httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Igor Galić <i.ga...@brainsware.org>
Subject Re: [users@httpd] Opening ErrorLog as root and overwriting any file on the system
Date Thu, 24 Nov 2011 19:06:51 GMT


----- Original Message -----
> Hi Igor,
> 
> I think you are wrong.
> 
> I wrote this simple program that does what I suggested:
> #include <sys/types.h>
> #include <unistd.h>
> #include <stdio.h>
> 
> int main(int argc, char** argv){
> 
> uid_t low_uid = 1000;
> uid_t high_uid = getuid();
> 
> seteuid(low_uid); // drop privilege
> const char* fileName="test.txt";
> FILE* file = fopen(fileName, "w");
> if(file == NULL){
> printf("File doesn't exist or you don't have the right to write
> it\n");
> exit(1);
> }
> seteuid(high_uid); // regain privilege
> chown(fileName, high_uid, high_uid);
> fclose(file);
> }
> 
> It drops temporarily root privileges and then gets them back.
> 
> This is its output:
> $ ls -l test.txt
> -rw-rw-r-- 1 slv slv 0 2011-11-24 19:17 test.txt
> $ sudo ./uid //this is what the program above is compiled to
> $ ls -l test.txt
> -rw-rw-r-- 1 root root 0 2011-11-24 19:17 test.txt
> $ ./uid
> File doesn't exist or you don't have the right to write it
> $ ls -l test.txt
> -rw-rw-r-- 1 root root 0 2011-11-24 19:17 test.txt
> 
> Best regards,
> Silviu


I was startled at first, but only because I didn't see exactly
what you were doing.

Fortunately I spend all day long on IRC, so rather thank actually
trying it out and thinking about it, I just asked ##posix:

19:31:41 < jMCg> so... setuid() works both ways?
19:31:45 < jMCg> How's that make sense?
19:34:41 < Wulf> what's the question?
19:37:19 < jMCg> Wulf: sec
19:38:14 < jMCg> Wulf: http://mail-archives.apache.org/mod_mbox/httpd-users/201111.mbox/%3cCAO7OZ=NAjM-_cA_w8WFXtF=WDwuShY-Vb3E+9utUoGqEDMncJg@mail.gmail.com%3e
19:38:38 < jMCg> This doesn't make sense to me, why is possible to *regain* privileges
once you dropped them?
19:42:41 < Wulf> saved user id
19:42:59 < woggle> jMCg: POSIX keeps track of three uids per process; the effective
UID, the real UID and the saved UID. Either the latter two can be copied into the 
                   first.
19:44:44 < woggle> You'll notice that the example that person gave did _not_ use setuid().
19:57:07 < jMCg> True.
19:57:17 < jMCg> woggle: I missed that in my mail client.

So long,

i

> 2011/11/24 Igor Galić < i.galic@brainsware.org >
> 
> 
> 
> 
> 
> ----- Original Message -----
> > > <DevilsAdvocate>
> > > What would it do when the file already exists and is owned by
> > > root?
> > > :)
> > > </DevilsAdvocate>
> > > 
> > > It is hard to distinguish between "file owned by root, but we
> > > should
> > > append to it" and "file owned by root and the admin made a
> > > mistake
> > > in
> > > the conf file". The former is the usual case when starting a
> > > server
> > > with pre-existing log files, the latter is the case you are
> > > trying
> > > to
> > > avoid.
> > > 
> > True. However, assuming that when Apache terminates, the owner of
> > the
> > error log is set to be ${APACHE_RUN_USER}, then the problem of not
> > being able to access the file manifests only on the first run.
> > <SillyIdea>
> > Dear httpd admin, the ${ErrorLog} file can be opened only by root.
> > Wanna continue?
> > If yes, raise privileges this time only. There's not going to be a
> > next time.
> 
> To repeat this again, just in case:
> 
> Privileges can only ever be *dropped*
> Privileges can *never* be raised. This is by design.
> 
> 
> > </SillyIdea>
> > 
> > All in all, I see your point. It's more of a maintenance issue.
> > 
> > Thanks for the answers,
> > Silviu
> > > Cheers
> > > 
> > > Tom
> > > 
> > > ---------------------------------------------------------------------
> > > The official User-To-User support forum of the Apache HTTP Server
> > > Project.
> > > See <URL: http://httpd.apache.org/userslist.html > for more info.
> > > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > > " from the digest: users-digest-unsubscribe@httpd.apache.org
> > > For additional commands, e-mail: users-help@httpd.apache.org
> > > 
> > 
> > 
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP Server
> > Project.
> > See <URL: http://httpd.apache.org/userslist.html > for more info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > " from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> > 
> > 
> 
> 
> --
> Igor Galić
> 
> Tel: +43 (0) 664 886 22 883
> Mail: i.galic@brainsware.org
> URL: http://brainsware.org/
> GPG: 6880 4155 74BD FD7C B515 2EA5 4B1D 9E08 A097 C9AE
> 
> 
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See <URL: http://httpd.apache.org/userslist.html > for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
> 
> 

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515  2EA5 4B1D 9E08 A097 C9AE


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message