$SAFE=0 for setuid?
in [Ruby]
|
From: Rick Ashton on 6 Apr 2010 04:21 Robert Klemme wrote: > > Write a wrapper script with setuid. You can even do such unsafe things > as > > #!/bin/sh -f > "$@" > Yeah I did try this already as: #!/usr/bin/env sh ruby script.rb but no dice it still gives me safe level 1 on start :( I'm guessing the child processes inherit the flag? > Setuid can be detected by the Ruby interpreter because it is a property > of the script executed. sudo is just a process that changes the > environment in which the Ruby interpreter is started. This is > significantly more difficult to detect since sudo is gone once the > interpreter runs Ah ok thanks, that makes sense :) However I was asking more about the reasons for the design / philosophy rather than why it practically doesn't work with sudo. According to what you say then, sudo works not because it's by design (due to it being safer for some reason) but because there's no way to catch a sudo? But this means that by design, there should be no way that libraries like pcap should be able to function (since they need to be run as root and need SAFE=0), and that the only reason they do work is because Ruby can't detect when they do run with escalated privs in the case of sudo? This means that by design the only way to use the pcap library is to log in as root without escalating the current user's privileges? This however isn't even possible in many linux distros like Ubuntu, as well as in Mac OS X, since the root account is disabled and users should only do root stuff through sudo. If that's the case, it seems like it's all a bit wrong to me, or am I understanding something wrong? -- Posted via http://www.ruby-forum.com/.
From: Brian Candler on 6 Apr 2010 04:42 Rick Ashton wrote: > This means that by design the only way to use the pcap library is to log > in as root without escalating the current user's privileges? This > however isn't even possible in many linux distros like Ubuntu sudo works fine in Ubuntu. Even if you run from the live CD, you can do "sudo bash" to get a root shell. However, the reason for $SAFE=1 is that setuid *scripts* are very dangerous. If you want the full reasons, read http://www.faqs.org/faqs/unix-faq/faq/part4/section-7.html This talks about shell scripts, but the same issues apply to setuid ruby scripts. Escalating to root properly, using su or sudo or even a setuid C wrapper program, makes some of the awkward problems disappear. Of course, you still have the dangers of running a program as root which has to be very careful about validating all its inputs etc, but that's a separate and more obvious issue. -- Posted via http://www.ruby-forum.com/.
From: Rick Ashton on 6 Apr 2010 04:58 Brian Candler wrote: > sudo works fine in Ubuntu. Even if you run from the live CD, you can do > "sudo bash" to get a root shell. > That's what I'm saying. You need to escalate the current user's privs using sudo. You can't have root privs without escalation (ie. log in as root) in Ubuntu or OS X since the root account is disabled as it uses the sudo paradigm. However, unlike Robert, what you're saying is that it's specifically setuid that's problematic, not the privilege escalation itself, and it's the setuid issues that are the reason to have safe level set to 1 rather than the privilege escalation. That makes sense. Regardless, there isn't then a good workaround for what I need? :/ -- Posted via http://www.ruby-forum.com/.
From: Robert Klemme on 6 Apr 2010 05:02 2010/4/6 Rick Ashton <expiation(a)devils.com>: > Robert Klemme wrote: >> >> Write a wrapper script with setuid. You can even do such unsafe things >> as >> >> #!/bin/sh -f >> "$@" Btw, that should have read #!/bin/sh -f exec "$@" It's more efficient. > Yeah I did try this already as: > #!/usr/bin/env sh > ruby script.rb Rather state the path to ruby explicitly. Otherwise you'll introduce another security hole. > but no dice it still gives me safe level 1 on start :( I'm guessing the > child processes inherit the flag? Did you remove the setuid flag from the Ruby script before you tested this approach? Cheers robert -- remember.guy do |as, often| as.you_can - without end http://blog.rubybestpractices.com/
From: Rick Ashton on 6 Apr 2010 05:07 > Did you remove the setuid flag from the Ruby script before you tested > this approach? > Well there's nothing in the actual ruby script that does setuid. I was assuming this is a flag on the process that then gets inherited from the parent process? Is there a way to start the the ruby script then that explicitly tells it to not have setuid? But does this then also mean it doesn't get root privs (which it needs)? -- Posted via http://www.ruby-forum.com/.
First
|
Prev
|
Next
|
Last
Pages: 1 2 3 4 Prev: openCV and ruby Next: [ANN] April Phoenix Ruby User Group Meeting |