL  mmap(0,0x4000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,0xffffffff,0,0)
 31019 vpnc     RET   mmap 671645696/0x28088000
 31019 vpnc     CALL  getuid
 31019 vpnc     RET   getuid 1001/0x3e9
 31019 vpnc     CALL  mlock(0x28088000,0x4000)
 31019 vpnc     RET   mlock 0
 31019 vpnc     CALL  geteuid
 31019 vpnc     RET   geteuid 0
 31019 vpnc     CALL  setuid(0x3e9)
 31019 vpnc     RET   setuid 0
 31019 vpnc     CALL  getuid
 31019 vpnc     RET   getuid 1001/0x3e9
 31019 vpnc     CALL  geteuid
 31019 vpnc     RET   geteuid 1001/0x3e9
 31019 vpnc     CALL  setuid(0)
 31019 vpnc     RET   setuid -1 errno 1 Operation not permitted
 ...

The calls *uid() are not in the source tree of vpnc itself, they must be
invoked from some used infrastructure libs. 

I will not further debug this as the TODO of vpnc itself says:

...
* optional drop root (rekey? reconnect? vpnc-script calls?)
  - Don't drop privileges, ever, but allow to be run suid.
  - If euid != ruid, clear out env on program start.
  - Sanitize variables for vpnc-script (snarf code from
    callscript.c from dhcpclient).
  - If euid != ruid, disable command line options (but not the profile
    parameter).
  - If euid != ruid, treat profiles as filenames only. They must not
    be paths, i.e. contain PATHSEP. Read them relative to /etc/vpnc.
  - Make sure vpnc-disconnect only kills processes owned by same user.
...

Thx

	matthias

-- 
Matthias Apitz, ✉ guru@unixarea.de, 🌐 http://www.unixarea.de/  ☎ +49-176-38902045

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20151113082721.GA2056>