[OpenIndiana-discuss] Solaris privileges and seteuid()
Frank Lahm
franklahm at gmail.com
Wed Aug 15 13:38:35 UTC 2012
Hi all,
I'm having difficulties with Solaris privileges and seteuid().
I have a forking daemon process running as root. The process is afpd
from the Netatalk (OS AFP fileserver). The main afpd process accepts
network connections, authenticates users (through PAM) and, forks and
runs seteuid(USER).
Occasionally the process calls seteuid(0) to execute priviliged
operations and then goes seteuid(USER) back again.
This all works find with local Solaris users. Now I've added Active
Directory to the mix (smbadm join, nss_ad, pam_krb5). Works fine
execpt for one issue which is a result of the following idmap
restriction
man idmap
...
To prevent aliasing problems, all file systems, archive and
backup formats, and protocols must store SIDs or map all
UIDs and GIDs in the 2^31 to 2^32 - 2 range to the nobody
user and group.
...
This means any file created by an afpd process (Solaris CIFS/NFS don't
have this issue) running with the effective uid of an AD user is
created with and owner/group of nobody:
root at oi:~# ps -elf | grep aduser
0 S aduser at a 12440 12193 0 40 20 ? 4518 ? 15:03:12 ? 0:00
/usr/local/netatalk/sbin/afpd -d -F
root at oi:~# pcred 12440
12440: euid=2147500125 ruid=0 suid=0 egid=2147491842 rgid=0 sgid=0
root at oi:~# getent passwd aduser at ad.hh.netafp.com
aduser at ad.hh.netafp.com:x:2147500125:2147491842:AD User::/bin/sh
...create file via AFP (touch /Volumes/test/afpfile1 on a Mac)...
root at oi:~# ls -l /Volumes/test/afpfile1
-rw-rw-rw- 1 nobody nobody 0 Aug 15 15:04 /Volumes/test/afpfile1
The file "afpfile1" was created by the afpd process [12440] with a
call to open(...O_CREAT...).
I know from writing a simple test program (see below) that a possible
workaround to enforce owner/group for file is just calling chown on
them. This works with chown(1)
root at oi:~# chown aduser at ad.hh.netafp.com /Volumes/test/afpfile1
root at oi:~# ls -l /Volumes/test/afpfile1
-rw-rw-rw- 1 aduser at ad.hh.netafp.com nobody 0 Aug 15 15:04
/Volumes/test/afpfile1
...and it works in the test program, unfortunately it doesn't work for
afpd, all I get is EPERM (missing privilege file_chown_self). As I'm
wrapping the fchwon call between seteuid(0) and seteuid(USER) and I've
also verified that PAS (privilege awareness state) for the process is
0 by call getpflags(PRIV_AWARE) before the call to chmod:
Code:
LOG(log_note, logtype_afpd, "afp_createfile: PAS: %s",
getpflags(PRIV_AWARE) ? "PRIV_AWARE" : "not PRIV_AWARE");
Log:
Aug 15 15:06:42.083590 afpd[12440] {file.c:732} (N:AFPDaemon):
afp_createfile: PAS: not PRIV_AWARE
truss shows:
root at oi:~# truss -v all -t fchown,seteuid -p 12440
seteuid(0) = 0
fchown(10, -2147467171, -2147475454) Err#1 EPERM [file_chown_self]
seteuid(2147500125) = 0
The negative uid and gid for fchown are ok, truss interprets the
ephemeral ids (defined to be >0x8000000) as negative numbers.
root at oi:~# ppriv 12440
12440: /usr/local/netatalk/sbin/afpd -d -F /usr/local/netatalk/etc/afp.conf
flags = <none>
E: basic
I: basic
P: all
L: all
No matter what I try (increasing privileges for the process with eg
ppriv -s EIPL=all PID), it always fails with EPERM which strikes me as
it is demonstratably doing the fchown() with an effective uid of 0.
I highly appreciate any insight or pointers. There's a budget for paid
consulting, you can also contact me by PM if your interested and you
think you can help.
Thank you!
-f
---8<---
/*
* gcc -o seteuid seteuid.c
*/
#define _FILE_OFFSET_BITS 64
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <errno.h>
#include <pwd.h>
#define ERROR(msg) do { perror(msg); exit(1); } while (0)
int wait_for_key(void)
{
printf(" [Press RETURN to continue...]");
getchar();
}
int main (int argc, char **argv)
{
struct stat st;
const char *name, *file;
struct passwd *pwd;
int fd;
if (argc < 3) {
printf("usage: %s USERNAME FILENAME\n", argv[0]);
exit(1);
}
name = argv[1];
file = argv[2];
if (getuid() != 0) {
printf("Must be run with uid 0 (root)\n");
exit(1);
}
if ((pwd = getpwnam(name)) == NULL)
ERROR("getpwnam");
printf("name: %s, uid: %u\n", name, pwd->pw_uid);
printf("switching effective uid to %u", pwd->pw_uid);
wait_for_key();
if (seteuid(pwd->pw_uid) != 0)
ERROR("seteuid");
printf("creating file ...");
wait_for_key();
if ((fd = creat(file, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH)) == -1)
ERROR("creat");
if (fstat(fd, &st) != 0)
ERROR("fstat");
printf("file owner uid: %u\n", st.st_uid);
printf("switch effective uid back to 0 (root) ...");
wait_for_key();
if (seteuid(0) != 0)
ERROR("seteuid");
printf("Try to change owner of testfile to %u", pwd->pw_uid);
wait_for_key();
if (fchown(fd, pwd->pw_uid) != 0)
ERROR("fchown");
close(fd);
return 0;
}
---8<---
More information about the OpenIndiana-discuss
mailing list