happenings last night
Auke Kok
auke.kok at planet.nl
Thu Feb 13 01:01:13 GMT 2003
sorry for the lengthy text, but please read along if you were not there:
===============
(23:51:17) csm: so what do you think about attacking lget first?
(23:51:32) sofar: reason why we're here: major security revision for
lget, lin lrm
(23:51:38) csm: we certainly do NOT need priv's to download software
(23:51:46) sofar: we need non-root downloads
(23:51:50) sofar: non-root compiles
(23:52:03) sofar: lget is relatively easy
(23:52:06) sofar: I think
(23:52:21) sofar: for this we need
(23:52:41) sofar: a var/lock/lunar that is owned by user 'lunar'
(23:52:47) csm: good
(23:52:51) sofar: I'm just keeping the 'lunar' scheme here
(23:52:55) csm: good
(23:53:01) hardkrash: back
(23:53:38) csm: question sofar...
(23:53:39) niki [~hohoho at 50C58A49.flatrate.dk] entered the room.
(23:53:39) niki is now known as +niki
(23:53:58) csm: in the internal core when you lin a module does it call
lget to do that bit of work?
(23:54:22) sofar: yes
(23:54:31) sofar: that's why cvs downloads twice actually
(23:54:37) sofar: ;^)
(23:54:39) csm: so what would happen if the lget executable was setuid
lunar?
(23:54:44) sofar: eep!
(23:54:49) sofar: not necessary!
(23:54:53) csm: okay
(23:55:09) sofar: well yeah sudo or whatever is enough
(23:55:24) csm: what would be the harm if it was?
(23:55:39) sofar: possible abuse of strings, local root holes etc
(23:55:48) sofar: ;^)
(23:55:53) csm: setuid lunar though... NOT privileged
(23:55:56) hardkrash: sudo why use sudo?
(23:56:08) sofar: I meant su -
(23:56:11) sofar: not sudo
(23:56:22) hardkrash: ok
(23:56:22) sofar: read along
(23:56:27) sofar: vi lget
(23:56:32) sofar: main ()
(23:57:06) sofar: if [ $UID != 0 ] ; then su - lunar lget $@ ; else #go
on ; fi
(23:57:28) sofar: right?
(23:57:42) sofar: lget becomes its own wrapper
(23:57:42) niki: Evening all
(23:57:44) csm: wait... even if it's root i would want it to switch to
lunar
(23:57:55) sofar: erm
(23:57:57) niki: so you are planning a separation user ?
(23:57:58) sofar: oops
(23:58:04) sofar: the other way round of course!
(23:58:05) sofar: hehehe
(23:58:10) csm: he-he!
(23:58:17) sofar: yup
(23:58:30) sofar: dropping privs by going to a normal user
(23:58:40) csm: how about the lunar user is uid=99 (just for example)
and the code looks like this:
(23:58:50) csm: if [ $UID != 99 ] ; then su - lunar lget $@ ; else #go
on ; fi
(23:59:34) csm: that way it just doesn't matter who you are it drops
privs to do its work
(23:59:43) hardkrash: lget should be able to run as a non root user
(23:59:44) sofar: echo "LUSERID=99"
(23:59:48) sofar: ;^)
(00:00:06) sofar: echo "LUSERNAME=lunar" >> /etc/lunar/config
(00:00:13) csm: yeah or even a function which nabs the uid for lunar out
of /etc/passwd in case some numby changes the default
(00:00:50) niki: What about using this info for the test:
(00:00:55) csm: lemme get into X... brb
(00:00:56) niki: nikgul at ng0101-lap ~ $ id
(00:00:56) niki: uid=500(nikgul) gid=554(nikgul)
groups=554(nikgul),29(audio),100(users)
(00:00:57) @csm left the room ("all your anthrax are belong to us").
(00:01:23) sofar: groups=99(lunar),554(nikgul),29(audio),100(users)
(00:01:26) sofar: yes
(00:01:29) sofar: possibly
(00:01:30) niki: there you have the uid, couldn't that be used ?
(00:01:53) csm [~csm at rdu74-169-059.nc.rr.com] entered the room.
(00:01:53) csm is now known as @csm
(00:02:03) sofar: id is fine
(00:02:05) hardkrash: niki $echo $UID
(00:02:13) hardkrash: niki #echo $UID
(00:02:16) niki: id | cut -d "=" -f 1 | cut -d "(" -f 1 ?
(00:02:17) sofar: but bash provides it himself and should be preferred
(00:02:25) sofar: id -u
(00:02:32) niki: lol
(00:02:56) csm: so long as lget drops privs if you're root or su's to
lunar to run I would be happy
(00:02:57) niki: Yeah, hadn't looked at the id options yet ;o)
(00:03:32) sofar: well we have an issue here
(00:03:42) hardkrash: whats that
(00:03:44) sofar: 1) dropping down to user lunar - no problem
(00:03:46) hardkrash: ass when we su
(00:03:49) hardkrash: a password?
(00:03:55) csm: brb
(00:03:57) @csm left the room (Client Quit).
(00:04:06) sofar: 2) niki typing 'lget' and lget raising his privs to
'lunar' - big problem
(00:04:13) csm [~csm at rdu74-169-059.nc.rr.com] entered the room.
(00:04:14) csm is now known as @csm
(00:04:23) hardkrash: a lunar group
(00:04:26) sofar: (00:04:06) sofar: 2) niki typing 'lget' and lget
raising his privs to 'lunar' - big problem
(00:04:26) csm: okay i should be done gyrating for a while
(00:04:45) niki: sofar: Don't matter for me, i have root access anyway
;op
(00:05:07) sofar: well it's a whole different game and I think we should
AVOID it (2)
(00:05:15) csm: you know what... if you had to be root to call lget that
would be fine with me... it's who it runs as that's the problem!
(00:05:15) niki: Only root should be able to su
(00:05:20) sofar: sudo exists for that
(00:05:36) sofar: yup
(00:05:45) sofar: well it makes our lives a bit easier
(00:05:55) csm: so doing it that way is fine with me
(00:06:06) niki: Anyway, why should a user be interested in running
lget ??
(00:06:18) sofar: good point
(00:06:22) hardkrash: humm
(00:06:27) sofar: it's been asked more than once!
(00:06:40) csm: just the convenience of using the lunar tool to nab the
latest version if he/she wants to poke around in the source
(00:06:45) sofar: because it's better not to run lget as root
(00:06:58) hardkrash: i shouldn't have to be root to download the
source files
(00:07:00) sofar: *unless* we drop privs in lget
(00:07:07) csm: right but in this scenario we won't be right?
(00:07:08) niki: csm: Then they can grab the url from lvu DETAILS
<Module>
(00:07:29) sofar: yeah yeah yeah
(00:07:37) csm: niki sure... i am not advocating it... i am just saying
the biggest reason they want it
(00:07:41) sofar: lvu website curl | xargs w3m
(00:07:47) niki: Ahh...
(00:08:08) hardkrash: so <M"LK;
(00:08:08) hardkrash: '[/
(00:08:24) hardkrash: sorry
(00:08:35) hardkrash: 3 year old cousin typing for me
(00:09:07) sofar: hahaha
(00:09:08) csm: he-he
(00:09:12) sofar: good
(00:09:15) csm: likely excuse!
(00:09:16) sofar: start early!!!!
(00:09:22) niki: What about using "lvu source <Module>" to just output
the url for the module source, then they can use that
(00:09:35) sofar: url
(00:09:45) csm: okay so we need to implement the lunar user elsewhere
and he needs to be core from now on...
(00:09:54) sofar: functions
(00:09:57) csm: we need to set perms on lock and tmp for him
(00:09:59) niki: wget $(lvu source <Module>) ?
(00:10:13) sofar: hence var/lock/lunar
(00:10:15) csm: what else?
(00:10:30) hardkrash: /var/spool/lunar
(00:10:43) sofar: that one already exists
(00:11:02) csm: yeah but the perms have to change right?
(00:11:03) sofar: root can also move the source to /var/spool/lunar
(00:11:20) csm: yeah that's true
(00:11:26) hardkrash: good point
(00:11:31) niki: what about letting lget <Module> save the module source
in the users home dir, maybe under a lunar subdir ?
(00:11:34) sofar: but gid=lunar is better
(00:11:46) csm: yes...
(00:11:50) hardkrash: i like that
(00:11:53) hardkrash: a lunar group
(00:11:58) sofar: lunar:lunar
(00:12:55) csm: yes... uid:gid lunar is perfect
(00:13:05) ***sofar nods
(00:13:50) csm: once we achieve the perms in the lget script we simply
need to make sure all the dirs have the right perms and we're done with
this
(00:14:05) csm: this should not be very painful at all
(00:14:15) hardkrash: true
(00:14:19) sofar: cvs/theedge/install
(00:14:33) sofar: ^^ the place to do uid/gid/chmod stuff
(00:14:33) csm: yes
(00:14:58) csm: it will have to go into lunar too
(00:15:07) csm: no choice
(00:15:20) sofar: first theedge
(00:15:26) csm: if we change the install the first time a user installs
from it lunar is not compatible we're toast
(00:16:04) csm: s/it lunar/it if lunar/
(00:16:35) sofar: that is why cvs/theedge/install is the place to fix
those permissions
(00:16:39) hardkrash: clarify
(00:16:52) sofar: it will make upgrades and people moving to theedge
happy
(00:17:14) sofar: going back to lunar is no problem for now
(00:17:23) sofar: hence we can work on it in theedge
(00:17:29) sofar: until we're happy
(00:17:56) niki: as always ;o)
(00:21:06) csm: alright well how long do you think it will take to write
the new functions so we can start testing?
(00:22:33) sofar: ick!
(00:22:56) csm: ick he says... geez!
(00:23:39) sofar: geez I don't know
(00:23:53) sofar: big problem is locking right now
(00:24:00) sofar: locks are made everywhere
(00:24:10) sofar: we need to revise that part badly
(00:24:19) csm: so we'll have to start making them in /var/locl/lunar ?
(00:24:28) csm: s/locl/lock/
(00:24:29) sofar: yes
(00:24:39) sofar: I think that would solve a lot of problem
(00:24:40) sofar: s
(00:24:42) csm: do we have a locking function?
(00:24:46) sofar: one
(00:24:54) csm: is that the only one we use?
(00:24:55) sofar: lget is using its own locking (ouch)
(00:24:57) hardkrash: where
(00:25:03) hardkrash: sec brb
(00:25:04) csm: or are there some stand-alones
(00:25:57) tchan: And how will all of this ^^^^ take care of the problem
of running lin as root ?
(00:27:50) csm: it's just the first step
(00:30:04) csm: after this we will have to start figuring out how to
drop privs for all but make install
(00:30:40) csm: brb
(00:32:43) hardkrash: back
(00:33:12) hardkrash: hunting down a 4 year old
(00:33:15) hardkrash: ahhhhhhhhhh
(00:33:29) sofar: wow, it got a year older in 15 minutes?
(00:33:35) hardkrash: no
(00:33:43) hardkrash: different kid
(00:33:44) sofar: *g* two kids
(00:34:02) hardkrash: yea two
(00:39:43) csm: back but i gotta do dinner now
(00:39:49) hardkrash: lol
(00:39:54) tchan: while a few devs are here, I just thought I'd mention
that the static/dynamic tar issue is still bugging us. I just had to
recompile uClibc with gcc-3.2.2 and it failed because my tar,bzip2, and
gzip were dynamic.
(00:41:10) hardkrash: why don't we have a tar,bzip,gzip
(00:41:14) csm: i thought we solved that problem already!
(00:41:21) hardkrash: have a static build
(00:41:26) hardkrash: for recovery
(00:43:30) tchan: That is how I solved my problem. I overwrote my lunar
box with the static versions of tar,bzip2,gzip from the 1.2 iso and then
uClibc compiled successfully.
(00:44:14) hardkrash: so we should make a recovery package
(00:44:39) hardkrash: ltarballrecover
(00:45:26) hardkrash: that would copy the files to the proper location
(00:45:41) tchan: I guess average lunar users won't even see the problem
of dynamic vs static binaries because most aren't involved in compiling
or using alternate libc's.
(00:46:13) hardkrash: :-P
(00:47:30) tchan: okay, I'll let everyone get back to brain-storming
about permissions for lget, lunar, and lrm. :-)
(00:47:42) hardkrash: :-P
(00:48:18) tchan: I'm off to dinner as well, but I'll read back through
the scroll buffer later tonight....
(00:49:36) hardkrash: ok
===============
--
Auke Kok <auke.kok at planet.nl>