socket

Pavel Kankovsky peak at kerberos.troja.mff.cuni.cz
Thu Sep 3 16:39:29 CEST 1998


On Thu, 3 Sep 1998, Petr Stanek wrote:

> Where can opening a socket be allowed for a non-root user?

Depends on which one.
> 
> [0 snek na penguin sbin]$ ./netwatch
> Can't get socket: : Operation not permitted
> [1 snek na penguin sbin]$

i assume it does something like socket(..., SOCK_RAW,...)
for understandable reasons that is not allowed to everyone (unlike, say,
socket(..., SOCK_STREAM,...)), but on planet unix there live only two kinds
of inhabitants: roots and non-roots (1), so it is allowed only to roots... :)

enough humor: there is a witty patch, which was in Phrack number 51 or so,
that allows non-roots to do such things as well, provided they have the right
gid (i am attaching a version from which everything that does not belong there
has been gutted); another option is to jump to 2.1.x for sufficiently high x,
where it should be a special "capability" (2)

what the others suggested (chmod u+s (3)) is also possible, but somewhat
risky if one cannot rely on the absolute trustworthiness of all
users


--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"You can't be truly paranoid unless you're sure they have already got you."


(1) Czech: ko\v{r}eni a neko\v{r}eni (roots and non-roots)
(2) not to be confused with real capabilities, such as those in KeyKOS
(3) root must be the owner of that file


----[  The Patches

GID split privilege patch
-------------------------------
Tested on:  2.0.30 +
Author:     Original version DaveG, updated for 2.0.33 by route

    From the documentation accompanying Dave's original patch:
This is a simple kernel patch that allows you to perform certain
privileged operations without requiring root access.  With this patch
three groups become privileged groups allowed to do different operations
within the kernel.

GID 16 : a program running with group 16 privileges can bind to a port
         < 1024.  This allows programs like: rlogin, rcp, rsh, and ssh
         to run setgid 16 instead of setuid 0(root).  This also allows
         servers that need to run as root to bind to a privileged port
         like named, to also run setgid 16.

GID 17 : any program running under GID 17 privileges will be able to
         create a raw socket.  Programs like ping and traceroute can now
         be made to run setgid 17 instead of setuid 0(root).

GID 18 : This group is for SOCK_PACKET.  This isn't useful for most people,
         so if you don't know what it is, don't worry about it.

Limitations
-----------
Since this is a simple patch, it is VERY limited.  First of all, there
is no support for supplementary groups.  This means that you can't stack
these privileges.  If you need GID 16 and 17, there isn't much you can do
about it.



----[  Installation 


    This patchfile has been tested and verified to work against the latest
stable release of the linux kernel (as of this writing, 2.0.33).  It should
work against other 2.0.x releases as well with little or no modification.  THIS
IS NOT A GUARANTEE!  Please do not send me your failed patch logs from older
kernels.  Take this as a perfect opportunity to upgrade your kernel to the
latest release.  Note that several of these patches are for X86-Linux only.
Sorry.

1.  Create the symlink:

        `cd /usr/src`
        `ln -s linux-KERNEL_VERSION linux-stock`

2.  Apply the kernel patch:

        `patch < slinux.patch >& patch.err`

2a. Examine the error file for any failed hunks.  Figure where you went wrong
    in life:

        `grep fail patch.err`

3.  Configure your kernel:

        `make config` OR `make menuconfig` OR `make xconfig`

4.  You will need to enable prompting for experimental code in your kernel and
    turn on the patches individually.

5.  To configure the split GID privilege patch, add the following to your
    /etc/group file:

        `cat >> /etc/group`
          priv_port::16:user1,user2,user3
          raw_sock::17:user1,user2
          sock_pak::18:user2,user3
        ^D

    Where `userx` are the usernames of the users you wish to give these
    permissions to.  Next, fix the corresponding group and permissions on the 
    binaries you wish to strip root privileges from:

        `chgrp raw_sock /bin/ping`
        `chmod 2755 /bin/ping`



----[  The patchfile


    This patchfile should be extracted with the Phrack Magazine Extraction
Utility included in this (and every) issue.

<++> slinux.patch
diff -ru linux-stock/Documentation/Configure.help linux-patched/Documentation/Configure.help
--- linux-stock/Documentation/Configure.help	Fri Sep  5 20:43:58 1997
+++ linux-patched/Documentation/Configure.help	Mon Nov 10 22:02:36 1997
@@ -720,6 +720,16 @@
   later load the module when you install the JDK or find an interesting
   Java program that you can't live without.
 
+Split Network Groups (EXPERIMENTAL)
+CONFIG_SPLIT_GID  
+  This is a simple kernel patch that allows you to perform certain
+  privileged operations with out requiring root access.  With this patch
+  three groups become privileged groups allowed to do different operations
+  within the kernel.
+  GID 16 allows programs to bind to privledged ports.
+  GID 17 allows programs to open raw sockets.
+  GID 18 allows programs to open sock packets.
+
 Processor type
 CONFIG_M386
   This is the processor type of your CPU. It is used for optimizing
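Review bot: the CONFIG_SPLIT_GID help entry does not tell the person configuring the kernel that the three GIDs are fixed at 16, 17 and 18, or that only the effective GID is consulted, and those two facts decide whether the option is safe to enable on a given system. Add both to the help text, and correct "with out" and "privledged" while there.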
--- linux-stock/arch/i386/config.in	Sun May 12 21:17:23 1996
+++ linux-patched/arch/i386/config.in	Sun Nov  9 12:38:27 1997
@@ -35,6 +35,7 @@
 tristate 'Kernel support for ELF binaries' CONFIG_BINFMT_ELF
 if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
   tristate 'Kernel support for JAVA binaries' CONFIG_BINFMT_JAVA
+  bool '   Split Network GIDs (EXPERIMENTAL)' CONFIG_SPLIT_GID
 fi
 bool 'Compile kernel as ELF - if your GCC is ELF-GCC' CONFIG_KERNEL_ELF
 
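Review bot: the bool is added to arch/i386/config.in, directly under the JAVA binfmt entry, although the code it controls is in net/ipv4/af_inet.c. Moving it to the networking options would make it available on every architecture and put it where someone reviewing network privileges would look for it.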
diff -ru linux-stock/arch/i386/defconfig linux-patched/arch/i386/defconfig
--- linux-stock/arch/i386/defconfig	Mon Sep 22 13:44:01 1997
+++ linux-patched/arch/i386/defconfig	Sun Nov  9 12:38:23 1997
@@ -24,6 +24,7 @@
 CONFIG_SYSVIPC=y
 CONFIG_BINFMT_AOUT=y
 CONFIG_BINFMT_ELF=y
+CONFIG_SPLIT_GID=y
 CONFIG_KERNEL_ELF=y
 # CONFIG_M386 is not set
 # CONFIG_M486 is not set
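Review bot: CONFIG_SPLIT_GID=y in defconfig switches on by default an option labelled EXPERIMENTAL that relaxes the root-only checks for raw sockets and privileged ports. Leave it unset here ("# CONFIG_SPLIT_GID is not set") so that it has to be chosen deliberately.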
diff -ru linux-stock/net/ipv4/af_inet.c linux-patched/net/ipv4/af_inet.c
--- linux/net/ipv4/af_inet.c	Fri Aug 15 12:23:23 1997
+++ linux-stock/net/ipv4/af_inet.c	Mon Dec 29 18:05:29 1997
@@ -111,6 +111,15 @@
 
 #define min(a,b)	((a)<(b)?(a):(b))
 
+#ifdef  CONFIG_SPLIT_GID
+/* 
+ *  Priveleged group ids
+ */
+#define PROT_SOCK_GID   16
+#define RAW_SOCK_GID    17
+#define PACKET_SOCK_GID 18
+#endif  /* CONFIG_SPLIT_GID */
+
 extern struct proto packet_prot;
 extern int raw_get_info(char *, char **, off_t, int, int);
 extern int snmp_get_info(char *, char **, off_t, int, int);
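Review bot: PROT_SOCK_GID, RAW_SOCK_GID and PACKET_SOCK_GID are hard-coded to 16, 17 and 18, so a system whose /etc/group already uses those numbers for something else hands out these privileges as soon as the option is enabled. Make the values configurable, or at least have the installer check for collisions first. The file header of this diff also names linux/ and linux-stock/ where the other files use linux-stock/ and linux-patched/, and "Priveleged" in the comment is misspelled.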
@@ -435,8 +444,26 @@
 		sk->no_check = UDP_NO_CHECK;
 		prot=&udp_prot;
 	} else if(sock->type == SOCK_RAW || sock->type == SOCK_PACKET) {
+#ifdef  CONFIG_SPLIT_GID
+                /*
+                 *  If we are not the super user, check to see if we have the
+                 *  corresponding special group priviledge.
+                 */ 
+                if (!suser())
+                {
+                    if (sock->type == SOCK_RAW && current->egid != RAW_SOCK_GID)
+                    {
+                        goto free_and_badperm;
+                    }
+                    else if (sock->type == SOCK_PACKET && current->egid != PACKET_SOCK_GID)
+                    {
+                        goto free_and_badperm;
+                    }
+                }
+#else
 		if (!suser()) 
 			goto free_and_badperm;
+#endif  /* CONFIG_SPLIT_GID */
 		if (!protocol) 
 			goto free_and_noproto;
 		prot = &raw_prot;
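Review bot: the new check in the SOCK_RAW / SOCK_PACKET branch compares only current->egid, so a process that has group 17 or 18 merely as a supplementary group is still refused, and a process needing both raw and packet sockets cannot be expressed at all. If that is intended, say so in the comment; otherwise test the supplementary group list as well. The added lines are also indented with spaces while the surrounding code uses tabs.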
@@ -621,7 +648,11 @@
 	if (snum == 0) 
 		snum = sk->prot->good_socknum();
         if (snum < PROT_SOCK) {
+#ifdef  CONFIG_SPLIT_GID
+		if (!suser() && current->egid != PROT_SOCK_GID) 
+#else
 		if (!suser()) 
+#endif  /* CONFIG_SPLIT_GID */
 		return(-EACCES);
 		if (snum == 0)
 			return(-EAGAIN);
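Review bot: in the snum < PROT_SOCK check the #ifdef selects between two if headers that share a single unbraced return(-EACCES); written at the same indent as the if, which makes the control flow easy to misread and easy to break in a later edit. Move the test into one helper or macro whose body depends on CONFIG_SPLIT_GID and brace the return. Note also that GID 16 opens every port below PROT_SOCK at once, with no way to grant a single port.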
<-->


----[  EOF





