Re: strace security <feature>

Richard B. Johnson (root@chaos.analogic.com)
Thu, 30 Dec 1999 09:32:30 -0500 (EST)


On Thu, 30 Dec 1999, Peter Benie wrote:

> Alan Cox writes ("Re: strace security <feature>"):
> > > It is possible for an ordinary user to use `strace` (which by default
> > > runs SUID-root), to copy a password file to /etc.
> >
> > strace is not meant to be installed setuid root.
>
> That's not entirely true - see the 'setuid installation' section of
> the manpage. If you've ever needed to trace a setuid program, it's
> obvious why this feature exists. The manpage does give a clear
> explanation of the security implications, so the 'bug' is still an
> installation error.
>
> Peter
>
> -

Some history:
The base distribution on this system was an old RedHat distribution.
Over time, many compilers, tools, etc. have been upgraded. However,
since this system has no accounts other than myself, I am sure that
strace was never specifically set to suid-root by myself. It is possible
that any of the software installation procedures, which are required to be
run by root, could have set this as a future back-door (watch out).

Further, the suid bit only sets the EUID during exec, not UID and GID.
Previously a privileged program would have to specifically set its UID
and GID to obtain privilege. In other words, EUID was only checked on
setuid()/setgid() calls. The call would fail if the EUID was not 0.

All other system calls would check UID/GID only and fail without
privilege.

Now I see the rules have been changed so that if the EUID *or* the UID
is 0, the system calls are allowed to function as though the UID were 0.
If this corresponds to later POSIX rules, the committee should consider
the implications without regard to maintaining reverse compatibility.

Certainly `cp` never attempted to obtain root privilege so the suid-root
bit set in its parent's file should have done nothing.

Also, I think I have read (recently) that, for a program to function
suid-root, it must be owned by root and exist in a root-owned directory.
This does not seem to be the case in the current implementation; I can make
a suid-root program, put it in a directory owned by 200.200, and it still
shows the EUID as 0.

#include <stdio.h>
#include <unistd.h>

int main(void)
{
    printf("UID = %d, GID = %d, EUID = %d\n", getuid(), getgid(), geteuid());
    return 0;
}

Script started on Thu Dec 30 09:09:46 1999
$ alias ls=ls
$ ls
elv_12b.1 typescript xxx xxx.c
$ ls -la .
total 39
drwxrwxrwx 2 200 200 1024 Dec 30 09:09 .
drwxr-xr-x 24 root root 1024 Dec 30 07:49 ..
-rw------- 1 root root 30720 Dec 30 09:07 elv_12b.1
-rw-r--r-- 1 johnson guru 0 Dec 30 09:09 typescript
-rwsr-xr-x 1 root root 4495 Dec 30 07:50 xxx
-rw-r--r-- 1 root root 91 Dec 30 07:50 xxx.c
$ xxx
UID = 100, GID = 100, EUID = 0
$ exit
exit

Script done on Thu Dec 30 09:10:22 1999

You can see that the script is being executed by johnson '100.100',
the directory is owned by 200.200 and the suid program is owned
by root.

The EUID should have remained at 100.

It does comply with the rule about root ownership, but the directory
can be owned by anybody.

Cheers,
Dick Johnson

Penguin : Linux version 2.3.13 on an i686 machine (400.59 BogoMips).
Warning : The end of the world as we know it requires a new calendar.
Seconds : 138450 (until Y2K)

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
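The post above turns on what the set-UID bit actually changes at exec time (the effective and saved UIDs, not the real UID) and on what a set-UID program has to do before it hands control to anything else, as strace did when it ran `cp`. The following is an added example, not code from the original message: it extends the poster's `xxx` program to print all three UIDs and GIDs, then shows a permanent privilege drop and a check that the drop took. It assumes Linux with glibc (`getresuid`/`setresuid`, `_GNU_SOURCE`); the binary can be chown'd root and chmod'd u+s like the post's `xxx`, but every function also runs unprivileged, where the drop is a no-op.

```c
/*
 * Added example (not from the original post): how a set-UID-root process's
 * credentials look, and how to give the privilege up for good.
 *
 * Assumptions (Linux/glibc): getresuid/setresuid/getresgid/setresgid are
 * available under _GNU_SOURCE. Works both as a setuid-root binary and as
 * an ordinary unprivileged program.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

struct creds {
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;
};

/* Read all three UIDs and GIDs. Started from a set-UID-root file by uid 100
 * this gives ruid=100, euid=0, suid=0: exec changed only the effective and
 * saved IDs, which is what the post's xxx program observed. */
static struct creds read_creds(void)
{
    struct creds c;
    getresuid(&c.ruid, &c.euid, &c.suid);
    getresgid(&c.rgid, &c.egid, &c.sgid);
    return c;
}

/* Is root still held in any of the three UIDs? A program that only did
 * seteuid(getuid()) still returns 1 here: the saved set-user-ID stays 0
 * and a later seteuid(0) gets root back. */
static int holds_root(void)
{
    struct creds c = read_creds();
    return c.ruid == 0 || c.euid == 0 || c.suid == 0;
}

/* Permanently drop to the given IDs. Order matters: supplementary groups
 * and GIDs first (they need the EUID 0 we are about to give up), then all
 * three UIDs at once so no saved root ID is left to climb back to.
 * Returns 0 on success, -1 on error (errno set by the failing call). */
static int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)  /* root-only call */
        return -1;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    return 0;
}

/* Verify the drop: all six IDs equal the target and, unless the target is
 * itself root, regaining EUID 0 fails with EPERM. Returns 1 if confined.
 * setresuid() can fail (e.g. RLIMIT_NPROC) without any signal, so a drop
 * that is not checked is not a drop. */
static int verify_drop(uid_t uid, gid_t gid)
{
    struct creds c = read_creds();
    if (c.ruid != uid || c.euid != uid || c.suid != uid)
        return 0;
    if (c.rgid != gid || c.egid != gid || c.sgid != gid)
        return 0;
    if (uid != 0) {
        if (seteuid(0) == 0)        /* must be impossible now */
            return 0;
        if (errno != EPERM)
            return 0;
    }
    return 1;
}

int main(void)
{
    struct creds before = read_creds();
    printf("at start  : UID=%d EUID=%d SUID=%d GID=%d EGID=%d SGID=%d\n",
           (int)before.ruid, (int)before.euid, (int)before.suid,
           (int)before.rgid, (int)before.egid, (int)before.sgid);

    /* Anything exec()ed from here on, like the cp that strace spawned in
     * the post, would inherit EUID 0 unless it is dropped first. */
    if (drop_privileges_permanently(before.ruid, before.rgid) != 0) {
        perror("drop_privileges_permanently");
        return 1;
    }
    if (!verify_drop(before.ruid, before.rgid)) {
        fprintf(stderr, "privilege drop did not take, refusing to go on\n");
        return 1;
    }
    struct creds after = read_creds();
    printf("after drop: UID=%d EUID=%d SUID=%d holds_root=%d\n",
           (int)after.ruid, (int)after.euid, (int)after.suid, holds_root());
    return 0;
}
```

Compile with `gcc -Wall -o xxx xxx.c`, then as root `chown root xxx && chmod u+s xxx`, and run it from an ordinary account to reproduce the `UID = 100, EUID = 0` line of the post followed by the confined state. Run unprivileged without the set-UID bit, the first line shows all IDs equal and the drop changes nothing.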