Re: Tracing by uid u after root does setuid(u)

From: James Mathiesen (James-Mathiesenat_private)
Date: Fri Jan 15 1999 - 06:04:58 PST

Next message: Roy Hooper: "Re: NIS and NIS+ ephemeral ports"

Previous message: Peter van Dijk: "Re: test-cgi - Re: HTTP REQUEST METHOD flaw"
Maybe in reply to: D. J. Bernstein: "Tracing by uid u after root does setuid(u)"
Next in thread: D. J. Bernstein: "Re: Tracing by uid u after root does setuid(u)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> Since the patch, programs that are set-uid, call set*uid or set*gid cannot
> be traced and cannot dump core.  (Which upset yet another batch of
> customers so there's an option in Solaris 7 to make set-uid programs
> dump core if the kernel is so configured)

What's the option?  There are a number of times when I would have loved the
ability to enable this temporarily.

One interesting thing about the Solaris implementation of proc(4) is that it
actually does go back and stat the executable when it is checking if it is
readable rather than saving the information during exec().  There are
definitely some minor security implications here, which I haven't thought
about much.

And there's yet another interesting behavior related to this:

        1) Compile an executable such as

                main()
                {
                        sleep(10000);
                }

           And place it on an NFS server.

        2) Run the executable from an NFS client under a non-root uid

        3) On the NFS server unlink the executable (or use another NFS
           client, anything so the inode is gone instead of becoming a
           .nfsXXXX)

        4) On the NFS client try to open /proc/<pid> using the same UID which
           is running the program.  This process will go into a tight loop
           in kernel mode repeatedly stat'ing the executable from step 2
           despite getting ESTALE from the NFS server on each try.  Fortunately
           the operation is interruptable.

Step 4 has to be a proc operation which requires checking the mode of the
executable.  From 2.6 proc(4):

     For security reasons, except for the psinfo, usage, lpsinfo,
     lusage, lwpsinfo, and lwpusage files, which are  world-read-
     able, and except for the super-user, an open of a /proc file
     fails unless both the user-ID and  group-ID  of  the  caller
     match  those  of the traced process and the process's object
     file is readable by the caller.  Except for the  world-read-
     able files just mentioned, files corresponding to setuid and
     setgid processes can be opened only by the super-user.

This appears to still be the case in 2.7.  I actually tried to get Sun
to accept the looping as a bug with 2.5.1, but did not succeed.  I've
never quite gotten the hang of interacting with engineering.

Probably just saving the readable status during exec() would be the
most correct solution.

james

Next message: Roy Hooper: "Re: NIS and NIS+ ephemeral ports"
Previous message: Peter van Dijk: "Re: test-cgi - Re: HTTP REQUEST METHOD flaw"
Maybe in reply to: D. J. Bernstein: "Tracing by uid u after root does setuid(u)"
Next in thread: D. J. Bernstein: "Re: Tracing by uid u after root does setuid(u)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:28:55 PDT