vpnc && setuid

Fri Nov 13 08:27:34 UTC 2015

El día Thursday, November 12, 2015 a las 03:30:26PM +0100, Trond Endrestøl escribió:

> > What is so magic with /usr/local/sbin/vpnc that it does not run with
> > setuid?
> 
> Maybe vpnc calls setuid(2) and changes the effective uid to the real 
> uid before reading the configuration file. Inspecting the source code 
> or running ktrace should verify or falsify my assumption.

I managed to run vpnc as normal user with an attached ktrace as root (I
modified the source of vpnc to insert a sleep to be able to attach
ktrace as root from another terminal); it turns out that vpnc drops the
privs:

 ...
 31019 vpnc     NAMI  "/etc/gcrypt/fips_enabled"
 31019 vpnc     RET   access -1 errno 2 No such file or directory
 31019 vpnc     CALL  open(0x280face4,0<O_RDONLY>,<unused>0x1b6)
 31019 vpnc     NAMI  "/proc/sys/crypto/fips_enabled"
 31019 vpnc     RET   open -1 errno 2 No such file or directory
 31019 vpnc     CALL  open(0x280fa9a8,0<O_RDONLY>,<unused>0x1b6)
 31019 vpnc     NAMI  "/etc/gcrypt/hwf.deny"
 31019 vpnc     RET   open -1 errno 2 No such file or directory
 31019 vpnc     CALL  __sysctl(0xbfbfde1c,0x2,0xbfbfde18,0xbfbfde24,0,0)
 31019 vpnc     SCTL  "p1003_1b.pagesize"
 31019 vpnc     RET   __sysctl 0
 31019 vpnc     CALL  mmap(0,0x4000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,0xffffffff,0,0)
 31019 vpnc     RET   mmap 671645696/0x28088000
 31019 vpnc     CALL  getuid
 31019 vpnc     RET   getuid 1001/0x3e9
 31019 vpnc     CALL  mlock(0x28088000,0x4000)
 31019 vpnc     RET   mlock 0
 31019 vpnc     CALL  geteuid
 31019 vpnc     RET   geteuid 0
 31019 vpnc     CALL  setuid(0x3e9)
 31019 vpnc     RET   setuid 0
 31019 vpnc     CALL  getuid
 31019 vpnc     RET   getuid 1001/0x3e9
 31019 vpnc     CALL  geteuid
 31019 vpnc     RET   geteuid 1001/0x3e9
 31019 vpnc     CALL  setuid(0)
 31019 vpnc     RET   setuid -1 errno 1 Operation not permitted
 ...

The calls *uid() are not in the source tree of vpnc itself, they must be
invoked from some used infrastructure libs. 

I will not further debug this as the TODO of vpnc itself says:

...
* optional drop root (rekey? reconnect? vpnc-script calls?)
  - Don't drop privileges, ever, but allow to be run suid.
  - If euid != ruid, clear out env on program start.
  - Sanitize variables for vpnc-script (snarf code from
    callscript.c from dhcpclient).
  - If euid != ruid, disable command line options (but not the profile
    parameter).
  - If euid != ruid, treat profiles as filenames only. They must not
    be paths, i.e. contain PATHSEP. Read them relative to /etc/vpnc.
  - Make sure vpnc-disconnect only kills processes owned by same user.
...

Thx

	matthias

-- 
Matthias Apitz, ✉ guru at unixarea.de, 🌐 http://www.unixarea.de/  ☎ +49-176-38902045