
Bug 150845

Summary: app-admin/sysklogd: run without root privileges by default
Product: Gentoo Linux
Reporter: Miguel Sousa Filipe <miguel.filipe>
Component: New packages
Assignee: Gentoo's Team for Core System packages <base-system>
Status: CONFIRMED
Severity: enhancement
CC: hardened, Scooter08cd
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Attachments:
- make drop-root/chroot of klogd work even on linux-hardened with capabilities enabled. (removed email to protect from email harvesting for spam)
- makefile patch to make klogd.c compile (must link with -lcap)
- file to be installed in /etc/conf.d/sysklogd for hardened/chroot users.
- patch to ebuild.

Description Miguel Sousa Filipe 2006-10-10 20:18:40 UTC
Hi all,

This bug report wishes to provide safe defaults, apply the least privilege principle, and introduce privilege separation to sysklogd.

In Gentoo, sysklog can be run without root privileges and partially chrooted (klogd only). This happens because the Gentoo ebuild for sysklog includes the following patches:
- /usr/portage/app-admin/sysklogd/files/sysklogd-1.4.1-caen-owl-klogd-drop-root.diff
- /usr/portage/app-admin/sysklogd/files/sysklogd-1.4.1-caen-owl-syslogd-bind.diff
- /usr/portage/app-admin/sysklogd/files/sysklogd-1.4.1-caen-owl-syslogd-drop-root.diff

For that to happen, we must run:
- klogd with user "klog", and chroot it into /var/empty (for instance)
- syslogd with user "syslog"

To do that, we must:
- create the respective users.
- make all files to which syslogd writes by default (log files) writable by syslog. I did this by changing the ownership of these files to the "syslog" user.

Also, in /etc/conf.d/sysklogd we must add the following arguments to each daemon:
klogd:  -u klogd -j /var/empty
syslogd: -u syslog

Therefore, I propose that the install process for sysklogd create two users:
- klog
- syslog

and set the ownership of sysklog default logfiles (`grep -v ^# /etc/syslog.conf` will show them) to the syslog user.

If not by default for the gentoo vanilla distribution, at least in the presence of the USE flag: "hardened".

Thank you very much,
best regards.
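The user and log-file ownership setup proposed above, as an added example written for this page (it is not the reporter's attachment, nor the ebuild's or sysklogd's own code): it extracts the file targets from a sysklogd-style syslog.conf and, only when APPLY=1, creates the klog and syslog users and hands those files to syslog. The useradd options and /var/empty as home/chroot are assumptions.

```shell
# Added example, not from the bug report's attachments or the sysklogd ebuild.
# Prints one log-file path per line from a sysklogd-style syslog.conf
# (default /etc/syslog.conf). Lines are "selector<ws>action"; a file action
# starts with "/" or "-/" (unsynced), while "@host", "|fifo", "*" (wall) and
# user lists are not files and are skipped.
syslog_conf_files() {
    conf="${1:-/etc/syslog.conf}"
    grep -v '^[[:space:]]*#' "$conf" | awk '
        NF >= 2 {
            action = $2
            sub(/^-/, "", action)   # "-/var/log/messages" -> "/var/log/messages"
            if (action ~ /^\//) print action
        }' | sort -u
}

# Create the "klog" and "syslog" users proposed in the report and give the
# log files to "syslog" (mode 0640, so other users cannot read them). Assumes
# shadow's useradd options and /var/empty as the chroot/home directory; this
# needs root, so it only prints the commands unless APPLY=1 is set.
setup_sysklogd_users() {
    conf="${1:-/etc/syslog.conf}"
    run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$@"; fi; }
    run mkdir -p /var/empty
    run useradd -r -d /var/empty -s /sbin/nologin klog
    run useradd -r -d /var/empty -s /sbin/nologin syslog
    syslog_conf_files "$conf" | while read -r f; do
        run touch "$f"
        run chown syslog:syslog "$f"
        run chmod 0640 "$f"
    done
}
```

Run `setup_sysklogd_users` once without APPLY to review the commands, then `APPLY=1 setup_sysklogd_users` as root; the /etc/conf.d/sysklogd arguments (`-u klog -j /var/empty` and `-u syslog`) still have to be added by hand.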
Comment 1 Miguel Sousa Filipe 2006-10-11 18:10:14 UTC
Created attachment 99393 [details, diff]
make drop-root/chroot of klogd work even on linux-hardened with capabilities enabled. (removed email to protect from email harvesting for spam)
Comment 2 Miguel Sousa Filipe 2006-10-11 18:11:02 UTC
Created attachment 99394 [details, diff]
makefile patch to make klogd.c compile (must link with -lcap)
Comment 3 Miguel Sousa Filipe 2006-10-11 18:12:07 UTC
Created attachment 99395 [details]
file to be installed in /etc/conf.d/sysklogd for hardened/chroot users.
Comment 4 Miguel Sousa Filipe 2006-10-11 18:13:03 UTC
Created attachment 99396 [details, diff]
patch to ebuild.
Comment 5 Miguel Sousa Filipe 2006-10-11 18:23:18 UTC
Hi,

I've worked the necessary patches to make sysklogd work as I proposed in the bug report.

The first 2 patches are needed for the drop_root + chroot() to work correctly on my hardened gentoo x86.


The patched ebuild was not tested because I don't know how to deal with the checksumming/digest verification.

But it's my first stab at it... and it reflects the proposed alteration request.

best regards,
Comment 6 Miguel Sousa Filipe 2006-10-12 02:34:16 UTC
Comment on attachment 99393 [details, diff]
make drop-root/chroot of klogd work even on linux-hardened with capabilities enabled. (removed email to protect from email harvesting for spam)

>--- sysklogd-1.4.1/klogd.c.orig	2006-10-12 01:29:49.000000000 +0100
>+++ sysklogd-1.4.1/klogd.c	2006-10-12 01:32:58.000000000 +0100
>@@ -246,6 +246,9 @@
>  * Thu Apr 29 15:24:07 2004: Solar Designer <solar@openwall.com>
>  *	Prevent potential buffer overflow in reading messages from the
>  *	kernel log rinbuffer.
>+ *
>+ * Thu Oct 12 00:12:02 2006: Miguel Filipe
>+ *  fix drop_root() to work correctly with capabilities
>  */
> 
> 
>@@ -263,6 +266,8 @@
> #include <stdlib.h>
> #include <pwd.h>
> #include <grp.h>
>+#include <sys/prctl.h>
>+#include <sys/capability.h>
> #include "klogd.h"
> #include "ksyms.h"
> #ifndef TESTING
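Review bot: the two new includes at the top of this hunk make klogd.c depend on libcap unconditionally, and sysklogd 1.4.1 builds from a plain Makefile with no configure-time detection, so a system without the libcap headers will no longer compile klogd at all, even when drop-root is not used. Consider guarding the includes and the new code in drop_root() with a preprocessor symbol that the companion Makefile patch (attachment 99394, which adds -lcap) defines, so the header and link dependencies stay in sync.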
>@@ -989,6 +994,9 @@
> static int drop_root(void)
> {
> 	struct passwd *pw;
>+	cap_t cap;
>+	cap_value_t cap_value[2] = { CAP_SYS_ADMIN, CAP_SYS_CHROOT };
>+	int result;
> 
> 	if (!(pw = getpwnam(server_user))) return -1;
> 
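Review bot: cap_value[] keeps CAP_SYS_ADMIN and CAP_SYS_CHROOT after the uid change, but the chroot/chdir("/") in drop_root() happens before setgroups()/setgid()/setuid() (see the context at the top of the next hunk), so CAP_SYS_CHROOT does not appear to be needed in the retained set; dropping it narrows what a compromised klogd could do. CAP_SYS_ADMIN is what the kernel of that era requires for reading the kernel log buffer through syslog(2), but it is a very broad capability, so a comment next to the array stating why each retained capability is needed would help future readers.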
>@@ -999,10 +1007,36 @@
> 		if (chdir("/")) return -1;
> 	}
> 
>+	/* set keep capabilities */
>+	if( prctl( PR_SET_KEEPCAPS, 1, 0, 0, 0 ) ) 
>+		return -1;
>+
>+	/* test whether cap_set_proc works */
>+	cap = cap_get_proc();
>+	if( cap ) {
>+		result = cap_set_proc( cap );
>+		cap_free( cap );
>+		if( result )
>+			return -1;
>+	} else
>+		return -1;
>+
>+
> 	if (setgroups(0, NULL)) return -1;
> 	if (setgid(pw->pw_gid)) return -1;
> 	if (setuid(pw->pw_uid)) return -1;
> 
>+    /* set necessary capabilities */
>+	cap = cap_init();
>+	if( cap_set_flag( cap, CAP_PERMITTED, 2, cap_value, CAP_SET ) || 
>+		cap_set_flag( cap, CAP_EFFECTIVE, 2, cap_value, CAP_SET ) ) 
>+		return -1;
>+
>+	if( cap_set_proc( cap ) ) 
>+		return -1;
>+	if( cap_free( cap ) ) 
>+		return -1;
>+
> 	return 0;
> }
>
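Review bot: cap_init() in the "set necessary capabilities" block can return NULL, and its result is passed straight to cap_set_flag() without a check; add `if( !cap ) return -1;` after `cap = cap_init();`, matching the NULL check already done for cap_get_proc() earlier in the hunk. On the cap_set_flag() and cap_set_proc() failure paths the cap_t is also never released with cap_free(), a small leak on error. Minor style point: the `/* set necessary capabilities */` comment is indented with spaces while the surrounding code uses tabs.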
Comment 7 SpanKY gentoo-dev 2006-11-05 02:05:27 UTC
I really don't like these ... please send them upstream and see if they'll take them
Comment 8 SpanKY gentoo-dev 2006-11-05 02:28:38 UTC
mmm looks like this is an ebuild-specific thing ...

still, I don't like it