public inbox for linux-msdos@vger.kernel.org
* IPX without suidroot
@ 2002-08-01 10:36 Grigory Batalov
  2002-08-01 11:58 ` Reinhard Karcher
  0 siblings, 1 reply; 11+ messages in thread
From: Grigory Batalov @ 2002-08-01 10:36 UTC (permalink / raw)
  To: linux-msdos

Hello.
I've found that latest kernel from FreeDOS works fine with
my VLM.EXE as DR-DOS did before. So I can build custom
dosemu-freedos-bin.tgz and use it.

Only question I have: "Can I use IPX while being simple user
without any sudo or suidroot?"

It seems that I can't. Vlm writes "server not found", but
it finds them when I start dosemu as root.

Maybe, I'm doing something wrong? Can you point me?

--
Grigory Batalov.


* IPX without suidroot
  2002-08-01 10:36 Grigory Batalov
@ 2002-08-01 11:58 ` Reinhard Karcher
  0 siblings, 0 replies; 11+ messages in thread
From: Reinhard Karcher @ 2002-08-01 11:58 UTC (permalink / raw)
  To: Grigory Batalov

On Thu, Aug 01, 2002 at 02:36:33PM +0400, Grigory Batalov wrote
> Only question I have: "Can I use IPX while being simple user
> without any sudo or suidroot?"
> 
As far as I know, it is not possible. Dosemu has to create sockets
of the IPX-type, and that can't be done without root privileges.

Reinhard
 


* Re: IPX without suidroot
@ 2002-08-01 14:02 Stas Sergeev
  2002-08-02 10:52 ` Grigory Batalov
  0 siblings, 1 reply; 11+ messages in thread
From: Stas Sergeev @ 2002-08-01 14:02 UTC (permalink / raw)
  To: linux-msdos

[-- Attachment #1: Type: text/plain, Size: 845 bytes --]

Hello.

Reinhard Karcher wrote:
>> Only question I have: "Can I use IPX while being simple user
>> without any sudo or suidroot?"
>  As far as I know, it is not possible. Dosemu has to create sockets
>  of the IPX-type, and that can't be done without root privileges.
I *think* (without too much knowledge
of an IPX networking) that this is
possible.
I have traced the IPXOpenSocket()
and the only place which fails without
root is setting SO_DEBUG opt to
socket which is used only for
debugging and must not fail, so it's
a bug.
For everything else root doesn't
seem to be required.
I started doom's ipxsetup and it
doesn't complain, log indicates
that packets are floating OK.
So I think IPX must work without
root.
And if not, Grigory or Reinhard,
please apply the attached patch
and produce a -D9+n log and also
cat /proc/net/ipx_interface

[-- Attachment #2: ipx_root.diff --]
[-- Type: text/plain, Size: 802 bytes --]

--- src/dosext/net/net/ipx.c	Fri Jul 19 02:04:37 2002
+++ src/dosext/net/net/ipx.c	Thu Aug  1 17:30:44 2002
@@ -443,17 +443,14 @@
   }
 
   opt = 1;
-  /* turn on socket debugging */
-  if (debug_level('n')) {
+  /* turn on socket debugging - requires root! */
+  if (debug_level('n') && can_do_root_stuff) {
     enter_priv_on();
-    if (setsockopt(sock, SOL_SOCKET, SO_DEBUG, &opt, sizeof(opt)) == -1) {
-      leave_priv_setting();
+    if (setsockopt(sock, SOL_SOCKET, SO_DEBUG, &opt, sizeof(opt)) == -1)
       n_printf("IPX: could not set socket option for debugging: %s.\n", strerror(errno));
-      /* I can't think of anything else to return */
-      return (RCODE_SOCKET_TABLE_FULL);
-    }
     leave_priv_setting();
   }
+
   opt = 1;
   /* Permit broadcast output */
   enter_priv_on();
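
Review bot: on the failure branch the n_printf now runs between enter_priv_on() and leave_priv_setting(), so the log call executes with privileges raised, where the old code dropped them first. Keep the setsockopt result and errno in locals, call leave_priv_setting(), then log. The added blank line before the second `opt = 1;` is an unrelated whitespace change, and that second assignment is redundant because nothing modifies opt in between.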


* Re: IPX without suidroot
  2002-08-01 14:02 Stas Sergeev
@ 2002-08-02 10:52 ` Grigory Batalov
  0 siblings, 0 replies; 11+ messages in thread
From: Grigory Batalov @ 2002-08-02 10:52 UTC (permalink / raw)
  To: linux-msdos

On Thu, 01 Aug 2002 18:02:58 +0400
Stas Sergeev <stssppnn@yahoo.com> wrote:

> So I think IPX must work without
> root.
> And if not, Grigory or Reinhard,
> please apply the attached patch
> and produce a -D9+n log and also
> cat /proc/net/ipx_interface

   Ok, I've applied patch and can get some debug now.

   While doing as root:
 http://lrn.ru/~bga/dosemu/good-boot.log.bz2        8213
 (Server was found and attached.)

   While being simple user:
 http://lrn.ru/~bga/dosemu/notfound-boot.log.bz2   27386
 (I see some network traffic on Gkrellm, bigger than
 usual, but server wasn't found. In log it looks like I can't
 get RIP packets if I haven't root privileges.)

$ cat /proc/net/ipx_interface
Network    Node_Address   Primary  Device     Frame_Type
00000002   0004761CBCA8   Yes      eth0       802.2

-- 
 Grigory Batalov.



* Re: IPX without suidroot
@ 2002-08-02 12:38 Stas Sergeev
  2002-08-02 13:47 ` Grigory Batalov
  0 siblings, 1 reply; 11+ messages in thread
From: Stas Sergeev @ 2002-08-02 12:38 UTC (permalink / raw)
  To: linux-msdos

[-- Attachment #1: Type: text/plain, Size: 339 bytes --]

Hello.

Grigory Batalov wrote:
> Ok, I've applied patch and can get some debug now.
Good. But I still don't like that
debugging tricks so I think just
ripping out the buggy code is OK.

> get RIP packets if I haven't root privileges.)
Seems like that.
Please apply the attached patch
instead of the previous one and
redo the log please.


[-- Attachment #2: ipx_root.diff --]
[-- Type: text/plain, Size: 2046 bytes --]

--- src/dosext/net/net/ipx.c	Fri Jul 19 02:04:37 2002
+++ src/dosext/net/net/ipx.c	Thu Aug  1 17:30:44 2002
@@ -443,18 +443,6 @@
   }
 
   opt = 1;
-  /* turn on socket debugging */
-  if (debug_level('n')) {
-    enter_priv_on();
-    if (setsockopt(sock, SOL_SOCKET, SO_DEBUG, &opt, sizeof(opt)) == -1) {
-      leave_priv_setting();
-      n_printf("IPX: could not set socket option for debugging: %s.\n", strerror(errno));
-      /* I can't think of anything else to return */
-      return (RCODE_SOCKET_TABLE_FULL);
-    }
-    leave_priv_setting();
-  }
-  opt = 1;
   /* Permit broadcast output */
   enter_priv_on();
   if (setsockopt(sock, SOL_SOCKET, SO_BROADCAST,
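
Review bot: the context lines left after the removal still call enter_priv_on() just to set SO_BROADCAST. Since the aim is to let this socket setup work for an unprivileged user, confirm whether SO_BROADCAST needs the elevation at all and, if it does not, drop the bracket so the path never runs privileged. The commit message should also say that -D+n no longer turns on kernel socket debugging.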
--- src/dosext/net/net/ipxglt.c	Tue Mar 19 19:45:49 2002
+++ src/dosext/net/net/ipxglt.c	Fri Aug  2 16:29:20 2002
@@ -107,21 +107,16 @@
 	leave_priv_setting();
 	if(sock==-1)
 	{
+		n_printf("IPX: could not open IPX socket: %s.\n", strerror(errno));
 		goto GLTExit;
 	}
 	
-	/* Socket debugging */
 	enter_priv_on();
-	if(setsockopt(sock,SOL_SOCKET,SO_DEBUG,&opt,sizeof(opt))==-1)
-	{
-		leave_priv_setting();
-		goto CloseGLTExit;
-	}
-	
 	/* Permit broadcast output */
 	if(setsockopt(sock,SOL_SOCKET,SO_BROADCAST, &opt,sizeof(opt))==-1)
 	{
 		leave_priv_setting();
+		n_printf("IPX: could not set socket option for broadcast: %s.\n", strerror(errno));
 		goto CloseGLTExit;
 	}
 	
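
Review bot: the n_printf added under `if(sock==-1)` reads errno after leave_priv_setting() has already run, and the SO_BROADCAST message does the same. If leave_priv_setting() makes any call that sets errno, the logged reason is wrong. Copy errno into a local right after the failing call and pass strerror() of that copy.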
@@ -133,6 +128,7 @@
 	if(setsockopt(sock,SOL_SOCKET,IPX_TYPE,&opt,sizeof(opt))==-1)
 	{
 		leave_priv_setting();
+		n_printf("IPX: could not set socket option for type: %s.\n", strerror(errno));
 		goto CloseGLTExit;
 	}
 	
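
Review bot: the setsockopt in this hunk's context passes IPX_TYPE with level SOL_SOCKET. IPX_TYPE is an IPX-level option, and on Linux its value (1) is the same number as SO_DEBUG, so at SOL_SOCKET this call is another SO_DEBUG request, the very option the previous hunk removed for needing root. Use SOL_IPX as the level; otherwise the new log line would report a permission failure for every unprivileged user.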
@@ -143,6 +139,7 @@
 	if(bind(sock,(struct sockaddr *)&ipxs,sizeof(ipxs))==-1)
 	{
 		leave_priv_setting();
+		n_printf("IPX: could not bind socket to address: %s\n", strerror(errno));
 		goto CloseGLTExit;
 	}
 	leave_priv_setting();
@@ -172,6 +169,7 @@
 	        {
 			leave_priv_setting();
                         retCode = -2;
+			n_printf("IPX: sendto() failed: %s\n", strerror(errno));
         		goto CloseGLTExit;
 	        }
 		leave_priv_setting();


* Re: IPX without suidroot
  2002-08-02 12:38 Stas Sergeev
@ 2002-08-02 13:47 ` Grigory Batalov
  0 siblings, 0 replies; 11+ messages in thread
From: Grigory Batalov @ 2002-08-02 13:47 UTC (permalink / raw)
  To: linux-msdos

On Fri, 02 Aug 2002 16:38:40 +0400
Stas Sergeev <stssppnn@yahoo.com> wrote:

> > get RIP packets if I haven't root privileges.)

> Seems like that.
> Please apply the attached patch
> instead of the previous one and
> redo the log please.

  It's here:
http://lrn.ru/~bga/dosemu/denied-boot.log.bz2 (28244)

  There are such pieces:

IPX: GetLocalTarget for network cb971126
IPX: could not set socket option for type: Permission denied.
IPX: GetLocalTarget failed.

-- 
 Batalov Grigory.


* Re: IPX without suidroot
@ 2002-08-02 14:37 Stas Sergeev
  2002-08-02 15:52 ` Grigory Batalov
  0 siblings, 1 reply; 11+ messages in thread
From: Stas Sergeev @ 2002-08-02 14:37 UTC (permalink / raw)
  To: linux-msdos

[-- Attachment #1: Type: text/plain, Size: 308 bytes --]

Hello.

Grigory Batalov wrote:
> IPX: GetLocalTarget for network cb971126
> IPX: could not set socket option for type: Permission denied.
> IPX: GetLocalTarget failed.
Very good, now please try this
patch and log again:)
Sorry, I don't have a testcase
for that problem, but eventually
this might be ended...

[-- Attachment #2: ipx_root.diff --]
[-- Type: text/plain, Size: 2172 bytes --]

--- src/dosext/net/net/ipx.c	Fri Jul 19 02:04:37 2002
+++ src/dosext/net/net/ipx.c	Thu Aug  1 17:30:44 2002
@@ -443,18 +443,6 @@
   }
 
   opt = 1;
-  /* turn on socket debugging */
-  if (debug_level('n')) {
-    enter_priv_on();
-    if (setsockopt(sock, SOL_SOCKET, SO_DEBUG, &opt, sizeof(opt)) == -1) {
-      leave_priv_setting();
-      n_printf("IPX: could not set socket option for debugging: %s.\n", strerror(errno));
-      /* I can't think of anything else to return */
-      return (RCODE_SOCKET_TABLE_FULL);
-    }
-    leave_priv_setting();
-  }
-  opt = 1;
   /* Permit broadcast output */
   enter_priv_on();
   if (setsockopt(sock, SOL_SOCKET, SO_BROADCAST,
--- src/dosext/net/net/ipxglt.c	Tue Mar 19 19:45:49 2002
+++ src/dosext/net/net/ipxglt.c	Fri Aug  2 16:29:20 2002
@@ -107,21 +107,16 @@
 	leave_priv_setting();
 	if(sock==-1)
 	{
+		n_printf("IPX: could not open IPX socket: %s.\n", strerror(errno));
 		goto GLTExit;
 	}
 	
-	/* Socket debugging */
 	enter_priv_on();
-	if(setsockopt(sock,SOL_SOCKET,SO_DEBUG,&opt,sizeof(opt))==-1)
-	{
-		leave_priv_setting();
-		goto CloseGLTExit;
-	}
-	
 	/* Permit broadcast output */
 	if(setsockopt(sock,SOL_SOCKET,SO_BROADCAST, &opt,sizeof(opt))==-1)
 	{
 		leave_priv_setting();
+		n_printf("IPX: could not set socket option for broadcast: %s.\n", strerror(errno));
 		goto CloseGLTExit;
 	}
 	
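
Review bot: with the SO_DEBUG block gone, the enter_priv_on() kept at the top of this hunk opens a privileged section whose first call is the SO_BROADCAST setsockopt, and every failure branch has to remember its own leave_priv_setting(). If none of the remaining calls in the section need root, remove the enter_priv_on() and the per-branch leave_priv_setting() calls; if one does, bracket only that call.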
@@ -130,9 +125,10 @@
 	   
 	opt=4;		/* Remember no htons! - its a byte */
 	
-	if(setsockopt(sock,SOL_SOCKET,IPX_TYPE,&opt,sizeof(opt))==-1)
+	if (setsockopt(sock, SOL_IPX, IPX_TYPE, &opt, sizeof(opt)) == -1)
 	{
 		leave_priv_setting();
+		n_printf("IPX: could not set socket option for type: %s.\n", strerror(errno));
 		goto CloseGLTExit;
 	}
 	
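
Review bot: the corrected setsockopt line needs a comment saying why the level is SOL_IPX, because the old SOL_SOCKET form compiled cleanly and only showed up at run time as "Permission denied" for an unprivileged user. The line was also reformatted to `if (setsockopt(sock, SOL_IPX, ...` with spaces, unlike the `if(setsockopt(sock,...` style of its neighbours; keep the file's style so the diff shows only the level change.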
@@ -143,6 +139,7 @@
 	if(bind(sock,(struct sockaddr *)&ipxs,sizeof(ipxs))==-1)
 	{
 		leave_priv_setting();
+		n_printf("IPX: could not bind socket to address: %s\n", strerror(errno));
 		goto CloseGLTExit;
 	}
 	leave_priv_setting();
@@ -172,6 +169,7 @@
 	        {
 			leave_priv_setting();
                         retCode = -2;
+			n_printf("IPX: sendto() failed: %s\n", strerror(errno));
         		goto CloseGLTExit;
 	        }
 		leave_priv_setting();


* Re: IPX without suidroot
  2002-08-02 14:37 Stas Sergeev
@ 2002-08-02 15:52 ` Grigory Batalov
  0 siblings, 0 replies; 11+ messages in thread
From: Grigory Batalov @ 2002-08-02 15:52 UTC (permalink / raw)
  To: linux-msdos

On Fri, 02 Aug 2002 18:37:08 +0400
"Stas Sergeev" <stssppnn@yahoo.com> wrote:

> > IPX: GetLocalTarget for network cb971126
> > IPX: could not set socket option for type: Permission denied.
> > IPX: GetLocalTarget failed.

> Very good, now please try this
> patch and log again:)
> Sorry, I don't have a testcase
> for that problem, but eventually
> this might be ended...

  Next one =) :

http://lrn.ru/~bga/dosemu/filure-boot.log.bz2 (27829)

  What I've found:

IPX: request number 0x2
IPX: GetLocalTarget for network cb971126
IPX: Received RIP information for network 261197cb
IPX: Failure -2 adding route <261197cb through 00000002:000102877d41>
IPX: GetLocalTarget failed.

-- 
 Grigory Batalov.


* Re: IPX without suidroot
@ 2002-08-02 17:19 Stas Sergeev
  2002-08-02 21:43 ` Grigory Batalov
  2002-08-05  5:47 ` Grigory Batalov
  0 siblings, 2 replies; 11+ messages in thread
From: Stas Sergeev @ 2002-08-02 17:19 UTC (permalink / raw)
  To: linux-msdos

Hello.

Grigory Batalov wrote:
> IPX: GetLocalTarget for network cb971126
> IPX: Received RIP information for network 261197cb
This time it finally received
RIP, good!

> IPX: Failure -2 adding route <261197cb through 00000002:000102877d41>
Ouch, and this time it comes to
the place which really requires
root (CAP_NET_ADMIN capability)...
Is this possible to set that route
manually (being root)?
Maybe something like
ipx_route add 261197cb 02 102877d41
will do the trick?

But even that may not help.
Currently dosemu doesn't check if
the route exists *before* adding
it, so it still may fail.
To do the check /proc/net/ipx_route
must be parsed, but this is not
what I can do without an ability
to test the changes...
Anyway there were several bugs
discovered, so I'd like to bring
that investigation to some conclusion.
So if adding route manually doesn't
help, could you please (only for testing
purposes) remove the
if (!capable(CAP_NET_ADMIN))
  return -EPERM;
from kernel's af_ipx.c:2403
(ipx_ioctl() ).
I want to know if my patch
really works and if there is
nothing more standing in the way...



* Re: IPX without suidroot
  2002-08-02 17:19 IPX without suidroot Stas Sergeev
@ 2002-08-02 21:43 ` Grigory Batalov
  2002-08-05  5:47 ` Grigory Batalov
  1 sibling, 0 replies; 11+ messages in thread
From: Grigory Batalov @ 2002-08-02 21:43 UTC (permalink / raw)
  To: linux-msdos

On Fri, 02 Aug 2002 21:19:38 +0400
"Stas Sergeev" <stssppnn@yahoo.com> wrote:

> > IPX: Failure -2 adding route <261197cb through 00000002:000102877d41>
> Ouch, and this time it comes to
> the place which really requires
> root (CAP_NET_ADMIN capability)...
> Is this possible to set that route
> manually (being root)?
> Maybe something like
> ipx_route add 261197cb 02 102877d41
> will do the trick?

  It is set already:

$ cat /proc/net/ipx_route 
Network    Router_Net   Router_Node
261197CB   00000002     000102877D41
00000002   Directly     Connected

  I think this route was added when I started
  dosemu as root before.

> But even that may not help.

  I see.

> Currently dosemu doesn't check if
> the route exists *before* adding
> it, so it still may fail.
> To do the check /proc/net/ipx_route
> must be parsed, but this is not
> what I can do without an ability
> to test the changes...
> Anyway there were several bugs
> discovered, so I'd like to bring
> that investigation to some conclusion.

> So if adding route manually doesn't
> help, could you please (only for testing
> purposes) remove the
> if (!capable(CAP_NET_ADMIN))
>   return -EPERM;
> from kernel's af_ipx.c:2403
> (ipx_ioctl() ).

  Sure. Next week I'll do it and post results.

> I want to know if my patch
> really works and if there is
> nothing more standing in the way...

-- 
 Grigory Batalov.
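
The check discussed in the two messages above (look the route up in /proc/net/ipx_route before attempting the add that needs CAP_NET_ADMIN), as an added example that is not part of the thread or of dosemu's code. The function names are hypothetical, and the three-column layout is assumed from the output Grigory quotes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper, not dosemu code. Scans a table laid out like the
 * /proc/net/ipx_route output above: 1 if `network` is directly connected or
 * routed via rnet:rnode, 0 if absent, -1 if the header line is missing. */
static int ipx_route_present(FILE *f, unsigned long network,
                             unsigned long rnet, const unsigned char rnode[6])
{
    char line[128], c1[16], c2[16], c3[16], want[13], *end;
    snprintf(want, sizeof want, "%02X%02X%02X%02X%02X%02X", rnode[0],
             rnode[1], rnode[2], rnode[3], rnode[4], rnode[5]);
    if (!fgets(line, sizeof line, f) || strncmp(line, "Network", 7) != 0)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "%15s %15s %15s", c1, c2, c3) != 3)
            continue;                     /* blank or truncated line */
        if (strtoul(c1, &end, 16) != network || *end != '\0')
            continue;                     /* other network or not hex */
        if (strcmp(c2, "Directly") == 0)
            return 1;                     /* on-link, no router entry */
        if (strtoul(c2, &end, 16) == rnet && *end == '\0' &&
            strcasecmp(c3, want) == 0)
            return 1;                     /* same route already installed */
    }
    return 0;                             /* absent: the add is still needed */
}

/* Constructed sample: the table from the thread, fed through a temp file. */
static int check_sample(unsigned long network)
{
    static const char sample[] =
        "Network    Router_Net   Router_Node\n"
        "261197CB   00000002     000102877D41\n"
        "00000002   Directly     Connected\n";
    static const unsigned char router[6] = {0x00, 0x01, 0x02, 0x87, 0x7d, 0x41};
    FILE *f = tmpfile();
    int r;
    if (!f)
        return -1;
    fputs(sample, f);
    rewind(f);
    r = ipx_route_present(f, network, 0x00000002UL, router);
    fclose(f);
    return r;
}

int main(void)
{
    printf("%d %d\n", check_sample(0x261197CBUL), check_sample(0xCB971126UL));
    return 0;
}
```

The log in this thread prints the same network as both cb971126 and 261197cb; the lookup has to use the order the table prints, which is why the byte-swapped form is reported as absent.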


* Re: IPX without suidroot
  2002-08-02 17:19 IPX without suidroot Stas Sergeev
  2002-08-02 21:43 ` Grigory Batalov
@ 2002-08-05  5:47 ` Grigory Batalov
  1 sibling, 0 replies; 11+ messages in thread
From: Grigory Batalov @ 2002-08-05  5:47 UTC (permalink / raw)
  To: linux-msdos

On Fri, 02 Aug 2002 21:19:38 +0400
Stas Sergeev <stssppnn@yahoo.com> wrote:

> So if adding route manually doesn't
> help, could you please (only for testing
> purposes) remove the
> if (!capable(CAP_NET_ADMIN))
>   return -EPERM;
> from kernel's af_ipx.c:2403
> (ipx_ioctl() ).
> I want to know if my patch
> really works and if there is
> nothing more standing in the way...

 Yes, it works.
 In 2.2.20 custom kernel it is in line 2283:

                case SIOCADDRT:
                case SIOCDELRT:
//                      if(!capable(CAP_NET_ADMIN))
//                              return (-EPERM);
                        return (ipxrtr_ioctl(cmd,(void *)arg));

 Again, log is here:
 http://lrn.ru/~bga/dosemu/attached-boot.log.bz2 (131565)
 Now I can attach server and run needed programs.
 Thank you, Stas!

 One strange thing I noticed:
 login.exe eats CPU power (to 99%) about 20 seconds,
 but works after it as usual.

--
 Grigory Batalov.

