Mailinglist Archive: opensuse (1352 mails)

< Previous Next >
Re: [opensuse] Re: Problem with suid pgms on Leap-15.0
On 06/04/2018 02:29 PM, L A Walsh wrote:
Mark Hounschell wrote:
On 06/04/2018 09:27 AM, L A Walsh wrote:

To be clear, and I have tested this, I am not loosing my group memberships when I start the suid pgm or during its execution. They are simply not being passed to an exec'd external entity.
----
    That's not exactly clear to me.

    FWIW, I get annoyed at programs that mess with GID-based
access.  Groups are perfect for giving access to multiple accounts
owned by the same person, among other things...


1)    Let me repeat that back -- a program running as root (the suid pgm), execs another program and the groups disappear?
    OR) do you mean only execution of bash scripts?


Yes, the groups associated with the RUID go away. Both scripts and executables.

2) You say you used to do the exact same thing under 13.2? Using
  bash-4.2 and it worked?, but now under Leap-15 and bash-4.???
  it doesn't work?


Correct.

3) at what point in executing 'pgm+<whatever>', does the 'job' stop
  being 'root' -- or is it your belief that it stays root throughout
  execution until pgm terminates?


In the main (suid) pgm, the RUID and RGID remain the user UID and GID. The EUID, EGID, SUID, and SGID remain as root(0). When I execvpe something it executes as RUID and GUID. AND the EUID, GUID, SUID, and SGID are the real USERs (NOT 0) unless it is also an suid executable. And I do have one or 2 of those suid executables. I don't have SUID scripts. Not even sure that actually works. My main program continues execution as I specified the main pgm does above with no change. The child I execvpe, exits when complete, I assume, with the ID's as when it started. But I don't care what happens to it when it exits other than providing me with exit status. I believe the main suid pgm stays that way unless I un SUID it within the code which I do not do.

In the main program, not the example I provided,  I fork/exec/wait. The main process still has my group memberships after that. They just don't make it into the exec'd pgm/script.
---
    What is 'pgm'?  Is it a binary or some sort of script?
    How is the main-process run?  Is it setuid, or do you use a program like 'sudo', 'su', or 'runas' or ???

    How about the main process?  What type of program is it?


The main pgm is an SUID executable. No script. No su, sudo, or runas. Started via command line like any normal pgm.

    In the code I quoted, it looked like it was when resetting
groups before it dropped root -- that's why I'm asking if it keeps
root while executing everything, or if it drops it at some point, or what, since it sounded like you were saying the groups were dropped
when you became root -- but with *this* note, it sounds like that's
not the case either, but more in line with a fork or exec?


No, go back and read the OP. I only said that the groups associated with the RUID of the main pgm are gone in the execvpe's task/script.

It is not the fork but the execvpe that causes the groups associated with the RUID of the main task to get dropped in the new task/script. Groups are not dropped from the RUID in the main pgm at all. It is only what I execvpe that does not get the group assocations that the RUID should have.

    I had some other Q's, but had a phone call come in that caused a stack overflow in my brain....oh well.


The rpm provided by Dr. Werner Fink seems to have fixed it up.

There is a new response to your Bugzilla comment BTW.



(In reply to L. A. Walsh from comment #11)
> [...]
> The problem was the loss of supplementary group ID's upon becoming root [...]

Actually, his problem was the loss of supplementary group IDs when transitioning away from root.




And that makes sense to me. When I execvpe something, I am transitioning away from root.


Mark

--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx

< Previous Next >