I have finally read the to do list

Richard Lightman richard at reika.demon.co.uk
Thu Jan 18 05:48:23 PST 2001


Misquoted from Matthias Benkmann on 2001/01/17 at 22:28 +0000:
> 
> > I have an extra level of confusion: Packages are compiled by $build_user,
> > and installed by $install_user. That way some sneaky things cannot be done
> > during configure/make. $build_user has no special privileges. $install_user
> > needs to be in a group with write access all over the place.
> 
> This doesn't add any security. It is the "make install" that is dangerous, 
> not the actual build. And you don't get around doing that as some kind of 
> privileged user. Besides, the write access you're talking about is 
> extremely limited. If I do
> 
> "su sed -c 'rm -r /'"
> 
> I end up with my sed being deleted but that's all.

I could modify a package so that a payload of nasties is installed
by running 'configure' or 'make' as a privileged user. By doing these
steps as an unprivileged user, I only have to worry about misbehaviour
from 'make install', and the programs that it installs.

The benefit of this extra level of confusion is very small, but it
only costs you three lines of script. (It cost me far too much time
to find out exactly what was required.) It will also make my life
easier as I code parallel building, and 'which package installed
which trojan' logging.

>  
> > The source tarballs often come with unusual owners, groups and permissions.
> > These commands should fix things:
> > 
> > chown -R ${build_user}.bin . || echo broken links
> > find . -perm -200 -exec chmod g+w '{}' \;
> > find . -perm -100 -exec chmod g+x '{}' \;
> 
> What exactly do you want to achieve? The chown is not necessary as 
> unpacking the tarball automatically assigns ownership to the unpacker if 
> it is not root. And I don't see a reason for the 2 finds, either. Why do 
> you want the group bin to have extra permissions?
> 
Goals:
1) Unpack the sources from package.tar.bz2 to $BUILDDIR
2) Give $build_user just enough authority to 'configure' and 'make'
3) Give $install_user enough authority to 'make install'
4) 'bzip -cd package.tar.bz2 | ...' only once
5) Do not store a temporary copy of package.tar
6) Do not rely on package-1.2.3-tar.bz2 unpacking to ./package-1.2.3/

Problems:
1) The owners of the files specified by package.tar are often useless.
2) The group and world permissions specified by package.tar are
   often not sufficient to 'configure', 'make' and 'make install'
   the package.

Assumptions:
1) If the owner of a file in package.tar does not have read, write
   or execute permissions, then those permissions are not required
   for that file to 'configure', 'make' or 'make install' the package.
2) Any setuid, setgid or sticky bits mentioned in package.tar
   may be cleared.
3) The read access bit is set for either group or world when required.

Attempt 1:
$build_user fails to 'tar -x' because he does not have write
permission for $BUILDDIR.

Attempt 2:
unpack_user does the 'tar -x', but cannot chown -R. His primary
group is build_group, and $build_user is in build_group.
Use the 'find's above to give $build_user the authority he
needs to do his tasks, and put $install_user in group
build_group.

This could be done but it is even more complicated than my
solution, and I see no advantages to it.

Solution:
root does the 'tar -x', makes $build_user the owner of the tree,
and makes bin the group for everything in the tree. Group 'bin'
gets the write and execute permissions that $build_user has.
$install_user is in group bin, and I have modified the permissions
for many system directories. Eg:

/                    root.bin  3775 bin boot etc lib sbin
/                    root.root  750 root
/                    root.root  555 proc
/                    root.root  555 dev home mnt usr var
/                    root.root 1777 tmp

/usr                 root.bin  3775 bin include games lib libexec sbin share
/usr                 root.root  755 src local
/usr/share           root.bin  3775 dict doc info locale man nls misc terminfo zoneinfo
/usr/share/man       root.bin  3775 man{1,2,3,4,5,6,7,8}

/usr/local           root.bin  3775 bin include games lib libexec sbin share
/usr/local           root.root  755 src
/usr/local/share     root.bin  3775 dict doc info locale man nls misc terminfo zoneinfo
/usr/local/share/man root.bin  3775 man{1,2,3,4,5,6,7,8}

/var                 root.root  755 lock log run spool
/var                 root.root 1777 tmp

Richard
--
su sed -c 'ln -s /home/cracker/rootkit/bin/trojan /bin/bzip'
Do you type 'bzi<tab>' to uncompress archives?
