Quoting Brent Chapman:
>
> Jukka Ukkonen <ukkonen@csc.fi> writes:
>
> #
> # I have been reading your discussion about files, UIDs, GIDs,
> # and protections with somewhat puzzled feelings. Has anyone
> # of you tried making the wrapper.c do something like this?
> #
> # pwdp = getpwnam(MAJORDOMO_USER);
> #
> # if (!pwdp) {
> # fprintf (stderr, "%s: Dedicated user ID (%s) not found\n",
> # argv[0], MAJORDOMO_USER);
> # exit (-1);
> # }
> #
> # setgid (pwdp->pw_gid);
> # setuid (pwdp->pw_uid);
>
> You'd have to make "wrapper" setuid to "root" in order for this to
> work, and I don't think that's a good idea.
I think you have yourself justified my original comment and
slipped to read or think my comment carefully. Just, read on...
> If I was a sysadmin and didn't know anything in particular about
> Majordomo, and one of my users asked me to install it, and I found
> that it had a program whose only purpose was to run other programs
> that had to be run setuid to "root", I'd probably stop right there and
> tell my user "No, it looks too dangerous, and I don't have time to
> stare at the code to try and figure out if it's safe or not".
Somehow I fail to see your point here as the next couple of
short extracts from the Makefile and wrapper.c are just as
they are in the majordomo distribution package.
Makefile:
---------
# If you're using a POSIX-compliant system, uncomment this set of parameters
# and comment out the BSD settings above.
# W_UID = 1
# W_GID = 15
# W_CHOWN=root
# W_CHMOD=4755
# WRAPPER_FLAGS = -DBIN=\"${W_BIN}\" -DPATH=\"PATH=${W_PATH}\" \
# -DHOME=\"HOME=${W_HOME}\" -DSHELL=\"SHELL=${W_SHELL}\" \
# -DMAJORDOMO_CF=\"MAJORDOMO_CF=${W_MAJORDOMO_CF}\" \
# -DPOSIX_UID=${W_UID} -DPOSIX_GID=${W_GID}
wrapper.c:
----------
#ifdef POSIX_GID
setgid(POSIX_GID);
#else
setgid(getegid());
#endif
#ifdef POSIX_UID
setuid(POSIX_UID);
#else
setuid(geteuid());
#endif
The easiest way is to stick always to the POSIX rule which makes
it obligatory for every program executing the setuid() call to
start their life as root. My proposal was absolutely no hazard
to the system security though. They never will be if I can help
it.
It will not change anything to the worse if one takes the new
UID and GID from the passwd file instead of compiling them in.
You MUST DEDICATE a username for majordomo to use in this case
but you would have to give it a dedicated UID and GID supposedly
recording them in the passwd file anyway and this way you also
avoid having to recompile the wrapper if you ever wish to change
the UID and GID you want it to use.
In addition it is easier for one to keep in sync the UID and
GID in the passwd file with the files majordomo has to control
than to try to syncronize the compiled in UID & GID or run-time
effective UID & GID with the controlled files.
If you have read this far you should be convinced my original
comment was in fact quite valid. (Q.E.D. ;-)
Cheers,
// jau
------
/ Jukka A. Ukkonen, M.Sc. (tech.) Centre for Scientific Computing
/__ Internet: ukkonen@csc.fi Tel: (Home) +358-0-578628
/ Internet: jau@cs.tut.fi (Work) +358-0-4573208
v X.400: c=fi, admd=fumail, no prmd, org=csc, pn=jukka.ukkonen
References:
|
|
