SUID question

Daniel J Walsh dwalsh at redhat.com
Wed Oct 8 15:04:00 UTC 2008


Eric Paris wrote:
> On Tue, 2008-10-07 at 12:21 -0700, Richard Troy wrote:
> 
>> So, the more immediate problem: On a Fedora host, a "C" based program that
>> launches all the server functionality (including archiving) has its suid
>> bit set (and gid, too) so it runs as the server installation's owner. It's
>> actually pretty smart by validating its environment hasn't been hacked,
>> etc, and then gets to business. This code has somehow broken during a
>> couple of upgrades of Fedora - I didn't notice it at first because as the
>> developer, I always run it as the development installation's owner and as
>> a fluke apparently others haven't experienced this problem or haven't
>> reported it. Recently, however, someone else went to play with it and it
>> refused.  Some simple checks indicated that the SUID bit wasn't being
>> honored. The system has SELINUX installed but disabled - the kernel is
>> 2.6.21-1.3194.fc7. It's trivially easy to prove the suid bit is ignored
>> but _why?_
> 
> fs mounted with nosuid?  this is not an selinux'ism....
> 
>> The less immediate issue is really a quest for pointers to the most
>> appropriate source packages so I can see how other programs solve similar
>> SELINUX related issues. Ideally, this code can both archive and restore
>> any file on the system. In addition, it currently - ignoring SELINUX for a
>> moment - tracks all meta-data changes - ownership and permissions, the
>> various dates associated with a file, etc, in addition to file data, so it
>> has the handy trait of both providing an audit trail and an ability to
>> restore data or meta-data as needed. As such it needs to be able to
>> discover what the security context details are so it can record them, in
>> addition to the obvious need to update SELINUX security details on a per
>> file basis.... I don't even know how to do that from the command line,
>> much less write a program to do it! ...However, I'm sure somewhere these
>> things have been already addressed, such as with tar, etc.
> 
> rsync I think was the first package to do this.  tar now has selinux
> label capabilities.  you can either get at it through the libselinux
> interfaces or directly use get/setxattr looking at the security.selinux
> namespace.  Assuming your program runs unconfined (as most things do by
> default if you don't write policy for them) selinux shouldn't be getting
> in your way of this type of operation.....
> 
> I don't think libselinux has much in the way of docs other than grabbing
> the code and looking at what interfaces it provides...
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

You probably want to look at the following SELinux functions.


man getfilecon
man setfilecon
man setfscreatecon

# ls -lZ FILE

Will list the file context

# chcon CONTEXT FILE

Will change the context.

# restorecon FILE

Will ask the system what it should be labeled and make it so.
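The "SUID bit is ignored" symptom that opened the thread is usually the mount, not the binary, as Eric suggested. The following added example (my own code, not from any poster) checks the two conditions a set-user-ID launcher depends on: the mode bits on the file and the `nosuid` flag on the filesystem it lives on, plus a runtime check from inside the process. The names `check_suid`, `describe_suid`, `suid_took_effect` and `make_constructed_suid_file` are mine; the scratch file under /tmp is constructed for the demonstration.

```c
/* Added example (not from the thread): diagnose why a set-user-ID binary may
 * not be taking effect, following Eric's "fs mounted with nosuid?" hint.
 * Function names here are my own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/statvfs.h>

enum suid_status {
    SUID_ERROR = -1,     /* stat()/statvfs() failed; errno says why */
    SUID_OK = 0,         /* S_ISUID set and the filesystem honours it */
    SUID_NOT_SET = 1,    /* mode has no S_ISUID bit at all */
    SUID_FS_NOSUID = 2   /* bit is set but the mount is nosuid: kernel ignores it */
};

/* Inspect the executable's mode bits and the flags of the filesystem it lives on. */
enum suid_status check_suid(const char *path)
{
    struct stat st;
    struct statvfs vfs;

    if (stat(path, &st) != 0 || statvfs(path, &vfs) != 0)
        return SUID_ERROR;
    if (!(st.st_mode & S_ISUID))
        return SUID_NOT_SET;
    if (vfs.f_flag & ST_NOSUID)
        return SUID_FS_NOSUID;
    return SUID_OK;
}

const char *describe_suid(enum suid_status s)
{
    switch (s) {
    case SUID_OK:        return "setuid bit set and honoured by the mount";
    case SUID_NOT_SET:   return "setuid bit is not set on the file";
    case SUID_FS_NOSUID: return "filesystem is mounted nosuid; the kernel ignores the bit";
    default:             return "could not inspect the file";
    }
}

/* Runtime check from inside the program itself: if the bit took effect, the
 * effective uid differs from the real uid of whoever launched it. */
int suid_took_effect(void)
{
    return geteuid() != getuid();
}

/* Constructed scratch file with the setuid bit, so the checks can be exercised
 * without touching a real installation; returns its path or NULL on failure. */
const char *make_constructed_suid_file(void)
{
    static char path[64];
    int fd;
    strcpy(path, "/tmp/suid-check-XXXXXX");
    fd = mkstemp(path);
    if (fd < 0)
        return NULL;
    if (fchmod(fd, S_IRUSR | S_IWUSR | S_IXUSR | S_ISUID) != 0) {
        close(fd);
        return NULL;
    }
    close(fd);
    return path;
}

int main(int argc, char **argv)
{
    const char *target = argc > 1 ? argv[1] : make_constructed_suid_file();
    enum suid_status s = check_suid(target);
    printf("%s: %s\n", target ? target : "(none)", describe_suid(s));
    if (s == SUID_ERROR)
        perror("check_suid");
    printf("privilege changed at runtime: %s\n", suid_took_effect() ? "yes" : "no");
    return s == SUID_OK ? 0 : 1;
}
```

Run it with the launcher's path as the argument; `SUID_FS_NOSUID` means the fix is in `/etc/fstab` (or the automounter) rather than in the program, and `mount | grep nosuid` will show the offending mount. With no argument it checks a scratch file, so on a box whose /tmp is mounted `nosuid` it reports exactly the condition the thread describes.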
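For the archiver itself, the raw `get/setxattr` route Eric mentions is the smallest dependency-free way to record and restore a context. The added example below (my own code, not from the thread or from libselinux) reads and writes the `security.selinux` attribute and distinguishes "no label on this file or filesystem", which is normal on a non-SELinux host and must not abort an archive run, from real errors. The function names `record_selinux_label`, `restore_selinux_label` and `make_constructed_file` are mine; libselinux's `getfilecon(3)`/`setfilecon(3)` that Daniel points to wrap these same calls.

```c
/* Added example (not from the thread): record and restore a file's SELinux
 * label through the security.selinux extended attribute, so an archiver can
 * store the context beside owner, mode and timestamps. Names are my own. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/xattr.h>

#define SELINUX_XATTR "security.selinux"

/* Copy the label of `path` into buf (buflen must be > 0).
 * Returns 1 if a label was read, 0 if the file has none or the filesystem
 * does not support security xattrs (both normal on a non-SELinux box),
 * -1 for any other error (ENOENT, EACCES, ERANGE when buf is too small, ...).
 * lgetxattr() is used so a symlink's own label is recorded, not its target's. */
int record_selinux_label(const char *path, char *buf, size_t buflen)
{
    ssize_t n = lgetxattr(path, SELINUX_XATTR, buf, buflen - 1);
    if (n < 0) {
        buf[0] = '\0';
        return (errno == ENODATA || errno == ENOTSUP) ? 0 : -1;
    }
    /* the stored value usually carries its own trailing NUL; terminate either way */
    buf[n] = '\0';
    return 1;
}

/* Write a previously recorded label back. An empty label means "nothing was
 * recorded", so it is a no-op rather than an error. Return values as above.
 * Setting a label needs relabel rights in policy (or CAP_MAC_ADMIN), so an
 * unprivileged restore may legitimately come back as -1 with EPERM/EACCES. */
int restore_selinux_label(const char *path, const char *label)
{
    if (label == NULL || label[0] == '\0')
        return 0;
    if (lsetxattr(path, SELINUX_XATTR, label, strlen(label) + 1, 0) == 0)
        return 1;
    return errno == ENOTSUP ? 0 : -1;
}

/* Constructed scratch file for the demonstration; not a real install path. */
const char *make_constructed_file(void)
{
    static char path[64];
    int fd;
    strcpy(path, "/tmp/label-demo-XXXXXX");
    fd = mkstemp(path);
    if (fd < 0)
        return NULL;
    close(fd);
    return path;
}

int main(int argc, char **argv)
{
    char label[256];
    const char *path = argc > 1 ? argv[1] : make_constructed_file();
    int rc = record_selinux_label(path, label, sizeof label);

    if (rc < 0) {
        perror("lgetxattr");
        return 1;
    }
    printf("%s: %s\n", path, rc ? label : "(no SELinux label)");
    rc = restore_selinux_label(path, label);
    if (rc < 0)
        perror("lsetxattr");
    return 0;
}
```

Compare the recorded string with `ls -lZ FILE`: they are the same `user:role:type:level` text, and `chcon CONTEXT FILE` followed by `restorecon FILE` is the shell equivalent of the restore step followed by asking the policy what the label should have been.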
