Re: [SLUG] Problems with setuid bits on file permissions

From: Ian C. Blenke (icblenke@nks.net)
Date: Mon Jul 23 2001 - 14:49:19 EDT


On Mon, Jul 23, 2001 at 07:57:17AM -0700, Electric Monk wrote:
> As I understand it, when the set-user-id part of the
> permissions mask (4000) is set, the executable file
> (in this case, the samba daemon) runs as the uid that
> owns the file.

Yes. The executable runs as "effective uid" of whatever the uid of the
owner of that executable is.

There are basic differences between "effective uid" and "real uid",
however. When you setuid bit an executable, the process runs as
seteuid() changing the euid, but the uid stays the same.

Try this:

        bob$ su - root
        # cp /usr/bin/id /tmp
        # chown nobody /tmp/id
        # chmod 4555 /tmp/id
        # exit
        bob$ /tmp/id
        uid=500(bob) gid=500(bob) euid=65534(nobody) groups=500(bob)

See the difference? The command can do things as "nobody" due to its
euid, but the command is still running with the uid of the user that
started it.

Now, if you setuid an executable that is owned by root, the same thing
happens. The only difference is that the process now has the ability
to do anything as euid root, which includes setuid() for real. If the
process does a setuid() call to another uid, the uid really will change.

> What I'm trying to do is get samba to run as the
> system user "samba" that I set up on my machine, in
> order to prevent it from running as root while still
> having access to all the necessary files.

This isn't going to work. Samba needs to bind to UDP ports 137,138 (nmb)
and TCP port 139 (smb). As these ports are within the privileged port
range (1-1023), you're stuck (unless you start them from inetd).

Samba also needs to be run as root (not setuid() root, mind you! just
straight root!) to allow it to setuid() to user uid/gid's as clients
connect. Each client gets a spawned samba process handling that users'
connection.

This would also inherently break any non-public shares, as samba will be
unable to setuid to the user in question.

What you are looking for is Samba run in a "sandbox mode". You would
need to intercept all setuid() calls (which will fail when not run as
root), and deal with things like nmb not working whatsoever. Some
broken setuid() platforms with Samba ports do just this.

Unfortunately, I don't think Samba *can* run as anything aside from
root - at least not as built out of the box.

> I've set the file modes for smbd and nmbd as "4555" and
> set the owner of both files as "samba". However, the
> programs only seem to start when I execute them as the
> root user (I tried running them as a regular user, and
> although it didn't produce any error messages, it
> didn't show up in the process list either), and on
> running "ps aucx", I find out that they are running as
> root, despite the fact that I set the setuid part of
> the file mask.

They were started by root, which has the ability to setuid() or
seteuid() to anything it wishes. With ps, you are seeing the uid - not
the euid - of the running processes.

> What am I doing wrong?

Samba running as anything but root is going to be difficult. If you're
really paranoid, you could always try something like pitbull to break
the daemon into its own virtual domain. Or even better yet, run the
server in a User Mode Linux virtual machine - and treat it like a
honeypot.

IMHO, SMB as a protocol is inherently broken and open to LM hash replay
attacks. If you're really concerned with security, DON'T USE SMB.

Don't use NFS either, for that matter ;)

Maybe AFS. Maybe.

Ain't filesharing grand?

 - Ian C. Blenke <ian@blenke.com> <icblenke@nks.net>



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 16:38:02 EDT