SUID question

Eric Paris eparis at redhat.com
Tue Oct 7 20:49:01 UTC 2008


On Tue, 2008-10-07 at 12:21 -0700, Richard Troy wrote:

> So, the more immediate problem: On a Fedora host, a "C" based program that
> launches all the server functionality (including archiving) has its suid
> bit set (and gid, too) so it runs as the server installation's owner. It's
> actually pretty smart by validating its environment hasn't been hacked,
> etc, and then gets to business. This code has somehow broken during a
> couple of upgrades of Fedora - I didn't notice it at first because as the
> developer, I always run it as the development installation's owner and as
> a fluke apparently others haven't experienced this problem or haven't
> reported it. Recently, however, someone else went to play with it and it
> refused.  Some simple checks indicated that the SUID bit wasn't being
> honored. The system has SELINUX installed but disabled - the kernel is
> 2.6.21-1.3194.fc7. It's trivially easy to prove the suid bit is ignored
> but _why?_

fs mounted with nosuid?  this is not an selinux'ism....

> The less immediate issue is really a quest for pointers to the most
> appropriate source packages so I can see how other programs solve similar
> SELINUX related issues. Ideally, this code can both archive and restore
> any file on the system. In addition, it currently - ignoring SELINUX for a
> moment - tracks all meta-data changes - ownership and permissions, the
> various dates associated with a file, etc, in addition to file data, so it
> has the handy trait of both providing an audit trail and an ability to
> restore data or meta-data as needed. As such it needs to be able to
> discover what the security context details are so it can record them, in
> addition to the obvious need to update SELINUX security details on a per
> file basis.... I don't even know how to do that from the command line,
> much less write a program to do it! ...However, I'm sure somewhere these
> things have been already addressed, such as with tar, etc.

rsync I think was the first package to do this.  tar now has selinux
label capabilities.  you can either get at it through the libselinux
interfaces or directly use get/setxattr looking at the security.selinux
namespace.  Assuming your program runs unconfined (as most things do by
default if you don't write policy for them) selinux shouldn't be getting
in your way of this type of operation.....

I don't think libselinux has much in the way of docs other than grabbing
the code and looking at what interfaces it provides...
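
The two checks from the reply above, as an added example that is not part of the original message or of any package it names: test whether a file's filesystem is mounted nosuid, and read the file's label from the security.selinux extended attribute. The function names are hypothetical, and a Linux host with glibc is assumed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/statvfs.h>
#include <sys/types.h>
#include <sys/xattr.h>

/* Function names are hypothetical; only the libc calls are real. */
/* 1 if the filesystem holding path is mounted nosuid, 0 if not, -1 on error. */
int fs_is_nosuid(const char *path)
{
    struct statvfs vfs;
    if (statvfs(path, &vfs) != 0)
        return -1;
    return (vfs.f_flag & ST_NOSUID) ? 1 : 0;
}

/* Copy the SELinux label of path into buf as a C string.
 * Returns the label length, 0 if the file has no label (or the filesystem
 * has no xattr support), -1 on any other error (errno is set). */
ssize_t read_selinux_label(const char *path, char *buf, size_t buflen)
{
    if (buflen == 0) { errno = EINVAL; return -1; }
    /* lgetxattr does not follow symlinks, so a link's own label is read. */
    ssize_t n = lgetxattr(path, "security.selinux", buf, buflen - 1);
    if (n < 0) {
        if (errno == ENODATA || errno == ENOTSUP) {
            buf[0] = '\0';
            return 0;
        }
        return -1;
    }
    /* The stored value usually carries a trailing NUL; do not count it. */
    while (n > 0 && buf[n - 1] == '\0')
        n--;
    buf[n] = '\0';
    return n;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/";
    char label[256];
    int nosuid = fs_is_nosuid(path);
    ssize_t n = read_selinux_label(path, label, sizeof label);
    printf("%s: nosuid=%d label=%s\n", path, nosuid,
           n > 0 ? label : (n == 0 ? "(none)" : strerror(errno)));
    return (nosuid < 0 || n < 0) ? 1 : 0;
}
```

Restoring a recorded label is the matching lsetxattr call on the same attribute name.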




More information about the fedora-selinux-list mailing list