Bug 150845 - app-admin/sysklogd: run without root privileges by default
Summary: app-admin/sysklogd: run without root privileges by default
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High enhancement
Assignee: Gentoo's Team for Core System packages
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-10-10 20:18 UTC by Miguel Sousa Filipe
Modified: 2015-09-07 13:54 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments
make drop-root/chroot of klogd work even on linux-hardened with capabilities enabled. (removed email to protect from email harvesting for spam) (sysklogd-1.4.1-cean-owl-klogd-drop-root-fix-capabilities.diff,1.57 KB, patch)
2006-10-11 18:10 UTC, Miguel Sousa Filipe
makefile patch to make klogd.c compile (must link with -lcap) (sysklogd-1.4.1-Makefile-fix-capabilities.diff,487 bytes, patch)
2006-10-11 18:11 UTC, Miguel Sousa Filipe
file to be installed in /etc/conf.d/sysklogd for hardened/chroot users. (sysklogd-1.4.2-files-sysklogd.confd.hardened,146 bytes, text/plain)
2006-10-11 18:12 UTC, Miguel Sousa Filipe
patch to ebuild. (sysklogd-1.4.2.ebuild.diff,1.45 KB, patch)
2006-10-11 18:13 UTC, Miguel Sousa Filipe

Description Miguel Sousa Filipe 2006-10-10 20:18:40 UTC
Hi all,

This bug report wishes to provide safe defaults, apply the least privilege principle, and introduce privilege separation to sysklogd.

In Gentoo, sysklogd can be run without root privileges, and partially chrooted (klogd only). This happens because the Gentoo ebuild for sysklogd includes the following patches:
- /usr/portage/app-admin/sysklogd/files/sysklogd-1.4.1-caen-owl-klogd-drop-root.diff
- /usr/portage/app-admin/sysklogd/files/sysklogd-1.4.1-caen-owl-syslogd-bind.diff
- /usr/portage/app-admin/sysklogd/files/sysklogd-1.4.1-caen-owl-syslogd-drop-root.diff

For that to happen, we must run:
- klogd as user "klog", chrooted into /var/empty (for instance)
- syslogd as user "syslog"

To do that, we must:
- create the respective users.
- Make all files to which syslogd writes by default (log files) writable by syslog. I did this by changing the ownership of these files to the "syslog" user.

Also, in /etc/conf.d/sysklogd we must add the following arguments to each daemon:
- klogd: -u klogd -j /var/empty
- syslogd: -u syslog

Therefore, I propose that the install process for sysklogd create two users:
klog
syslog

and set the ownership of sysklogd's default logfiles (`grep -v ^# /etc/syslog.conf` will show them) to the syslog user.

If not by default for the Gentoo vanilla distribution, then at least in the presence of the "hardened" USE flag.

Thank you very much,
best regards.
Comment 1 Miguel Sousa Filipe 2006-10-11 18:10:14 UTC
Created attachment 99393 [details, diff]
make drop-root/chroot of klogd work even on linux-hardened with capabilities enabled. (removed email to protect from email harvesting for spam)
Comment 2 Miguel Sousa Filipe 2006-10-11 18:11:02 UTC
Created attachment 99394 [details, diff]
makefile patch to make klogd.c compile (must link with -lcap)
Comment 3 Miguel Sousa Filipe 2006-10-11 18:12:07 UTC
Created attachment 99395 [details]
file to be installed in /etc/conf.d/sysklogd for hardened/chroot users.
Comment 4 Miguel Sousa Filipe 2006-10-11 18:13:03 UTC
Created attachment 99396 [details, diff]
patch to ebuild.
Comment 5 Miguel Sousa Filipe 2006-10-11 18:23:18 UTC
Hi,

I've worked out the necessary patches to make sysklogd work as I proposed in the bug report.

The first two patches are needed for the drop_root + chroot() to work correctly on my hardened Gentoo x86.


The patched ebuild was not tested because I don't know how to deal with the checksumming/digest verification.

But it's my first stab at it, and it reflects the proposed alteration request.

best regards,
Comment 6 Miguel Sousa Filipe 2006-10-12 02:34:16 UTC
Comment on attachment 99393 [details, diff]
make drop-root/chroot of klogd work even on linux-hardened with capabilities enabled. (removed email to protect from email harvesting for spam)

>--- sysklogd-1.4.1/klogd.c.orig	2006-10-12 01:29:49.000000000 +0100
>+++ sysklogd-1.4.1/klogd.c	2006-10-12 01:32:58.000000000 +0100
>@@ -246,6 +246,9 @@
>  * Thu Apr 29 15:24:07 2004: Solar Designer <solar@openwall.com>
>  *	Prevent potential buffer overflow in reading messages from the
>  *	kernel log rinbuffer.
>+ *
>+ * Thu Oct 12 00:12:02 2006: Miguel Filipe
>+ *  fix drop_root() to work correctly with capabilities
>  */
> 
> 
>@@ -263,6 +266,8 @@
> #include <stdlib.h>
> #include <pwd.h>
> #include <grp.h>
>+#include <sys/prctl.h>
>+#include <sys/capability.h>
> #include "klogd.h"
> #include "ksyms.h"
> #ifndef TESTING
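Review bot: the new `#include <sys/capability.h>` is unconditional, so every build of klogd.c now requires libcap and the `-lcap` link flag that the separate Makefile patch adds; wrap this include and the capability code in a build-time conditional (for example a define set from the Makefile) so that non-hardened builds keep compiling without libcap.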
>@@ -989,6 +994,9 @@
> static int drop_root(void)
> {
> 	struct passwd *pw;
>+	cap_t cap;
>+	cap_value_t cap_value[2] = { CAP_SYS_ADMIN, CAP_SYS_CHROOT };
>+	int result;
> 
> 	if (!(pw = getpwnam(server_user))) return -1;
> 
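Review bot: `cap_value[]` keeps CAP_SYS_CHROOT alongside CAP_SYS_ADMIN for the whole lifetime of the unprivileged process, yet the chdir("/") step visible at the top of the next hunk has already completed by the time these capabilities are applied, so CAP_SYS_CHROOT is not needed afterwards and should be dropped from the array (with the count passed to cap_set_flag() reduced to 1). CAP_SYS_ADMIN is very broad; a comment stating which klogd operation requires it to be retained would let later readers judge whether it can be narrowed.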
>@@ -999,10 +1007,36 @@
> 		if (chdir("/")) return -1;
> 	}
> 
>+	/* set keep capabilities */
>+	if( prctl( PR_SET_KEEPCAPS, 1, 0, 0, 0 ) ) 
>+		return -1;
>+
>+	/* test whether cap_set_proc works */
>+	cap = cap_get_proc();
>+	if( cap ) {
>+		result = cap_set_proc( cap );
>+		cap_free( cap );
>+		if( result )
>+			return -1;
>+	} else
>+		return -1;
>+
>+
> 	if (setgroups(0, NULL)) return -1;
> 	if (setgid(pw->pw_gid)) return -1;
> 	if (setuid(pw->pw_uid)) return -1;
> 
>+    /* set necessary capabilities */
>+	cap = cap_init();
>+	if( cap_set_flag( cap, CAP_PERMITTED, 2, cap_value, CAP_SET ) || 
>+		cap_set_flag( cap, CAP_EFFECTIVE, 2, cap_value, CAP_SET ) ) 
>+		return -1;
>+
>+	if( cap_set_proc( cap ) ) 
>+		return -1;
>+	if( cap_free( cap ) ) 
>+		return -1;
>+
> 	return 0;
> }
>
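Review bot: `cap = cap_init();` is not checked for NULL before the two `cap_set_flag()` calls, and on each early `return -1` in the new block the cap_t obtained from cap_init() is leaked; add `if (!cap) return -1;` and a `cap_free(cap)` on the failure paths. Two smaller points: PR_SET_KEEPCAPS is left at 1 after the setuid() (a `prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0)` after the final cap_set_proc() restores the default), and the `/* set necessary capabilities */` comment is indented with spaces where the surrounding code uses tabs.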
Comment 7 SpanKY gentoo-dev 2006-11-05 02:05:27 UTC
I really don't like these ... please send them upstream and see if they'll take them
Comment 8 SpanKY gentoo-dev 2006-11-05 02:28:38 UTC
Mmm, looks like this is an ebuild-specific thing ...

still, I don't like it