Re: setuid root problem
- Subject: Re: setuid root problem
- From: Duane Murphy <email@hidden>
- Date: Thu, 27 Aug 2009 15:50:34 -0700
Thanks for the response Terry.
As I noted, this tool is running from /Library/Frameworks. That's on
the system disk, so I expect that it's mounted with "suid". :-)
Even after I manually set the suid bits (user and group), MoreSecurity
still decided to put up the Authorization dialog. This means that the
tool was not running as root.
That's why I am so confused.
To review the statements:
- Is this a nosuid volume? No. This is the system volume, assuredly
mounted suid.
- Is this run from a script? No, the tool is run using fork/exec.
Thank you for the ideas.
...Duane
On Aug 27, 2009, at 3:35 PM, Terry Lambert wrote:
> On Aug 27, 2009, at 11:41 AM, Duane Murphy wrote:
>> We have a product that uses the older root tool helper process
>> from
>> MoreSecurity.
>>
>> We have installations of the product where the setuid-root bit
>> doesn't
>> seem to work. The program always asks for authentication (outside of
>> the 5 minute timeout period).
>>
>> The tool lives in a framework inside of /Library/Frameworks. On other
>> installations this works fine. On this installation, the setuid bit
>> seems to have no effect.
>>
>> The system is connected to Active Directory if that makes any
>> difference.
>>
>> What could be happening here? What situations would cause setuid-root
>> to fail to launch a tool as root?
>
> If you are using exactly the code in MoreSecurity, it specifically
> states that calling AuthorizationCopyRights() will result in a
> dialog because of the default rule in /etc/authorization.
>
> If you are running it from an FS with the "nosuid" mount option,
> then it won't launch SUID, even if those are the permissions (check
> the output of the "mount" command for the FS in question, but in
> general, any portable device like a thumb drive or any non-local
> device like an NFS FS will have "nosuid").
>
> If you are failing to call setuid(geteuid()) in the helper to set
> your saved, real and effective uid, the suid-ness will not be
> inherited by the child of the helper.
>
> If you are running a script instead of an actual binary, then the
> suid will always be ignored, unless the interpreter you are running
> it under is itself suid and capable of enforcing for/against suid-
> ness of the script (and it takes responsibility for the security
> when it does this; an example is suidperl).
>
> -- Terry