Thread: Fwd: init scripts and su

Fwd: init scripts and su

From

Peter Eisentraut

Date:

06 August 2004, 03:41:15

For your amusement...

-- 
Peter Eisentraut
http://developer.postgresql.org/~petere/
The start scripts for some daemons do "su - user" or use
"start-stop-daemon -c" to launch the daemon, postgresql is one example.

During the time between the daemon launch and it closing it's file handles and 
calling setsid(2) (which some daemons don't do because they are buggy) any 
other code running in the same UID could take over the process via ptrace, 
fork off a child process that inherits the administrator tty, and then stuff 
characters into the keyboard buffer with ioctl(fd,TIOCSTI,&c) (*).

To address these issues for Fedora I have written a program named init_su.

init_su closes all file handles other than 1 and 2 (stdout and stderr).  File
handles 1 and 2 are fstat()'d, if they are regular files or pipes then they
are left open (no attack is possible through a file or pipe), otherwise they
are closed and /dev/null is opened instead.  /dev/null is opened for file
handle 0 regardless of what it might have pointed to previously.  Then
setsid() is called to create a new session for the process (make it a group
leader), this invalidates /dev/tty.  Then the uid is changed and the daemon
is started.


I have attached the source code to init_su, please check it out and tell me
what you think.  After the discussion concludes I will write a patch for 
start-stop-daemon to give similar functionality.


(*)  On system boot and shutdown there is no problem.  It's when the
administrator uses /etc/init.d/postgresql to start or stop the database that
there is potential for attack.


http://www.redhat.com/archives/fedora-devel-list/2004-July/msg01314.html

I have also started a similar discussion on the Fedora development list about 
this issue, see the above URL.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Re: Fwd: init scripts and su

From

Tom Lane

Date:

06 August 2004, 04:44:03

Peter Eisentraut <peter_e@gmx.net> writes:
> For your amusement...

> During the time between the daemon launch and it closing it's file
> handles and calling setsid(2) (which some daemons don't do because
> they are buggy) any other code running in the same UID could take over
> the process via ptrace, fork off a child process that inherits the
> administrator tty, and then stuff characters into the keyboard buffer
> with ioctl(fd,TIOCSTI,&c) (*).

(a) And there would be untrusted code running as postgres exactly why?

(b) Seems to me the real security bug here is the mere existence of that   ioctl call.
        regards, tom lane

Re: Fwd: init scripts and su

From

Christopher Kings-Lynne

Date:

06 August 2004, 04:53:44

>>During the time between the daemon launch and it closing it's file
>>handles and calling setsid(2) (which some daemons don't do because
>>they are buggy) any other code running in the same UID could take over
>>the process via ptrace, fork off a child process that inherits the
>>administrator tty, and then stuff characters into the keyboard buffer
>>with ioctl(fd,TIOCSTI,&c) (*).
> 
> 
> (a) And there would be untrusted code running as postgres exactly why?
> 
> (b) Seems to me the real security bug here is the mere existence of that
>     ioctl call.

I was asked on IRC just why we can't have user=postgres and 
group=postgres in the postgresql.conf, and simply when we are run as 
root, switch to that user and group.

Chris

Re: Fwd: init scripts and su

From

Tom Lane

Date:

06 August 2004, 05:06:47

Christopher Kings-Lynne <chriskl@familyhealth.com.au> writes:
> I was asked on IRC just why we can't have user=postgres and 
> group=postgres in the postgresql.conf, and simply when we are run as 
> root, switch to that user and group.

I should think that running as root up until sometime after we have read
postgresql.conf would open up more security issues.  It's certainly not
a way to close this one...
        regards, tom lane

Re: Fwd: init scripts and su

From

Andreas Pflug

Date:

06 August 2004, 07:51:01

Tom Lane wrote:
> Christopher Kings-Lynne <chriskl@familyhealth.com.au> writes:
> 
>>I was asked on IRC just why we can't have user=postgres and 
>>group=postgres in the postgresql.conf, and simply when we are run as 
>>root, switch to that user and group.
> 
> 
> I should think that running as root up until sometime after we have read
> postgresql.conf would open up more security issues.  It's certainly not
> a way to close this one...
> 

postmaster could use postgres/postgres by default, overridable by 
command line.

Regards,
Andreas

Re: Fwd: init scripts and su

From

Peter Eisentraut

Date:

09 August 2004, 08:17:14

Tom Lane wrote:
> (a) And there would be untrusted code running as postgres exactly
> why?

Because someone has cracked the PostgreSQL server.

> (b) Seems to me the real security bug here is the mere existence of
> that ioctl call.

Probably.  I'm just pointing out the findings about the environment 
we're operating in.  The fact is that right now "run as postgres to 
protect your root account" won't work on some systems and with 
unfortunately written init scripts.

-- 
Peter Eisentraut
http://developer.postgresql.org/~petere/