OW2 Consortium contrail

Compare Revisions

Rev 6370 → Rev 6371

/trunk/resource/safeconfig/safeconfig.1
104,19 → 104,22
.PP
Although
.I safeconfig
is run with root permissions, it first lowers its privileges to
that of the invoking user before reading a configuration file (and
fails if the user cannot read the file). It then lowers
its privileges to the group and user id of the configuration file
before it runs any commands.
Since Unix only allows root to change file ownership,
as an unprivileged user you cannot escalate your privileges
by simply creating a configuration file: the configuration file is owned
by you, and the commands in it will be executed with the privileges you
already have. However, anyone who can read your configuration file can
run the commands in it with your privileges.
Similarly, a user can only change the group of a file to a group he is a
member of, so again no escalation of privileges is possible that way.
is run with root permissions, it first lowers its privileges to that
of the invoking user before reading a configuration file (and fails
if the user cannot read the file). If the configuration file has the
set-user-ID-on-execution permission set, it then changes the user id to
that of the configuration file before it runs any commands. Similarly,
if the configuration file has the set-group-ID-on-execution permission
set, the group id is changed to that of the configuration file before any
commands are run. Since Unix only allows root to change file ownership,
as an unprivileged user you cannot escalate your privileges by creating
a configuration file: the configuration file is owned by you, and the
commands in it will be read and executed with the privileges you already
have. Similarly, you can only change the group of a file to a group
you are a member of, so again no escalation of privileges is possible.
However, the owner of the configuration file can give you permission
to run the configuration file with their privileges by setting the
set-user-ID-on-execution and/or the set-group-ID-on-execution permissions.
As an additional security measure,
.I safeconfig
refuses to run configurations that are group- or world-writable.
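Review bot: the new paragraph says safeconfig "changes the user id to that of the configuration file", but the util.c hunk in this revision only calls seteuid() and setegid(), so the real user and group IDs stay those of the invoking user (commands still see getuid() as the invoker) and the saved set-user-ID stays 0. Say "effective user id" / "effective group id" here so the documented behaviour matches the code. It would also help to state explicitly what happens when neither bit is set, namely that the commands run with the invoking user's privileges (the else branch in util.c), and to point out that the grant via set-user-ID only works if the invoker can also read the file, since privileges are lowered to the invoking user before the read, as the first sentence already says.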
/trunk/resource/safeconfig/src/main.c
50,7 → 50,6
" -r Show the commands that are run\n"
" -s<var> Set variable <var> to the empty string\n"
" -s<var>=<val> Set variable <var> to string <val>\n"
" -z<script> Write a shell script to implement this config\n"
"\n"
;
 
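Review bot: the usage text drops the `-z<script>` line, but this revision shows no matching change to the option parsing or to the safeconfig.1 man page. Either `-z` still exists and is now simply missing from the help output, or it was removed elsewhere and the corresponding getopt case and man page entry should go in the same commit; please check the man page hunk above for a leftover `-z` description.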
/trunk/resource/safeconfig/src/util.c
294,24 → 294,39
exit( EXIT_FAILURE );
}
 
if(stat_data.st_uid != geteuid() || stat_data.st_gid != getegid()){
// We may want to change the uid if we originally were root.
int res = seteuid(0);
if(res != 0){
// Nope, we will have to make do with what we have
return;
}
res = setegid(stat_data.st_gid);
if(res != 0){
sys_error( errno, "cannot set egid to %d", stat_data.st_gid);
exit( EXIT_FAILURE );
}
res = seteuid(stat_data.st_uid);
if(res != 0){
sys_error( errno, "cannot set euid to %d", stat_data.st_uid);
exit( EXIT_FAILURE );
}
// We may want to change the uid if we originally were root.
res = seteuid(0);
if(res != 0){
// We were not root, we will have to make do with what we have
return;
}
// We're root again. Only use that privilege to
// honor the ISGID or ISUID bits
if((stat_data.st_mode & S_ISGID) != 0){
// Honor the set-group-ID-on-execution permission
res = setegid(stat_data.st_gid);
if(res != 0){
sys_error( errno, "cannot set egid to %d", stat_data.st_gid);
exit( EXIT_FAILURE );
}
}
int uid;
if((stat_data.st_mode & S_ISUID) != 0){
// Honor the set-user-ID-on-execution permission
uid = stat_data.st_uid;
}
else {
// No special bits, go back to the invoking uid.
uid = getuid();
}
res = seteuid(uid);
if(res != 0){
sys_error( errno, "cannot set euid to %d", uid);
exit( EXIT_FAILURE );
}
// If we're still root at this point, it is because
// set S_ISUID bit was set, and the owner of the file is root,
// or the program is run as root.
}
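Review bot: the group handling is asymmetric with the user handling. When S_ISGID is not set the effective gid is left wherever it was, while the uid path falls back to getuid(); add an else branch with `setegid(getgid())`, placed while the process is still euid 0 (before the `seteuid(uid)` call, otherwise setegid() to a foreign gid will fail), so a file without the bit does not keep a previously raised gid from an earlier file in the same run. Smaller points: `uid` should be `uid_t` rather than `int`, and passing uid_t/gid_t to `%d` in sys_error() should be cast. The early `return` when `seteuid(0)` fails silently ignores S_ISUID/S_ISGID on a non-setuid install; a warning there would make that misconfiguration visible. Supplementary groups are never reset, so commands run under the file owner's uid/gid still carry the invoking user's supplementary groups; if that is intended it deserves a comment next to the S_ISGID block.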