
Hobbit SUID's



I'm installing Hobbit for a client where root access is not available, and having SUID files is on an as-needed basis (as-needed as in "this app simply won't function without it"), and even then only after having a darn good reason and approval from Infosec after they audit the code.

As such, I am installing Hobbit as a normal user and get the following errors when I do "make install":

chown 0 /users/monitor/local/hobbit/client/bin/logfetch /users/monitor/local/hobbit/client/bin/clientupdate || echo ""
chown: changing ownership of `/users/monitor/local/hobbit/client/bin/logfetch': Operation not permitted
chown: changing ownership of `/users/monitor/local/hobbit/client/bin/clientupdate': Operation not permitted
chgrp 0 /users/monitor/local/hobbit/client/bin/logfetch /users/monitor/local/hobbit/client/bin/clientupdate || echo ""
chgrp: changing group of `/users/monitor/local/hobbit/client/bin/logfetch': Operation not permitted
chgrp: changing group of `/users/monitor/local/hobbit/client/bin/clientupdate': Operation not permitted


(There were also errors for "hobbitping", which I understand why that needs to be SUID.)

Can you tell me if these (logfetch and clientupdate) absolutely require being SUID root?

I believe logfetch does not, provided that the user that hobbit is running as has permissions to read the specified files. It's a lot easier to get the security ninjas to do "chmod o+r /var/log/messages" than it is to convince them to SUID "some code you downloaded off the internet".

What about "clientupdate"? What does it do, and what does it use root access for?

*pause for RTFM* Okay, I just read the logfetch and clientupdate man pages, which seem to have answered those questions. I will post it here for anyone else who was wondering the same thing:
---snip---
SUID ROOT INSTALLATION
logfetch may be installed with suid-root privileges. This allows Hobbit
to monitor logfiles regardless of any access restrictions there may be
in place for these files.


If logfetch is not installed suid-root, it will of course only be able
to monitor logs that it has read-access to. But logfetch will function
without suid-root privileges.


For security reasons, logfetch drops all root privileges except when
opening logfiles. In particular, logfetch will not perform
directory-utilization scannings via the "du" command with root
privileges, since an external command is used. It is therefore believed
to be safe to install logfetch as suid-root.


Note that if you choose to install logfetch with suid-root privileges,
then the clientupdate utility will also need suid-root privileges, or
these will be lost after an automated update of the client.


When installing the new client software, any suid-root permissions
set for the logfetch(1) utility were lost. The final step is to
re-establish the suid-root privileges for the logfetch utility, by
running the new clientupdate utility with the "--suid-setup" option.
This sets the logfetch utility to suid-root, if possible.


SUID-ROOT OPERATION
clientupdate will attempt to perform some operations with root
privileges, as described above. However, if it was not installed as
suid-root initially, these operations will fail. This does not prevent
clientupdate or the Hobbit client from working - it just means that
permissions needed by the Hobbit client will have to be managed
manually, eg. you may need to modify permissions for logfiles such that
the logfetch(1) utility can read them to check the logs. The Hobbit
client is fully capable of running without any special privileges.
---snip---


So, correct me if I am wrong about any of these statements:
1. The ONLY hobbit binary that MUST be SUID root is "hobbitping" (because only root can send ICMP ECHO packets).
2. "logfetch" is SUID root for ease of monitoring root-owned logfiles. It does not need to be SUID if the monitored files are readable by the hobbit user.
3. "clientupdate" is SUID in order to restore the SUID bit of "logfetch", when a client update is rolled out via the automated mechanism.


I should be able to convince the security folks to SUID hobbitping. Is there anything special about hobbitping itself, or can "fping" be used as a replacement?

The only other comment I have is, since the man page specifically says that logfetch and clientupdate do not need to be SUID, either "make install" should not fail because of the chown errors, or there should be a --no-suid option to tell the installer not to attempt to make those SUID.
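
The man page excerpt quoted in this message says logfetch holds root only while opening logfiles and never runs "du" with root privileges. The following C code is an added illustration of that bracketing pattern; it is not part of the original post and is not taken from the Hobbit source. The function names (priv_init, open_log, priv_drop_permanently) are hypothetical, and it assumes a binary installed setuid root.

```c
/* Added illustration; not taken from the Hobbit source tree. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

static uid_t real_uid, priv_uid;

/* Call first: remember the setuid identity, then run as the invoking user. */
int priv_init(void)
{
    real_uid = getuid();
    priv_uid = geteuid();        /* 0 when the binary is installed setuid root */
    return seteuid(real_uid);    /* saved set-user-ID still holds priv_uid */
}

/* Open a logfile read-only, elevated only for the duration of open(). */
int open_log(const char *path)
{
    int fd, saved;

    if (seteuid(priv_uid) != 0)
        return -1;
    fd = open(path, O_RDONLY | O_NOCTTY);
    saved = errno;
    if (seteuid(real_uid) != 0 || geteuid() != real_uid)
        _exit(111);              /* never continue with privileges still raised */
    errno = saved;
    return fd;
}

/* Give up the setuid-root identity for good, e.g. before exec'ing "du". */
int priv_drop_permanently(void)
{
    /* As root, setuid() resets real, effective and saved IDs together. */
    if (seteuid(priv_uid) != 0 || setgid(getgid()) != 0 || setuid(real_uid) != 0)
        return -1;
    /* If the old identity can still be regained, the drop did not work. */
    if (priv_uid != real_uid && seteuid(priv_uid) == 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (priv_init() != 0) return 1;
    int fd = open_log(argc > 1 ? argv[1] : "/var/log/messages");
    printf("open: %s, euid now %ld\n", fd >= 0 ? "ok" : "failed", (long)geteuid());
    return priv_drop_permanently() == 0 ? 0 : 1;
}
```

Run without the setuid bit, the same code behaves as the man page describes for a non-suid install: open_log succeeds only for files the invoking user can already read.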