Hobbit SUID's

Charles Jones jonescr at cisco.com
Sun Jun 4 18:26:04 CEST 2006


I'm installing Hobbit for a client where root access is not available, 
and having SUID files is on an as-needed basis (as-needed as in "this 
app simply won't function without it"), and even then only after having a 
darn good reason and approval from Infosec after they audit the code.

As such, I am installing Hobbit as a normal user and get the following 
errors when I do "make install"

chown 0 /users/monitor/local/hobbit/client/bin/logfetch /users/monitor/local/hobbit/client/bin/clientupdate || echo ""
chown: changing ownership of `/users/monitor/local/hobbit/client/bin/logfetch': Operation not permitted
chown: changing ownership of `/users/monitor/local/hobbit/client/bin/clientupdate': Operation not permitted
chgrp 0 /users/monitor/local/hobbit/client/bin/logfetch /users/monitor/local/hobbit/client/bin/clientupdate || echo ""
chgrp: changing group of `/users/monitor/local/hobbit/client/bin/logfetch': Operation not permitted
chgrp: changing group of `/users/monitor/local/hobbit/client/bin/clientupdate': Operation not permitted

(There were also errors for "hobbitping", which I understand why that 
needs to be SUID.)

Can you tell me if these (logfetch and clientupdate) absolutely require 
being SUID root?

I believe logfetch does not, provided that the user that hobbit is 
running as has permissions to read the specified files. It's a lot 
easier to get the security ninjas to do "chmod o+r /var/log/messages" 
than it is to convince them to SUID "some code you downloaded off the 
internet".

What about "clientupdate"? What does it do, and what does it use root 
access for?

*pause for RTFM* Okay, I just read the logfetch and clientupdate man 
pages, which seem to have answered those questions. I will post it here 
for anyone else who was wondering the same thing:
---snip---
SUID ROOT INSTALLATION
       logfetch may be installed with suid-root privileges. This allows Hobbit
       to  monitor logfiles regardless of any access restrictions there may be
       in place for these files.

       If logfetch is not installed suid-root, it will of course only be  able
       to  monitor logs that it has read-access to. But logfetch will function
       without suid-root privileges.

       For security reasons, logfetch drops all root  privileges  except  when
       opening  logfiles.  In particular, logfetch will not perform directory-
       utilitation scannings via the "du" command with root privileges,  since
       an  external  command  is  used. It is therefore believed to be safe to
       install logfetch as suid-root.

       Note that if you choose to install logfetch with suid-root  privileges,
       then  the  clientupdate utility will also need suid-root privileges, or
       these will be lost after an automated update of the client.

              When  installing  the new client software, any suid-root permis-
              sions set for the logfetch(1) utility were lost. The final  step
              is  to  re-establish  the  suid-root privileges for the logfetch
              utility, by  running  the  new  clientupdate  utility  with  the
              "--suid-setup"  option.  This sets the logfetch utility to suid-
              root, if possible.

SUID-ROOT OPERATION
       clientupdate will attempt to perform some operations with  root  privi-
       leges,  as  described  above. However, if it was not installed as suid-
       root initially, these operations  will  fail.  This  does  not  prevent
       clientupdate  or  the  Hobbit  client from working - it just means that
       permissions needed by the Hobbit client will have to be  managed  manu-
       ally, eg. you may need to modify permissions for logfiles such that the
       logfetch(1) utility can read them to check the logs. The Hobbit  client
       is fully capable of running without any special privileges.
---snip---

So, correct me if I am wrong about any of these statements:
1. The ONLY hobbit binary that MUST be SUID root is "hobbitping" 
(because only root can send ICMP ECHO  packets).
2. "logfetch" is SUID root for ease of monitoring root-owned logfiles. 
It does not need to be SUID if the monitored files are readable by the 
hobbit user.
3. "clientupdate" is SUID in order to restore the SUID bit of 
"logfetch", when a client update is rolled out via the automated mechanism.

I should be able to convince the security folks to SUID hobbitping. Is 
there anything special about hobbitping itself, or can "fping" be used 
as a replacement?

The only other comment I have is, since the man page specifically says 
that logfetch and clientupdate do not need to be SUID, either "make 
install" should not fail because of the chown errors, or there should be 
a --no-suid option to tell the installer not to attempt to make those SUID.
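
An added example, not part of the original post and not Hobbit's own code: a small audit script for the non-SUID setup the quoted man page describes. It reports whether logfetch and clientupdate carry the SUID bit and which log files the monitoring user cannot read on its own. The function names are hypothetical; the install path in the usage comment is the one from the post.

```shell
#!/bin/sh
# Added example (not Hobbit code): audit a client installed without root.

# Print "suid-root", "suid-other", "plain" or "missing" for one file.
classify_binary() {
    [ -e "$1" ] || { echo missing; return 0; }
    if [ -u "$1" ]; then
        # The numeric owner uid is the third field of "ls -ln".
        owner=$(ls -lnd "$1" | awk '{print $3}')
        if [ "$owner" = 0 ]; then echo suid-root; else echo suid-other; fi
    else
        echo plain
    fi
}

# Print every log path the invoking user cannot read (or that is missing).
unreadable_logs() {
    for log in "$@"; do
        [ -r "$log" ] || echo "$log"
    done
}

# audit_client BINDIR LOG...
# Reports the SUID state of the two client tools and lists the logs that
# need a permission change. Returns 1 when a log is unreadable and
# logfetch is not suid-root, i.e. when that log would go unmonitored.
audit_client() {
    bindir=$1; shift
    for tool in logfetch clientupdate; do
        echo "$tool: $(classify_binary "$bindir/$tool")"
    done
    blocked=$(unreadable_logs "$@")
    [ -z "$blocked" ] && return 0
    echo "not readable by uid $(id -u):"
    echo "$blocked" | sed 's/^/  /'
    [ "$(classify_binary "$bindir/logfetch")" = suid-root ]
}

# Run as the monitoring user, for example:
#   sh audit.sh /users/monitor/local/hobbit/client/bin /var/log/messages
if [ $# -gt 0 ]; then
    audit_client "$@"
fi
```

A non-zero exit status means at least one listed log needs its permissions changed before a non-SUID logfetch can monitor it.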


