reading /etc/bird.conf (bird 1.3.4)

22 Oct 2011

      Hi,

Would be good if bird was reading /etc/bird.conf before it drops
priviledges when -u user -g group is used.

Right now it first changes uid/gid to specified and then tries to open
bird.conf which will fail with my config:

-rw-r----- 1 root root 6002 10-10 18:26 /etc/bird.conf
and bird started with -u bird (uid=271) -g bird (gid=271).

What's worse is that bird won't start when running it from init
script at boot due to:
2441  open("/etc/bird.conf", O_RDONLY)  = -1 EACCES (Permission denied)

while it WILL start fine when doing the same thing from root@
ssh session (and that's because root belongs to root group which
has access to bird.conf and that isn't lost at setresuid/setgid).

strace at boot with additional capget and /proc/self/status reading
just before bird.conf open:

2441  setgid32(271)                     = 0
2441  setresuid32(-1, 271, -1)          = 0
2441  capset(0x20080522, 0, {CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|CAP_NET_ADMIN|CAP_NET_RAW, CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|
CAP_NET_ADMIN|CAP_NET_RAW, 0}) = 0
2441  prctl(PR_SET_KEEPCAPS, 1)         = 0
2441  setresuid32(271, 271, 271)        = 0
2441  fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(5, 1), ...}) = 0
2441  ioctl(1, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
2441  mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb784a000
2441  write(1, "crap\n", 5)             = 5
2441  capget(0x20080522, 0, NULL)       = 0
2441  capget(0x20080522, 0, {CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|CAP_NET_ADMIN|CAP_NET_RAW, CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|
CAP_NET_ADMIN|CAP_NET_RAW, 0}) = 0
2441  getresuid32([271], [271], [271])  = 0
2441  getresgid32([271], [271], [271])  = 0
2441  write(1, "crap2\n", 6)            = 6
2441  open("/proc/self/status", O_RDONLY) = 5
2441  read(5, "Name:\tbird\nState:\tR (running)\nTgid:\t2441\nPid:\t2441\nPPid:\t2436\nTracerPid:\t2436\nUid:\t271\t271\t271\t271\nGid:\t271\t271\t271\t271\nFDSize:\t32\nGroups:\t\nVmPeak:\t    
2588 kB\nVmSize:\t    2508 kB\nVmLck:\t       0 kB\nVmHWM:\t     752 kB\nVmRSS:\t     752 kB\nVmData:\t     180 kB\nVmStk:\t     132 kB\nVmExe:\t     308 kB\nVmLib:\t    1816 kB\nVmPTE:\t      
16 kB\nVmSwap:\t       0 kB\nThreads:\t1\nSigQ:\t0/26059\nSigPnd:\t0000000000000000\nShdPnd:\t0000000000000000\nSigBlk:\t0000000000000000\nSigIgn:\t0000000000000000\nSigCgt:
\t0000000180000000\nCapInh:\t0000000000000000\nCapPrm:\t0000000000003c00\nCapEff:\t0000000000003c00\nCapBnd:\tffffffffffffffff\nCpus_allowed:\tf\nCpus_allowed_list:
\t0-3\nMems_allowed:\t1\nMems_allowed_list:\t0\nVxID: 0\nNxID: 0\nvoluntary_ctxt_switches:\t282\nnonvoluntary_ctxt_switches:\t1\n", 4096) = 754
2441  open("/etc/bird.conf", O_RDONLY)  = -1 EACCES (Permission denied)

strace when doing start at ssh root@...:

3279  setgid32(271)                     = 0
3279  setresuid32(-1, 271, -1)          = 0
3279  capset(0x20080522, 0, {CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|CAP_NET_ADMIN|CAP_NET_RAW, CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|
CAP_NET_ADMIN|CAP_NET_RAW, 0}) = 0
3279  prctl(PR_SET_KEEPCAPS, 1)         = 0
3279  setresuid32(271, 271, 271)        = 0
3279  fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
3279  mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb789d000
3279  write(1, "crap\n", 5)             = 5
3279  capget(0x20080522, 0, NULL)       = 0
3279  capget(0x20080522, 0, {CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|CAP_NET_ADMIN|CAP_NET_RAW, CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|
CAP_NET_ADMIN|CAP_NET_RAW, 0}) = 0
3279  getresuid32([271], [271], [271])  = 0
3279  getresgid32([271], [271], [271])  = 0
3279  write(1, "crap2\n", 6)            = 6
3279  open("/proc/self/status", O_RDONLY) = 5
3279  read(5, "Name:\tbird\nState:\tR (running)\nTgid:\t3279\nPid:\t3279\nPPid:\t3275\nTracerPid:\t3275\nUid:\t271\t271\t271\t271\nGid:\t271\t271\t271\t271\nFDSize:\t32\nGroups:\t0 1 2 3 4 6 
10 \nVmPeak:\t    2588 kB\nVmSize:\t    2508 kB\nVmLck:\t       0 kB\nVmHWM:\t     752 kB\nVmRSS:\t     752 kB\nVmData:\t     180 kB\nVmStk:\t     132 kB\nVmExe:\t     308 kB\nVmLib:\t    1816 
kB\nVmPTE:\t      16 kB\nVmSwap:\t       0 kB\nThreads:\t1\nSigQ:\t0/26059\nSigPnd:\t0000000000000000\nShdPnd:\t0000000000000000\nSigBlk:\t0000000000000000\nSigIgn:
\t0000000000000000\nSigCgt:\t0000000180000000\nCapInh:\t0000000000000000\nCapPrm:\t0000000000003c00\nCapEff:\t0000000000003c00\nCapBnd:\tffffffffffffffff\nCpus_allowed:
\tf\nCpus_allowed_list:\t0-3\nMems_allowed:\t1\nMems_allowed_list:\t0\nVxID: 0\nNxID: 0\nvoluntary_ctxt_switches:\t277\nnonvoluntary_ctxt_switches:\t4\n", 4096) = 769
3279  open("/etc/bird.conf", O_RDONLY)  = 6

relevant difference:
-Groups:
+Groups:        0 1 2 3 4 6 10

So two things to do:
- open bird.conf before dropping privledges
- drop supplementary groups (or better set these groups based
on where user (specified at "-u user") belongs)

-- 
Arkadiusz Miśkiewicz        PLD/Linux Team
arekm / maven.pl            http://ftp.pld-linux.org/

Arkadiusz Miśkiewicz

Henrique de Moraes Holschuh

Arkadiusz Miśkiewicz

Ondrej Zajicek

tags

participants (3)