Date: Thu, 12 Nov 2015 14:44:47 +0100
From: Matthias Apitz <guru@unixarea.de>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: vpnc && setuid
Message-ID: <20151112134447.GA4418@c720-r276659>
In-Reply-To: <20151112120549.GA3983@c720-r276659>
References: <20151112093622.GA3261@c720-r276659>
 <CALfReydC1JD1LNUHHPev=q7WA98b52mootDngOQmEtXTUKkWYA@mail.gmail.com>
 <20151112101333.GA3606@c720-r276659>
 <CALfReydZkhuAjqphEsBkn%2B%2BzV1emBj5VUjfSpe%2BDyOr=mmZdDw@mail.gmail.com>
 <20151112120549.GA3983@c720-r276659>

On Thursday, November 12, 2015 at 01:05:49PM +0100, Matthias Apitz wrote:
> On Thursday, November 12, 2015 at 10:19:38AM +0000, krad wrote:
>
> > Looks like you need to 640 or 644 it.
>
> Why? The /usr/local/sbin/vpnc is set to:
>
> # ls -l /usr/local/sbin/vpnc
> -rwsr-xr-x 1 root wheel 105092 10 nov 20:12 /usr/local/sbin/vpnc
>
> and the proc should run with euid=0, i.e. as root, but does not do this
> and the question is, why?

I wrote a small C-pgm:

#define _GNU_SOURCE
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>

/* Run a call and report its errno via perror() */
#define call(fun) errno = 0; fun; perror(#fun)

int main(int argc, char **argv) {
    FILE *fp;
    uid_t ruid = -1, euid = -1, suid = -1;

    /* IDs as seen right after exec of the set-user-ID binary */
    getresuid(&ruid, &euid, &suid);
    printf("> ruid=%d, euid=%d, suid=%d\n", ruid, euid, suid);

    /* Opening the config file only succeeds with sufficient privilege */
    fp = fopen("/usr/local/etc/vpnc.conf", "r");
    if( fp != NULL ) {
        printf("file /usr/local/etc/vpnc.conf opened\n");
        fclose(fp);
    }

    /* With euid 0, setuid() changes real, effective and saved UID */
    call(setuid(1000));
    getresuid(&ruid, &euid, &suid);
    printf("> ruid=%d, euid=%d, suid=%d\n", ruid, euid, suid);

    return 0;
}

# cc set.c
# strip a.out
# chmod 6711 a.out
# ls -l /usr/local/sbin/vpnc a.out
-rws--s--x 1 root wheel 105092 10 nov 20:12 /usr/local/sbin/vpnc
-rws--s--x 1 root wheel 4340 12 nov 14:41 a.out

When I run this as a normal user, it works as expected:

$ ./a.out
> ruid=1001, euid=0, suid=0
file /usr/local/etc/vpnc.conf opened
setuid(1000): No error: 0
> ruid=1000, euid=1000, suid=1000

What is so magic with /usr/local/sbin/vpnc?

-- 
Matthias Apitz, ✉ guru@unixarea.de, 🌐 http://www.unixarea.de/ ☎ +49-176-38902045
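
Added example, not part of the original message and not a diagnosis of the vpnc case: a small C checker for the general file-side conditions under which a set-user-ID bit is honoured at exec time (regular file, S_ISUID set, executable, filesystem not mounted nosuid). The names classify_suid and check_path are hypothetical.

```c
/* Added example: classify whether a file's set-user-ID bit can take effect. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <sys/stat.h>
#include <sys/statvfs.h>

enum suid_status {
    SUID_OK = 0,         /* bit set, executable, filesystem allows it */
    SUID_NOT_REGULAR,    /* not a regular file */
    SUID_BIT_MISSING,    /* mode lacks S_ISUID */
    SUID_NOT_EXEC,       /* no execute bit set at all */
    SUID_NOSUID_MOUNT    /* filesystem is mounted nosuid */
};
static const char *suid_text[] = {
    "set-user-ID should be honoured", "not a regular file",
    "S_ISUID bit is not set", "no execute permission bits",
    "filesystem is mounted nosuid"
};

/* Pure classification, so it can be exercised on constructed input. */
enum suid_status classify_suid(mode_t mode, unsigned long mnt_flags)
{
    if (!S_ISREG(mode))                          return SUID_NOT_REGULAR;
    if (!(mode & S_ISUID))                       return SUID_BIT_MISSING;
    if (!(mode & (S_IXUSR | S_IXGRP | S_IXOTH))) return SUID_NOT_EXEC;
    if (mnt_flags & ST_NOSUID)                   return SUID_NOSUID_MOUNT;
    return SUID_OK;
}

/* Classify a real path; returns -1 if stat() or statvfs() fails. */
int check_path(const char *path, uid_t *owner)
{
    struct stat st;
    struct statvfs vfs;
    if (stat(path, &st) != 0 || statvfs(path, &vfs) != 0) return -1;
    if (owner) *owner = st.st_uid;   /* euid after exec becomes this uid */
    return classify_suid(st.st_mode, vfs.f_flag);
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        uid_t owner = 0;
        int r = check_path(argv[i], &owner);
        if (r < 0) { perror(argv[i]); continue; }
        printf("%s: owner uid=%ld: %s\n", argv[i], (long)owner, suid_text[r]);
    }
    return 0;
}
```

Run it with the paths of the binaries to compare as arguments; it only inspects file mode and mount flags, so privilege changes made by the program itself after startup are outside what it can report.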