From: Leif Gustafson
Date: Thu, 15 Mar 2012 20:11:26 -0800
Subject: [monit-dev] "check program" change uid preliminary patch

Hello,

Following up on the conversation in monit-general about adding an option to "check program" to drop root privileges, I took a look at the source code and tried to see how difficult it would be to add it. I'm not extremely familiar with the source tree, nor do I usually use C for my day job, so be gentle, but I was able to mock up a preliminary working patch (against 5.3.2). I think this is a pretty important security feature for "check program" because if the user isn't careful a malicious trojan could be executed as root.

I had to make a couple of workarounds to get this to work. The "check" statements appear to be designed to only take one parameter (in this case, the path to the program), so I had to modify the grammar of "check program" a bit. But also, the order in which the statement is being parsed means the Service_t hasn't been created yet when uid/gid are parsed.
So, I have to save those in static global variables and then set them in the instance of Service_t once it has been created.

So, testing this with something like "check program test-script with path '/home/lgustafson/test-uid.sh' as uid 1000 as gid 1000 if status != 0 then alert" worked for me. The script was indeed run as my uid/gid. The caveat is the supplemental group list still contains root, so the script could still modify writable files owned by gid 0. I'm not certain that there is a portable solution for that, but it could be resolved on some of the platforms you support.

Like I said, this is just a preliminary patch/brainstorming exercise.

Attachment: check-program-set-uid.patch

diff -x .hg -ur monit-5.3.2/libmonit/src/system/Command.c = monit-5.3.2-check-program/libmonit/src/system/Command.c=0A= --- monit-5.3.2/libmonit/src/system/Command.c 2011-12-20 = 11:40:30.000000000 -0900=0A= +++ monit-5.3.2-check-program/libmonit/src/system/Command.c 2012-03-15 = 17:38:07.278188871 -0800=0A= 
@@ -476,14 +476,14 @@=0A= _exit(errno);=0A= }=0A= }=0A= - if (C->uid)=0A= - P->uid =3D (setuid(C->uid) !=3D 0) ? = ERROR("Command: Cannot change process uid to '%d' -- %s\n", C->uid, = System_getLastError()), getuid() : C->uid;=0A= - else=0A= - P->uid =3D getuid();=0A= if (C->gid)=0A= P->gid =3D (setgid(C->gid) !=3D 0) ? = ERROR("Command: Cannot change process gid to '%d' -- %s\n", C->gid, = System_getLastError()), getgid() : C->gid;=0A= else=0A= P->gid =3D getgid();=0A= + if (C->uid)=0A= + P->uid =3D (setuid(C->uid) !=3D 0) ? = ERROR("Command: Cannot change process uid to '%d' -- %s\n", C->uid, = System_getLastError()), getuid() : C->uid;=0A= + else=0A= + P->uid =3D getuid();=0A= setsid(); // Loose controlling terminal=0A= setupChildPipes(P);=0A= // Close all descriptors except stdio=0A= diff -x .hg -ur monit-5.3.2/src/monit.h = monit-5.3.2-check-program/src/monit.h=0A= --- monit-5.3.2/src/monit.h 2011-12-20 11:40:30.000000000 -0900=0A= +++ monit-5.3.2-check-program/src/monit.h 2012-03-15 16:53:58.834905706 = -0800=0A= @@ -762,7 +762,8 @@=0A= Timestamp_T timestamplist; /**< Timestamp = check list */=0A= Uid_T uid; = /**< Uid check */=0A= Program_T program; /**< Status (of program = execution) check */=0A= - =0A= + uid_t programuid; /**< UID to run = program check as */=0A= + gid_t programgid; /**< GID to run = program check as */=0A= =0A= EventAction_T action_PID; /**< Action upon = pid change */=0A= EventAction_T action_PPID; /**< Action upon = ppid change */=0A= diff -x .hg -ur monit-5.3.2/src/p.y monit-5.3.2-check-program/src/p.y=0A= --- monit-5.3.2/src/p.y 2011-12-20 11:40:30.000000000 -0900=0A= +++ monit-5.3.2-check-program/src/p.y 2012-03-15 18:12:51.536512133 -0800=0A= @@ -180,6 +180,8 @@=0A= static char * htpasswd_file =3D NULL;=0A= static int digesttype =3D DIGEST_CLEARTEXT;=0A= static int hassystem =3D FALSE;=0A= + static uid_t proguid =3D 0;=0A= + static gid_t proggid =3D 0;=0A= =0A= #define BITMAP_MAX (sizeof(long long) * 8)=0A= =0A= 
@@ -221,6 +223,8 @@=0A= static void addgid(Gid_T);=0A= static void addeuid(uid_t);=0A= static void addegid(gid_t);=0A= + static void progadduid(uid_t);=0A= + static void progaddgid(gid_t);=0A= static void addeventaction(EventAction_T *, int, int);=0A= static void seteventaction(EventAction_T *, int, int);=0A= static void prepare_urlrequest(URL_T U);=0A= @@ -485,6 +489,8 @@=0A= | group=0A= | depend=0A= | exitvalue=0A= + | uid=0A= + | gid=0A= ; =0A= =0A= setalert : SET alertmail formatlist reminder {=0A= @@ -864,6 +870,29 @@=0A= check_exec($4);=0A= createservice(TYPE_PROGRAM, $2, $4, = check_program);=0A= }=0A= + | CHECKPROGRAM SERVICENAME PATHTOK PATH = puseroptionlist {=0A= + /* store a local copy of the uid/gid */=0A= + uid_t luid =3D proguid;=0A= + gid_t lgid =3D proggid;=0A= +=0A= + /* Immediately reset static global variables = back to 0=0A= + before an error */=0A= + proguid =3D 0;=0A= + proggid =3D 0;=0A= +=0A= + check_exec($4);=0A= + createservice(TYPE_PROGRAM, $2, $4, = check_program);=0A= +=0A= + /* store uid in current service if non-zero */=0A= + if (luid) {=0A= + progadduid( luid );=0A= + }=0A= +=0A= + /* store gid in current service if non-zero */=0A= + if (lgid) {=0A= + progaddgid( lgid );=0A= + }=0A= + }=0A= ;=0A= =0A= start : START argumentlist exectimeout {=0A= @@ -1752,6 +1781,17 @@=0A= | REMINDER NUMBER CYCLE { mailset.reminder =3D = $2; }=0A= ;=0A= =0A= +puseroptionlist : puseroption=0A= + | puseroptionlist puseroption=0A= + ;=0A= +=0A= +/* Setting static global variables because the service isn't available = yet */=0A= +puseroption : UID STRING { proguid =3D get_uid($2, 0); FREE($2); }=0A= + | GID STRING { proggid =3D get_gid($2, 0); FREE($2); }=0A= + | UID NUMBER { proguid =3D get_uid(NULL, $2); }=0A= + | GID NUMBER { proggid =3D get_gid(NULL, $2); }=0A= + ;=0A= +=0A= %%=0A= =0A= =0A= 
@@ -2970,6 +3010,25 @@=0A= yyerror("gid statement requires root privileges");=0A= }=0A= =0A= +/*=0A= + * Add uid for "check program" to current service=0A= + */=0A= +static void progadduid(uid_t uid) {=0A= + if (!getuid()) {=0A= + current->programuid =3D uid;=0A= + } else=0A= + yyerror("uid statement requires root privleges");=0A= +}=0A= +=0A= +/*=0A= + * Add gid for "check program" to current service=0A= + */=0A= +static void progaddgid(gid_t gid) {=0A= + if (!getuid()) {=0A= + current->programgid =3D gid;=0A= + } else=0A= + yyerror("gid statement requires root privileges");=0A= +}=0A= =0A= /*=0A= * Reset the logfile if changed=0A= diff -x .hg -ur monit-5.3.2/src/validate.c = monit-5.3.2-check-program/src/validate.c=0A= --- monit-5.3.2/src/validate.c 2011-12-20 11:40:30.000000000 -0900=0A= +++ monit-5.3.2-check-program/src/validate.c 2012-03-15 = 17:29:34.981685138 -0800=0A= 
@@ -457,6 +457,16 @@=0A= return FALSE;=0A= }=0A= s->program->C =3D Command_new(s->path, NULL);=0A= +=0A= + DEBUG("check program uid %i, gid %i", s->programuid, = s->programgid);=0A= +=0A= + if (s->programuid) {=0A= + Command_setUid(s->program->C, s->programuid);=0A= + }=0A= +=0A= + if (s->programgid) {=0A= + Command_setGid(s->program->C, s->programgid);=0A= + }=0A= }=0A= =0A= if (P) {=0A= 

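Review bot: the Command.c hunk (@@ -476) gets the order of the two drops right (setgid() now runs before setuid(), which is required because once setuid() has left root the later setgid() fails with EPERM), but it leaves the supplementary group list alone, which is exactly the caveat in the cover mail: neither setgid() nor setuid() clears it, so a child of a root daemon keeps gid 0 in its groups and can still write files that are group-writable by root. Suggest a setgroups(0, NULL) (or initgroups() where a user name is available) immediately before `if (C->gid)`, plus a one-line comment on why the order matters so nobody swaps it back. Separately, the pre-existing fallback `ERROR(...), getuid() : C->uid` means a failed setuid()/setgid() is logged and the program is still run as root; for a check program that is worse than not running it at all, so `_exit(errno)` as in the block just above would be the safer outcome.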
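Review bot: in the p.y hunk at line 180, the new file-scope statics proguid/proggid carry parser state between grammar actions and are only reset inside the new CHECKPROGRAM action; if a syntax error occurs after a puseroption has been reduced but before that action runs (and yyerror() does not abort the parse), the values survive and are applied to the next "check program" statement in the file. Keeping them in the service-creation context (the programset struct mentioned in the reply) or resetting them in createservice() closes that path.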
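Review bot: in the p.y hunk at line 485, the `| uid` and `| gid` alternatives added to the program option list are the existing `uid`/`gid` nonterminals (backed by helpers such as the addgid() declared above), not the new `puseroption` rule, so as written they let a "check program" block accept the existing uid/gid check syntax rather than the new run-as option. If this is a leftover from an earlier attempt it should be dropped; if intended, the hunk needs a comment saying what a uid check means for a program service.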
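Review bot: in the p.y hunk at line 864, the new CHECKPROGRAM alternative duplicates check_exec($4) and createservice() from the rule directly above it, and because progadduid()/progaddgid() run after createservice(), a non-root monit reports "requires root privileges" only once the service already exists. Suggest one rule with an optional option list (an `optpuseroptionlist` nonterminal with an empty alternative) and doing the getuid() check before createservice(), or raising the error in puseroption itself, at the token that caused it.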
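Review bot: in the puseroption hunk (p.y line 1752), `puseroptionlist : puseroption | puseroptionlist puseroption` accepts any number of repeated options, so `uid 1000 uid 1001` silently keeps the last value; consider rejecting a second UID or GID with yyerror(). Also, because 0 doubles as "not set" (`if (luid)` in the CHECKPROGRAM action), an explicit gid 0 is dropped without notice; that convention deserves a comment on the new programuid/programgid struct fields.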
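Review bot: typo in the progadduid() hunk (p.y line 2970): the yyerror() message reads "privleges". Copy the wording of the existing message (`yyerror("gid statement requires root privileges")`), and since this option is not the existing "uid statement", naming it after the option ("check program uid requires root privileges") keeps the two apart in logs.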
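Review bot: in the validate.c hunk, DEBUG() prints s->programuid and s->programgid with %i, but uid_t and gid_t are unsigned on Linux and the BSDs, so ids above INT_MAX print as negative numbers; cast to unsigned long and use %lu. The line also fires every time the Command is rebuilt, so consider emitting it only when one of the ids is actually set.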
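The privilege-drop sequence that the patch reorders in Command.c, together with the supplementary-group step the cover mail lists as a caveat, as an added example that is not monit code and not part of the patch: drop_privileges() and run_as() are names of this example's own, and it assumes a Linux or BSD libc that provides setgroups(). The order is the whole point: supplementary groups first, then setgid(), then setuid(), then a check that root cannot be regained.

```c
/* Added example (not monit code): drop root to a target uid/gid before
 * running an external check program. Order matters: supplementary groups
 * first, then gid, then uid, then verify that root cannot be regained.
 * Function names (drop_privileges, run_as) are this example's own. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* makes <grp.h> declare setgroups() on glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifdef __linux__
/* Same prototype glibc uses; repeated here in case strict-ISO flags hide it. */
extern int setgroups(size_t size, const gid_t *list);
#endif

/* Returns 0 when the process now runs as uid/gid with no leftover root
 * privilege, -1 (errno set) otherwise. A non-root caller can only "drop"
 * to the ids it already has, mirroring the "requires root privileges"
 * check the patch adds to the parser. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (getuid() != 0) {
        if (uid == getuid() && gid == getgid())
            return 0;
        errno = EPERM;
        return -1;
    }
    /* 1. Supplementary groups: setgid() does not touch them, so a child of
     *    a root daemon would otherwise keep gid 0 (and wheel, adm, ...) and
     *    could still write files that are group-writable by root. */
    if (setgroups(0, NULL) != 0)
        return -1;
    /* 2. gid before uid: after setuid() to an unprivileged user, setgid()
     *    fails with EPERM. This is the reorder the monit patch makes. */
    if (setgid(gid) != 0)
        return -1;
    /* 3. setuid() called as root sets real, effective and saved uid, so the
     *    drop is permanent. */
    if (setuid(uid) != 0)
        return -1;
    /* 4. Verify: if we can still become root, the drop did not happen. */
    if (uid != 0) {
        if (setuid(0) == 0) {
            errno = EPERM;
            return -1;
        }
        if (getuid() != uid || geteuid() != uid ||
            getgid() != gid || getegid() != gid) {
            errno = EPERM;
            return -1;
        }
    }
    return 0;
}

/* Fork, drop privileges in the child and exec the program. Returns the
 * child's exit status, or -1 on fork/wait failure. A failed drop makes the
 * child exit instead of running the program as root. */
int run_as(const char *path, uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0) {
            fprintf(stderr, "cannot drop privileges to %lu/%lu: %s\n",
                    (unsigned long)uid, (unsigned long)gid, strerror(errno));
            _exit(127);
        }
        execl(path, path, (char *)NULL);
        _exit(127);   /* exec failed: report the same way as a failed drop */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s /path/to/program uid gid\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);
    int rc = run_as(argv[1], uid, gid);
    printf("%s exited with status %d\n", argv[1], rc);
    return rc == 0 ? 0 : 1;
}
```

Run as root with a target uid and gid to see the child's ids after the drop; run as an ordinary user it accepts only the caller's own ids, the same rule the patch enforces in the parser. The exit status 127 for a failed drop or a failed exec lets a caller tell "did not run" from "ran and failed".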
From: Jan-Henrik Haukeland
Date: Fri, 16 Mar 2012 08:11:01 +0100
Subject: Re: [monit-dev] "check program" change uid preliminary patch

Hi

Looks like a fine start to me. Thanks for the work. It should be possible to avoid the global stuff and use the local struct myprogram programset object. I'll take a look and add the refactored patch.
From: Michael Shigorin
Date: Fri, 16 Mar 2012 13:23:20 +0200
Subject: Re: [monit-dev] "check program" change uid preliminary patch

On Thu, Mar 15, 2012 at 08:11:26PM -0800, Leif Gustafson wrote:
> Like I said, this is just a preliminary patch/brainstorming exercise.

I might ask Openwall folks what they think of monit in general, and they have a habit of privsep.
--
WBR, Michael Shigorin
Linux.Kiev http://www.linux.kiev.ua/
From: Igor Homyakov
Date: Fri, 16 Mar 2012 16:14:44 +0400
Subject: Re: [monit-dev] "check program" change uid preliminary patch

Hi guys,

Is it really necessary to re-implement su/sudo functionality? I don't think so. From my point of view we've got over-engineering here. I believe that su developers are smart enough to deal with security/race issues.

So "check program su username -c command" is a more secure, more flexible and simpler way to do that.

Kind regards
Igor Homyakov
From: Leif Gustafson
Date: Fri, 16 Mar 2012 10:24:51 -0800
Subject: Re: [monit-dev] "check program" change uid preliminary patch

That's a very good point. The problem now is that the argument to "check program" is only allowed to be a single executable file. That's already an annoying limitation, and if it were fixed we'd be able to just use su directly as you suggested.
From: Thomas Petazzoni
Date: Wed, 21 Mar 2012 15:42:57 +0100
Organization: Free Electrons
Subject: [monit-dev] [PATCH] configure.ac: support cross-compilation

configure.ac: support cross-compilation

The libmonit/configure.ac file does two checks using the AC_RUN_IFELSE autoconf macro. Unfortunately, this macro requires *executing* a program, which is not possible when doing cross-compilation (since the machine on which the program will run is not the same as the build machine).

Therefore, we enclose those AC_RUN_IFELSE tests in an AC_CACHE_CHECK so that people doing cross-compilation can pass libmonit_cv_setjmp_available=yes and libmonit_cv_vsnprintf_c99_conformant=yes if they know their target machine has support for those features.

If no value is passed and we're cross-compiling, the configure script aborts with an error. If no value is passed and we're not cross-compiling, then the normal AC_RUN_IFELSE test is conducted, which aborts the configure script if the feature is not available.

Signed-off-by: Thomas Petazzoni

Index: monit-5.3.2/libmonit/configure.ac
===================================================================
--- monit-5.3.2.orig/libmonit/configure.ac
+++ monit-5.3.2/libmonit/configure.ac
@@ -100,16 +100,33 @@ # ------------------------------------------------------------------------ # Require a working setjmp -AC_RUN_IFELSE([AC_LANG_PROGRAM([[#include ]], - [[jmp_buf env; setjmp(env);]])], - [], [AC_MSG_FAILURE([setjmp is required])]) +AC_CACHE_CHECK([setjmp is available],[libmonit_cv_setjmp_available], + [ + AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[#include ]], + [[jmp_buf env; setjmp(env);]])], + [ + AC_MSG_RESULT(yes) + ],[ + AC_MSG_FAILURE([setjmp is required]) + ],[ + AC_MSG_ERROR(cross-compiling: please set 'libmonit_cv_setjmp_available') + ])]) # Require that we have vsnprintf that conforms to c99. I.e. does bounds check -AC_RUN_IFELSE([AC_LANG_PROGRAM([[#include +AC_CACHE_CHECK([vsnprintf is c99 conformant],[libmonit_cv_vsnprintf_c99_conformant], + [ + AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[#include #include ]], -[[char t[1]; va_list ap; int n = vsnprintf(t, 1, "hello", ap); if(n == 5) return 0;return 1;]])], -[], [AC_MSG_FAILURE([vsnprintf does not conform to c99])]) - + [[char t[1]; va_list ap; int n = vsnprintf(t, 1, "hello", ap); if(n == 5) return 0;return 1;]])], + [ + AC_MSG_RESULT(yes) + ],[ + AC_MSG_FAILURE([vsnprintf does not conform to c99]) + ],[ + AC_MSG_ERROR(cross-compiling: please set 'libmonit_cv_vsnprintf_c99_conformant') + ])]) # ------------------------------------------------------------------------ # Architecture/OS -- Thomas Petazzoni, Free Electrons Kernel, drivers, real-time and embedded Linux development, consulting, training and support. 
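Review bot: neither new AC_CACHE_CHECK block in this hunk ever assigns the cache variable it is named after (libmonit_cv_setjmp_available / libmonit_cv_vsnprintf_c99_conformant), so the result is not actually cached and, more importantly, a value the cross-compiling user passes in is never examined: `libmonit_cv_setjmp_available=no` skips the test exactly like `=yes` and configure carries on. In the action-if-true set `libmonit_cv_setjmp_available=yes` (and `=no` in the action-if-false) instead of calling AC_MSG_RESULT(yes), which AC_CACHE_CHECK already prints on its own (as written the output shows a doubled "yes"), then test the variable after the macro: `AS_IF([test "x$libmonit_cv_setjmp_available" != xyes], [AC_MSG_FAILURE([setjmp is required])])`. The same applies to the vsnprintf block.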
http://free-electrons.com
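The cache-variable pattern the commit message describes, as an added example that is not the submitted patch: the same setjmp test wrapped so the cache variable is set by the test, honoured when preset on the configure command line, and enforced afterwards. The macro names are standard autoconf; the check message and error wording are this example's own.

```m4
# Added example (not the monit patch): a cross-compilation-aware setjmp
# check. AC_CACHE_CHECK runs the commands only when the cache variable is
# unset, then prints its value, so the commands must assign it.
AC_CACHE_CHECK([whether setjmp works], [libmonit_cv_setjmp_available],
  [AC_RUN_IFELSE(
     [AC_LANG_PROGRAM([[#include <setjmp.h>]],
                      [[jmp_buf env; setjmp(env);]])],
     [libmonit_cv_setjmp_available=yes],
     [libmonit_cv_setjmp_available=no],
     [AC_MSG_ERROR([cross-compiling: set libmonit_cv_setjmp_available=yes or =no])])])
# Enforce the result outside the cache block, so a preset value is honoured too.
AS_IF([test "x$libmonit_cv_setjmp_available" != xyes],
      [AC_MSG_FAILURE([setjmp is required])])
```

A cross-compiling user then runs something like `./configure --host=<triplet> libmonit_cv_setjmp_available=yes`; with this shape a preset `=no` fails configure as it should, and a native run records its answer in config.cache when `--config-cache` is used.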
From: Martin Pala
Date: Thu, 29 Mar 2012 13:21:37 +0200
Subject: Re: [monit-dev] [PATCH] configure.ac: support cross-compilation

Hi Thomas,

thanks for the patch, it was added to the next Monit release.

Best regards,
Martin