| Field | Value | Field | Value |
|---|---|---|---|
| Summary | app-admin/sysklogd: run without root privileges by default | | |
| Product | Gentoo Linux | Reporter | Miguel Sousa Filipe <miguel.filipe> |
| Component | New packages | Assignee | Gentoo's Team for Core System packages <base-system> |
| Status | CONFIRMED --- | | |
| Severity | enhancement | CC | hardened, Scooter08cd |
| Priority | High | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Package list | | Runtime testing required | --- |

Attachments:

- make drop-root/chroot of klogd work even on linux-hardened with capabilities enabled. (removed email to protect from email harvesting for spam)
- makefile patch to make klogd.c compile (must link with -lcap)
- file to be installed in /etc/conf.d/sysklogd for hardened/chroot users.
- patch to ebuild.
Description
Miguel Sousa Filipe
2006-10-10 20:18:40 UTC
Created attachment 99393 [details, diff]
make drop-root/chroot of klogd work even on linux-hardened with capabilities enabled. (removed email to protect from email harvesting for spam)
Created attachment 99394 [details, diff]
makefile patch to make klogd.c compile (must link with -lcap)
Created attachment 99395 [details]
file to be installed in /etc/conf.d/sysklogd for hardened/chroot users.
Created attachment 99396 [details, diff]
patch to ebuild.
Hi, I've worked the necessary patches to make sysklogd work as I proposed in the bug report. The first 2 patches are needed for the drop_root + chroot() to work correctly on my hardened gentoo x86. The patched ebuild was not tested because I don't know how to deal with the checksumming/digest verification, but it's my first stab at it.. and it reflects the proposed alteration request. best regards,

Comment on attachment 99393 [details, diff]
make drop-root/chroot of klogd work even on linux-hardened with capabilities enabled. (removed email to protect from email harvesting for spam)

>--- sysklogd-1.4.1/klogd.c.orig 2006-10-12 01:29:49.000000000 +0100 >+++ sysklogd-1.4.1/klogd.c 2006-10-12 01:32:58.000000000 +0100 >@@ -246,6 +246,9 @@ > * Thu Apr 29 15:24:07 2004: Solar Designer <solar@openwall.com> > * Prevent potential buffer overflow in reading messages from the > * kernel log rinbuffer. >+ * >+ * Thu Oct 12 00:12:02 2006: Miguel Filipe >+ * fix drop_root() to work correctly with capabilities > */ > > >@@ -263,6 +266,8 @@ > #include <stdlib.h> > #include <pwd.h> > #include <grp.h> >+#include <sys/prctl.h> >+#include <sys/capability.h> > #include "klogd.h" > #include "ksyms.h" > #ifndef TESTING >@@ -989,6 +994,9 @@ > static int drop_root(void) > { > struct passwd *pw; >+ cap_t cap; >+ cap_value_t cap_value[2] = { CAP_SYS_ADMIN, CAP_SYS_CHROOT }; >+ int result; > > if (!(pw = getpwnam(server_user))) return -1; 
> >@@ -999,10 +1007,36 @@ > if (chdir("/")) return -1; > } > >+ /* set keep capabilities */ >+ if( prctl( PR_SET_KEEPCAPS, 1, 0, 0, 0 ) ) >+ return -1; >+ >+ /* test whether cap_set_proc works */ >+ cap = cap_get_proc(); >+ if( cap ) { >+ result = cap_set_proc( cap ); >+ cap_free( cap ); >+ if( result ) >+ return -1; >+ } else >+ return -1; >+ >+ > if (setgroups(0, NULL)) return -1; > if (setgid(pw->pw_gid)) return -1; > if (setuid(pw->pw_uid)) return -1; > >+ /* set necessary capabilities */ >+ cap = cap_init(); >+ if( cap_set_flag( cap, CAP_PERMITTED, 2, cap_value, CAP_SET ) || >+ cap_set_flag( cap, CAP_EFFECTIVE, 2, cap_value, CAP_SET ) ) >+ return -1; >+ >+ if( cap_set_proc( cap ) ) >+ return -1; >+ if( cap_free( cap ) ) >+ return -1; >+ > return 0; > } >

I really don't like these ... please send 'em upstream and see if they'll take them

Mmm, looks like this is an ebuild-specific thing ... still, I don't like it
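Review bot: in the `drop_root()` body hunk, `cap = cap_init();` is passed to `cap_set_flag( cap, ... )` without a NULL check, and the `return -1;` paths that follow skip `cap_free( cap )`; add `if( !cap ) return -1;` and free the set on each failure path. The retained set also needs a comment saying which call requires each capability: `CAP_SYS_ADMIN` is a very broad capability to keep in the effective set of a process that has just called `setuid()`, and if the `chroot()` has already happened above the `if (chdir("/")) return -1;` context line, `CAP_SYS_CHROOT` can be left out of `cap_value[]` so the unprivileged klogd does not retain a capability it no longer uses.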
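Review bot: the `#include <sys/capability.h>` in the includes hunk makes libcap a hard build dependency; the Makefile change (attachment 99394, `-lcap`) and the ebuild need a matching DEPEND on libcap, otherwise the build fails on systems without it. Wrapping the capability code in an `#ifdef` would keep klogd buildable where libcap is absent.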
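Review bot: in the `drop_root()` declarations hunk, `cap_value[2]` is paired with the literal `2` passed twice to `cap_set_flag()` later in the patch; deriving the count from `sizeof(cap_value) / sizeof(cap_value[0])` keeps the array and the count from drifting apart if a capability is added or removed.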