Great Circle Associates Majordomo-Workers
(August 2000)
 

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Mj2: setuid wrappers are insecure?
From: SRE <eckert @ climber . org>
Date: Sat, 26 Aug 2000 00:16:16 -0700
To: majordomo-workers @ GreatCircle . COM, mj2-dev @ csf . colorado . edu

The Mj2 README file says:
>Majordomo2 includes its own setuid wrapper generation, so setuid shell
>scripts are not required.

I need some help finding several parts of the install code, because
not all the permissions seem to be set properly and the setuid wrappers
are open to exploits involving environment variables (e.g. LD_LIBRARY_PATH)
according to my sysadmin. The exploit stuff is way down below...

Running as dummy user "mj2", with uid=999 and gid=123, all of the install
steps finish normally (no warnings, no errors) but the final result isn't
good: Logged in as "mj2", I can invoke mj_shell and do stuff. Logged in as
anyone else, except root, the shell cannot be started:
     /home/mj2/bin/mj_shell: Permission denied

FIRST PROBLEM: The install procedure happily writes to a directory that
no one else, including the sendmail daemon, can read. In the path above
/home/mj2 had protections of 700, and whether or not /home/mj2/bin was
world readable it cannot even be seen on my Solaris 2.7 box.

Easy enough to fix, but can someone tell me how to fix it in install?
Each branch of the install path needs to be world readable (and for
directories that means world executable, I think). Please tell me if
I'm wrong, but the way I got it to work here was "chmod 755 /home/mj2".

Now I start wondering how this can work, since I was never root for
the entire installation process and I *did* choose to install the
setuid wrappers. That step SHOULD HAVE failed since my unprivileged
user doesn't have setuid authority (it's not in any powerful group,
it's certainly not root, etc) shouldn't it?.

 From the Mj2 README.DIRECTORIES file:
>If the setuid wrappers were built, the actual scripts will have a
>period prepended to their names.  Otherwise the script itself will be
>setuid.  The scripts which are wrapped/made setuid will differ
>depending on which MTA the system is running under.

OK, let's check:
>% cd /home/mj2/bin
>% ls -la
>total 794
>drwxr-xr-x   2 mj2      listserver     512 Aug 25 23:25 .
>drwxr-xr-x  11 mj2      listserver     512 Aug 25 23:26 ..
>-r-xr-xr-x   1 mj2      listserver    7252 Aug 25 23:23 .mj_confirm
>-r-xr-xr-x   1 mj2      listserver   17910 Aug 25 23:23 .mj_email
>-r-xr-xr-x   1 mj2      listserver   10104 Aug 25 23:23 .mj_enqueue
>-r-xr-xr-x   1 mj2      listserver   23565 Aug 25 23:23 .mj_shell
>-r-xr-xr-x   1 mj2      listserver    2266 Aug 25 23:23 .mj_shutdown
>-r-xr-xr-x   1 mj2      listserver   23145 Aug 25 23:23 .mj_wwwadm
>-r-xr-xr-x   1 mj2      listserver   22660 Aug 25 23:23 .mj_wwwusr
>-r-s--s--x   1 mj2      listserver   36692 Aug 25 23:23 mj_confirm
>-r-s--s--x   1 mj2      listserver   36680 Aug 25 23:23 mj_email
>-r-s--s--x   1 mj2      listserver   36692 Aug 25 23:23 mj_enqueue
>-r-xr-xr-x   1 mj2      listserver   21850 Aug 25 23:23 mj_queuerun
>-r-xr-xr-x   1 mj2      listserver    7578 Aug 25 23:23 mj_queueserv
>-r-s--s--x   1 mj2      listserver   36680 Aug 25 23:23 mj_shell
>-r-s--s--x   1 mj2      listserver   36696 Aug 25 23:23 mj_shutdown
>-r-xr-xr-x   1 mj2      listserver    4058 Aug 25 23:23 mj_trigger
>-r-s--s--x   1 mj2      listserver   36692 Aug 25 23:23 mj_wwwadm
>-r-s--s--x   1 mj2      listserver   36692 Aug 25 23:23 mj_wwwusr

SECOND PROBLEM? A couple of entries in the bin directory are not
wrappers? Are mj_queuerun and mj_queueserv so safe they don't
need wrappers, or is this just an oversight?

It took me a bit to find the wrappers directory, but here's mj_shell.c :
>main(ac, av)
>     char **av;
>{
>   execv("/home/mj2/bin/.mj_shell", av);
>}

THIRD PROBLEM: I didn't find the compile command line, but I don't think
the binary is stripped or that there is any checking of the environment
variables. I've been handed a wrapper.c, which my sysadmin says is based
on the original Majordomo, that has a bunch of sanity and security checking
before it calls "execve(prog, argv, new_env);" - but I'll spare you all the
boring details for now. Can anyone comment on safe environments for Mj2?
Can't I just set a malicious environment that replaces shared library paths
and all that, then write a little perl script that calls the wrappers to
become mj2 and fiddle about?

FOURTH PROBLEM: Really a question: Since I finished the install NOT EVER
BEING ROOT, and since the wrappers supposedly do a setuid, does this mean
that using "su" to become the server process ID is safer than using "su"
to become root for the installation? Obviously the mail daemon needs to
have access to the files, but only to run the wrappers, right? From then
on, Mj2 just reads and writes to directories that it owns, no? So why does
the install procedure suggest being root? Is that safe?


SRE

mailto:eckert@climber.org | http://www.climber.org/eckert/
Info on peak climbing email lists mailto:info@climber.org

Before email, five carbon copies were the maximum extension of anybody's ego.




Follow-Ups:
Indexed By Date Previous: Re: Fwd: Mj2 Installation
From: Sudhakar Chandra <thaths@netscape.com>
Next: V2 where is it?
From: geoff.cox@cableinet.co.uk
Indexed By Thread Previous: Re: Fwd: Re: Fwd: Mj2 Installation
From: SRE <eckert@climber.org>
Next: Re: setuid wrappers are insecure?
From: Jason L Tibbitts III <tibbs@math.uh.edu>

Google
 
Search Internet Search www.greatcircle.com