Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 296413 - net-analyzer/mtr-0.75 unabe to run as normal user
Summary: net-analyzer/mtr-0.75 unabe to run as normal user
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: AMD64 Linux
: High normal (vote)
Assignee: Netmon Herd
URL:
Whiteboard:
Keywords:
Depends on: CVE-2008-2357
Blocks:
  Show dependency tree
 
Reported: 2009-12-10 15:31 UTC by Etaoin Shrdlu
Modified: 2010-07-02 19:40 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Etaoin Shrdlu 2009-12-10 15:31:11 UTC
$ ls -l /usr/sbin/mtr
-rws--x--- 1 root root 84808 Dec 10 09:48 /usr/sbin/mtr

When I try to run it as non-root user, I get

$ mtr
bash: /usr/sbin/mtr: Permission denied

Reproducible: Always
Comment 1 Etaoin Shrdlu 2009-12-10 15:32:19 UTC
# emerge --info  
Portage 2.1.6.13 (default/linux/amd64/10.0, gcc-4.3.4, glibc-2.9_p20081201-r2, 2.6.31-gentoo-r6 x86_64)
=================================================================                                      
System uname: Linux-2.6.31-gentoo-r6-x86_64-Pentium-R-_Dual-Core_CPU_E5200_@_2.50GHz-with-gentoo-1.12.13
Timestamp of tree: Thu, 10 Dec 2009 01:45:01 +0000
app-shells/bash:     4.0_p35
dev-java/java-config: 2.1.9-r1
dev-lang/python:     2.6.4
dev-util/cmake:      2.6.4-r3
sys-apps/baselayout: 1.12.13
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.63-r1
sys-devel/automake:  1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6b
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/ftp/mirror/gentoo                 http://ftp.snt.ipv6.utwente.nl/pub/os/linux/gentoo                 http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo"
LDFLAGS="-Wl,-O1"
LINGUAS="en_GB"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.au.gentoo.org/gentoo-portage"
USE="X accessibility acpi alsa amd64 avi branding bzip2 caps cdr chm cracklib crypt curl cxx dbus dri dvd dvdr ffmpeg firefox flac font-server ftp gif gtk gtk2 gzip handbook idn iproute2 ipv6 jabber java java6 jpeg kde kdehiddenvisibility kdexdeltas ldap lzo mad mmx mng mozbranding mp3 mp4 mpeg multilib musepack ncurses nls nptl nptlonly nsplugin ogg opengl pam pcap pcre pdf perl png posix ps python qt qt3support qt4 rdesktop rdp readline samba sdl smp sockets socks5 sql sqlite sse sse2 ssl startup-notification svg syslog tcl theora threads threadsafe tiff tk truetype truetype-fonts type1-fonts unicode usb userlocales video vim-syntax vnc vorbis wav webkit wireshark xcb xine xinerama xml xml2 xorg zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en_GB" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="vesa fbdev nvidia"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 2 Etaoin Shrdlu 2010-05-21 18:36:23 UTC
The problem is still there. If it has to be like this, at least explain why and close the bug as invalid or won't fix. Thanks
Comment 3 Jeremy Olexa (darkside) (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-07-01 19:37:54 UTC
(In reply to comment #2)
> The problem is still there. If it has to be like this, at least explain why and
> close the bug as invalid or won't fix. Thanks
> 

It is indeed insteresting to note that mtr can be ran as normal user because it has the setuid bit anyway.
Comment 4 Etaoin Shrdlu 2010-07-01 19:47:57 UTC
It does, but since the permissions for normal users are "---", in Gentoo it doesn't work "out of the box" for normal users.
Comment 5 Jeremy Olexa (darkside) (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-07-02 01:12:27 UTC
So, more looking into this. It doesn't make much sense to be setuid and only 710. If setuid is required, then it should be 711. Futhermore, if 710 is insisted on then setuid bit should NOT be set. So, after reading bug 223017, I get the sense that the solution is unanswered. Here is one possible option:

%% cvs di
Index: mtr-0.79.ebuild
===================================================================
RCS file: /var/cvsroot/gentoo-x86/net-analyzer/mtr/mtr-0.79.ebuild,v
retrieving revision 1.1
diff -u -r1.1 mtr-0.79.ebuild
--- mtr-0.79.ebuild     15 Jun 2010 16:09:52 -0000      1.1
+++ mtr-0.79.ebuild     2 Jul 2010 01:05:25 -0000
@@ -14,7 +14,7 @@
 LICENSE="GPL-2"
 SLOT="0"
 KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
-IUSE="gtk ipv6"
+IUSE="gtk ipv6 suid"
 
 RDEPEND="sys-libs/ncurses
        gtk? ( >=x11-libs/gtk+-2.4.0 )"
@@ -37,7 +37,10 @@
        emake DESTDIR="${D}" install || die "make install failed"
 
        fowners root:0 /usr/sbin/mtr
-       fperms 4710 /usr/sbin/mtr
-
+       if use suid; then
+               fperms 4711 /usr/sbin/mtr
+       else
+               fperms 0710 /usr/sbin/mtr
+       fi
        dodoc AUTHORS ChangeLog FORMATS NEWS README SECURITY TODO || die
 }

That will give no functional change when compile as USE=-suid compared to current behavior. When compile with USE=suid, then this bug is solved and users can run mtr. I don't really consider setuid a security risk for this package though because the program drops privs as soon as it can (look at the source, mtr.c)

Anyone from netmon@g.o can provide comments here?
Comment 6 Etaoin Shrdlu 2010-07-02 17:12:22 UTC
With 710 it will *still* fail for normal users, since the owner is root:root.
I think either +x for others is required in any case, or ownership has to be changed.
Comment 7 Jeremy Olexa (darkside) (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-07-02 17:21:37 UTC
(In reply to comment #6)
> With 710 it will *still* fail for normal users, since the owner is root:root.
> I think either +x for others is required in any case, or ownership has to be
> changed.
> 

You ignored the setuid bit. It is this setuid bit that is causing disagreement in bug 223017, if you read it. The point of my patch was either 4711 (fix *this* bug) or 0710 (drop setuid and maintain current behavior). So, in otherwords, with my patch, enable USE=suid and normal users can run mtr..
Comment 8 Jeremy Olexa (darkside) (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-07-02 18:27:36 UTC
Committed comment #5

+  02 Jul 2010; Jeremy Olexa <darkside@gentoo.org> mtr-0.79.ebuild:
+  Fix suid/permission handling. Bug 296413, approved by pva
Comment 9 Etaoin Shrdlu 2010-07-02 18:51:32 UTC
Ok, so given that NOT using USE=suid would then render the program completely unusable for normal users, probably a word of warning in the ebuild when suid is not used would make sense (eg, "must be run as root or set USE=suid").
Comment 10 Jeremy Olexa (darkside) (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-07-02 19:05:22 UTC
(In reply to comment #9)
> Ok, so given that NOT using USE=suid would then render the program completely
> unusable for normal users,

You mean like it is now?

> probably a word of warning in the ebuild when suid
> is not used would make sense (eg, "must be run as root or set USE=suid").

Why? It is located in /usr/sbin. This is not in your PATH by default. If you add sbin to your PATH, then you should know that is may need root privs to run. I'm leaning on the side of common sense here. In my opinion, there is no need to clutter up elog/etc for common sense items.
Comment 11 Etaoin Shrdlu 2010-07-02 19:40:48 UTC
Your call, but personally I know a lot of users (including myself) who keep /sbin and /usr/sbin in their PATH and routinely run commands that are there (ip, ifconfig, route, ping, traceroute etc.) and those all work without problems for normal users, even those that are suid.
That's why mtr looks like an exception to me. As I said, personally I know how to fix that, I was just suggesting that other users might find a brief message about the anomaly useful.