From owner-freebsd-questions@freebsd.org Fri Nov 13 08:27:34 2015 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 28A41A2B165 for ; Fri, 13 Nov 2015 08:27:34 +0000 (UTC) (envelope-from guru@unixarea.de) Received: from ms-10.1blu.de (ms-10.1blu.de [178.254.4.101]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id D56891765 for ; Fri, 13 Nov 2015 08:27:33 +0000 (UTC) (envelope-from guru@unixarea.de) Received: from [89.204.135.34] (helo=localhost.unixarea.de) by ms-10.1blu.de with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.76) (envelope-from ) id 1Zx9hg-0004Bg-Jx; Fri, 13 Nov 2015 09:27:29 +0100 Received: from localhost.my.domain (c720-r276659 [127.0.0.1]) by localhost.unixarea.de (8.14.9/8.14.9) with ESMTP id tAD8RODi002131 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 13 Nov 2015 09:27:24 +0100 (CET) (envelope-from guru@unixarea.de) Received: (from guru@localhost) by localhost.my.domain (8.14.9/8.14.9/Submit) id tAD8RLCv002130; Fri, 13 Nov 2015 09:27:21 +0100 (CET) (envelope-from guru@unixarea.de) X-Authentication-Warning: localhost.my.domain: guru set sender to guru@unixarea.de using -f Date: Fri, 13 Nov 2015 09:27:21 +0100 From: Matthias Apitz To: Trond =?utf-8?Q?Endrest=C3=B8l?= Cc: FreeBSD Questions , Maurice Massar Subject: Re: vpnc && setuid Message-ID: <20151113082721.GA2056@c720-r276659> Reply-To: Matthias Apitz Mail-Followup-To: Matthias Apitz , Trond =?utf-8?Q?Endrest=C3=B8l?= , FreeBSD Questions , Maurice Massar References: <20151112093622.GA3261@c720-r276659> <20151112101333.GA3606@c720-r276659> <20151112120549.GA3983@c720-r276659> <20151112134447.GA4418@c720-r276659> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: X-Operating-System: FreeBSD 11.0-CURRENT r269739 (i386) User-Agent: Mutt/1.5.23 (2014-03-12) X-Con-Id: 51246 X-Con-U: 0-guru X-Originating-IP: 89.204.135.34 X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 13 Nov 2015 08:27:34 -0000 El día Thursday, November 12, 2015 a las 03:30:26PM +0100, Trond Endrestøl escribió: > > What is so magic with /usr/local/sbin/vpnc that it does not run with > > setuid? > > Maybe vpnc calls setuid(2) and changes the effective uid to the real > uid before reading the configuration file. Inspecting the source code > or running ktrace should verify or falsify my assumption. I managed to run vpnc as normal user with an attached ktrace as root (I modified the source of vpnc to insert a sleep to be able to attach ktrace as root from another terminal); it turns out that vpnc drops the privs: ... 31019 vpnc NAMI "/etc/gcrypt/fips_enabled" 31019 vpnc RET access -1 errno 2 No such file or directory 31019 vpnc CALL open(0x280face4,0,0x1b6) 31019 vpnc NAMI "/proc/sys/crypto/fips_enabled" 31019 vpnc RET open -1 errno 2 No such file or directory 31019 vpnc CALL open(0x280fa9a8,0,0x1b6) 31019 vpnc NAMI "/etc/gcrypt/hwf.deny" 31019 vpnc RET open -1 errno 2 No such file or directory 31019 vpnc CALL __sysctl(0xbfbfde1c,0x2,0xbfbfde18,0xbfbfde24,0,0) 31019 vpnc SCTL "p1003_1b.pagesize" 31019 vpnc RET __sysctl 0 31019 vpnc CALL mmap(0,0x4000,0x3,0x1002,0xffffffff,0,0) 31019 vpnc RET mmap 671645696/0x28088000 31019 vpnc CALL getuid 31019 vpnc RET getuid 1001/0x3e9 31019 vpnc CALL mlock(0x28088000,0x4000) 31019 vpnc RET mlock 0 31019 vpnc CALL geteuid 31019 vpnc RET geteuid 0 31019 vpnc CALL setuid(0x3e9) 31019 vpnc RET setuid 0 31019 vpnc CALL getuid 31019 vpnc RET getuid 1001/0x3e9 31019 vpnc CALL geteuid 31019 vpnc RET geteuid 1001/0x3e9 31019 vpnc CALL setuid(0) 31019 vpnc RET setuid -1 errno 1 Operation not permitted ... The calls *uid() are not in the source tree of vpnc itself, they must be invoked from some used infrastructure libs. I will not further debug this as the TODO of vpnc itself says: ... * optional drop root (rekey? reconnect? vpnc-script calls?) - Don't drop privileges, ever, but allow to be run suid. - If euid != ruid, clear out env on program start. - Sanitize variables for vpnc-script (snarf code from callscript.c from dhcpclient). - If euid != ruid, disable command line options (but not the profile parameter). - If euid != ruid, treat profiles as filenames only. They must not be paths, i.e. contain PATHSEP. Read them relative to /etc/vpnc. - Make sure vpnc-disconnect only kills processes owned by same user. ... Thx matthias -- Matthias Apitz, ✉ guru@unixarea.de, 🌐 http://www.unixarea.de/ ☎ +49-176-38902045