10-05-2008, 09:01 PM
Erik Hahn

start-stop-daemon sets USER=root - expected behaviour?

On Sun, Oct 05, 2008 at 08:54:25PM +0200, Jil Larner wrote:
> You may wish to specify the --user parameter. As this tool is for system
> daemons (therefore located in /sbin), it seems obvious it starts daemons
> as root by default. I checked on my system and I don't have a setuid bit
> on this program, nor does it start any program when my wheel user
> executes the command. I've no error code, but no process is spawned.

It doesn't run the command as root but as a normal user (it isn't setuid
either). All it does is set the *variables* $USER and $HOME to the
wrong values.

> If your non root user escalates privileges and is able to spawn a root
> process, *and* there is no setuid bit on /sbin/start-stop-daemon, you
> may file a bug, if you have a procedure to reproduce it. Honestly, as
> it is a quite old Debian tool, I don't think it's buggy

This implementation is not by Debian:

> This is a complete re-implementation with the process finding code in
> the OpenRC library (librc, -lrc) so other programs can make use of it.

-Erik

--
hackerkey://v4sw5hw2ln3pr5ck0ma2u7LwXm4l7Gi2e2t4b7Ken4/7a16s0r1p-5.62/-6.56g5OR
 
10-06-2008, 06:41 AM
Jil Larner

start-stop-daemon sets USER=root - expected behaviour?

Hi,

Erik Hahn wrote:
> It doesn't run the command as root but as a normal user (it isn't setuid
> either). All it does is set the *variables* $USER and $HOME to the
> wrong values.
>
Oh, I read too quickly :x And by the way didn't give the right command
switches, which are --chuid, --user and --env. These should give you the
result you wish. Should the program automatically set the correct home and
user? I'd say this could be great, so you may report it as a bug or,
more probably, as a feature request.


> This implementation is not by Debian:
>
>> This is a complete re-implementation with the process finding code in
>> the OpenRC library (librc, -lrc) so other programs can make use of it.

I didn't know. Where did you find this?

Thanks,
Jil
 
10-06-2008, 11:43 AM
Erik Hahn

start-stop-daemon sets USER=root - expected behaviour?

On Mon, Oct 06, 2008 at 08:41:58AM +0200, Jil Larner wrote:
> Hi,
>
> Erik Hahn wrote:
> > It doesn't run the command as root but as a normal user (it isn't setuid
> > either). All it does is set the *variables* $USER and $HOME to the
> > wrong values.
> >
> Oh, I read too quickly :x And by the way didn't give the right command
> switches, which are --chuid, --user and --env. These should give you the
> result you wish. Should the program automatically set the correct home and
> user? I'd say this could be great, so you may report it as a bug or,
> more probably, as a feature request.

No, it simply shouldn't change them, there's no reason to do that (to my
knowledge).

> > This implementation is not by Debian:
> >
> >> This is a complete re-implementation with the process finding code in
> >> the OpenRC library (librc, -lrc) so other programs can make use of it.
>
> I didn't know. Where did you find this?

Man page.

-Erik

--
hackerkey://v4sw5hw2ln3pr5ck0ma2u7LwXm4l7Gi2e2t4b7Ken4/7a16s0r1p-5.62/-6.56g5OR
 
10-06-2008, 06:21 PM
Erik Hahn

start-stop-daemon sets USER=root - expected behaviour?

On Mon, Oct 06, 2008 at 02:27:11PM +0200, Daniel Pielmeier wrote:
> 2008/10/6 Erik Hahn <erik_hahn@gmx.de>:
> > No, it simply shouldn't change them, there's no reason to do that (to my
> > knowledge).
>
> I think it is a big security issue if a normal user could start
> arbitrary daemons with root privileges. So you should file a bug at

It doesn't give anyone root privileges, it only sets wrong variables.

> I think only root should be able to execute start-stop-daemon and the
> user should be changed with the proper command line switches. I
> actually don't know if it is --chuid or --user as this has changed
> between old baselayout and new openrc.

Why's that? Running a program with user privileges is no security
problem at all.

-Erik

--
hackerkey://v4sw5hw2ln3pr5ck0ma2u7LwXm4l7Gi2e2t4b7Ken4/7a16s0r1p-5.62/-6.56g5OR
 
10-06-2008, 07:09 PM
Daniel Pielmeier

start-stop-daemon sets USER=root - expected behaviour?

Erik Hahn wrote on 06.10.2008 20:21:
> On Mon, Oct 06, 2008 at 02:27:11PM +0200, Daniel Pielmeier wrote:
>> 2008/10/6 Erik Hahn <erik_hahn@gmx.de>:
>>> No, it simply shouldn't change them, there's no reason to do that (to my
>>> knowledge).
>> I think it is a big security issue if a normal user could start
>> arbitrary daemons with root privileges. So you should file a bug at
>
> It doesn't give anyone root privileges, it only sets wrong variables.
>
>> I think only root should be able to execute start-stop-daemon and the
>> user should be changed with the proper command line switches. I
>> actually don't know if it is --chuid or --user as this has changed
>> between old baselayout and new openrc.
>
> Why's that? Running a program with user privileges is no security
> problem at all.

I got the intention the program is started with root privileges when
using start-stop-daemon.

Nevertheless I can reproduce your problem with the wrong variables. I
think it should set the variables appropriate for the user running
start-stop-daemon. So you should file a bug report about that.

Regards,

Daniel
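
A check for the condition discussed in this thread (a process running with an ordinary uid while $USER and $HOME name a different account), added here as an example and not code from any poster or from OpenRC. The function name, the sample passwd data and the user "erik" with uid 1000 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report when USER/HOME in the environment disagree with the
# passwd entry of the uid the process actually runs as.

# Constructed sample passwd data (not taken from the thread).
sample_passwd() {
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'erik:x:1000:1000::/home/erik:/bin/bash'
}

# check_env_identity UID USER HOME [PASSWD_FILE]
# Prints one line per mismatching variable.
# Returns 0 if both match, 1 on a mismatch, 2 if UID has no passwd entry.
check_env_identity() {
    uid=$1
    env_user=$2
    env_home=$3
    passwd=${4:-/etc/passwd}
    # Field 1 is the login name, field 3 the uid, field 6 the home directory.
    entry=$(awk -F: -v uid="$uid" '$3 == uid { print $1 ":" $6; exit }' "$passwd")
    [ -n "$entry" ] || return 2
    real_user=${entry%%:*}
    real_home=${entry#*:}
    status=0
    if [ "$env_user" != "$real_user" ]; then
        echo "USER=$env_user but uid $uid is $real_user"
        status=1
    fi
    if [ "$env_home" != "$real_home" ]; then
        echo "HOME=$env_home but uid $uid has home $real_home"
        status=1
    fi
    return $status
}

# Demo on the constructed data: uid 1000 carrying root's USER and HOME.
demo_passwd=$(mktemp)
sample_passwd > "$demo_passwd"
check_env_identity 1000 root /root "$demo_passwd" || echo "environment does not match uid"
rm -f "$demo_passwd"
```

To test a live process, run `check_env_identity "$(id -u)" "$USER" "$HOME"` from inside the command that was launched, so the values compared are the ones the child actually inherited.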
 
