Bug 28333
| Summary: | rtprio/idprio setuid problems | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Base System | Reporter: | huntting | ||||
| Component: | bin | Assignee: | freebsd-bugs (Nobody) <bugs> | ||||
| Status: | Closed FIXED | ||||||
| Severity: | Affects Only Me | ||||||
| Priority: | Normal | ||||||
| Version: | Unspecified | ||||||
| Hardware: | Any | ||||||
| OS: | Any | ||||||
| Attachments: |
|
||||||
|
Description
huntting
2001-06-22 05:50:00 UTC
On Thu, Jun 21, 2001 at 10:41:03PM -0600, Brad Huntting wrote: > On some (but by no means all) systems it is desireable to > allow non-root users the ability to start realtime processes. The same can be same about almost any program which requires superuser privileges, not just rtprio/idprio. > The obvious way to allow this is to "chmod u+s /usr/sbin/rtprio". > Unfortunatly, this causes all programs started with rtprio > (and idprio) to run as root. The included patch adds a > line to reset the euid before exec()ing the program. > > Note: I am NOT advocating that rtprio should be installed > setuid-root by default! However, if the sysadmin wants to > allow non-root users this privledge, then making a setuid-root > program (perhaps executable by only one group) is the "unix > way". No, the UNIX way is to use something a tool like sudo (in the ports collection) which lets the admin manage which users get to execute which commands with privilege. Adding uid-management code to all sorts of non-privileged binaries just in case someone misguidedly makes it setuid is the wrong solution. Kris >> On some (but by no means all) systems it is desireable to >> allow non-root users the ability to start realtime processes. > The same can be same about almost any program which requires superuser > privileges, not just rtprio/idprio. >> The obvious way to allow this is to "chmod u+s /usr/sbin/rtprio". >> Unfortunatly, this causes all programs started with rtprio >> (and idprio) to run as root. The included patch adds a >> line to reset the euid before exec()ing the program. >>=20 >> Note: I am NOT advocating that rtprio should be installed >> setuid-root by default! However, if the sysadmin wants to >> allow non-root users this privledge, then making a setuid-root >> program (perhaps executable by only one group) is the "unix >> way". > No, the UNIX way is to use something a tool like sudo (in the ports > collection) which lets the admin manage which users get to execute > which commands with privilege. Adding uid-management code to all > sorts of non-privileged binaries just in case someone misguidedly > makes it setuid is the wrong solution. Granted, for programs like renice, chown, etc, sudo is ideal. But chroot, {id,rt}prio, and nice are different because, not only do they perform a prevledged operation, they exec() a new program afterward. A sudo like wrapper for these would need to grok the command line semantics of each utilities to be a viable alternative. Even then, it would be a security risk, unless it provided some mechanism to insure that the command line semantics of nice (et al) stay in sync with this sudo-like program. And once you've gone to all that trouble you might has well just make a special setuid version of nice (et al) that does uid management and is runable by ordinary users. Once you've done that, you might as well call it "nice" (etc), because everyone already understands how "nice" works. Or did you have some other idea for a sudo like tool. thanx, brad On Sun, Jul 08, 2001 at 05:06:29PM -0600, Brad Huntting wrote:
> > No, the UNIX way is to use something a tool like sudo (in the ports
> > collection) which lets the admin manage which users get to execute
> > which commands with privilege. Adding uid-management code to all
> > sorts of non-privileged binaries just in case someone misguidedly
> > makes it setuid is the wrong solution.
>
> Granted, for programs like renice, chown, etc, sudo is ideal. But
> chroot, {id,rt}prio, and nice are different because, not only do
> they perform a prevledged operation, they exec() a new program
> afterward.
>
> A sudo like wrapper for these would need to grok the command line
> semantics of each utilities to be a viable alternative. Even then,
> it would be a security risk, unless it provided some mechanism to
> insure that the command line semantics of nice (et al) stay in sync
> with this sudo-like program. And once you've gone to all that
> trouble you might has well just make a special setuid version of
> nice (et al) that does uid management and is runable by ordinary
> users. Once you've done that, you might as well call it "nice"
> (etc), because everyone already understands how "nice" works.
>
> Or did you have some other idea for a sudo like tool.
Have you positively determined that sudo or another such existing tool
can't be used to do what you want?
Kris
> Have you positively determined that sudo or another such existing tool
> can't be used to do what you want?
After looking around, I think POSIX1e Capabilities are probably
the best solution to this problem. It comes with alot of security
bagage, but it's probably the "right" way to solve which is
essentially a fine-grain security issue.
thanx,
brad
State Changed From-To: open->closed Looks like there's agreement this can be solved better than by proposed patch |
