setfsuid on ext2 weirdness (2.4)

setfsuid on ext2 weirdness (2.4)

[Bjorn Wesen]

Ok.. I'm going bananas. It could be a 4am braindeath or a rh7.0 bungholio
but this is annoying:

main(int argc, char **argv)
{
	int fd;
	setfsuid(atoi(argv[1]));
	fd = open("/etc/passwd", O_RDONLY);
	printf("got fd %d\n", fd);
}

[root@wizball /root]# ./setfstest 0 
got fd 3
[root@wizball /root]# ./setfstest 500
got fd 3
[root@wizball /root]# ./setfstest 501
got fd -1

0 is obviously my root user and 500 is my standard user i log-in with. 501
exists (not that that has anything to do with this)

in fact, 0 and 500 are the ONLY ones who let a filesystem op through after
the setfsuid call. all other cause an EACCESS error on the open (or any
other fs op). and yes, the actual filepermissions on /etc and /etc/passwd
are correct.

consequence is that i can't login as any other user (or ftp, or anything
that needs to change the uid's) :(

so... the quick question is... is there anything in EXT2 or VFS that can
cause a quite normal ext2 filesystem on a 2.4.0 kernel to behave remotely
like this ?

strace shows the setfsuid call succeeds and nothing funny happens.

[root@wizball /root]# strace ./setfstest 501
execve("./setfstest", ["./setfstest", "501"], [/* 38 vars */]) = 0
uname({sys="Linux", node="wizball.xxx.yyy.zzz", ...}) = 0
brk(0)                                  = 0x80496c8
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or
directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=32172, ...}) = 0
old_mmap(NULL, 32172, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40018000
close(3)                                = 0
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0\301\1"...,
1024) = 1024
fstat64(3, {st_mode=S_IFREG|0755, st_size=4851725, ...}) = 0
old_mmap(NULL, 1217864, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =
0x40020000
mprotect(0x40140000, 38216, PROT_NONE)  = 0
old_mmap(0x40140000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED,
3, 0x11f000) = 0x40140000
old_mmap(0x40146000, 13640, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40146000
close(3)                                = 0
munmap(0x40018000, 32172)               = 0
getpid()                                = 1739
setfsuid32(0x1f5)                       = 0
open("/etc/passwd", O_RDONLY)           = -1 EACCES (Permission denied)

.... <cut>....





-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

Re: setfsuid on ext2 weirdness (2.4)

[Alan Cox]

> Ok.. I'm going bananas. It could be a 4am braindeath or a rh7.0 bungholio
> but this is annoying:

There are lots of corner cases in the kernel that are probably a bit off

> main(int argc, char **argv)
> {
> 	int fd;
> 	setfsuid(atoi(argv[1]));
> 	fd = open("/etc/passwd", O_RDONLY);
> 	printf("got fd %d\n", fd);
> }
> 
> [root@wizball /root]# ./setfstest 0 
> got fd 3

(root)

> [root@wizball /root]# ./setfstest 500
> got fd 3

(fsuid==euid)

> [root@wizball /root]# ./setfstest 501
> got fd -1

(other)

perchance. If so does being uid 501 flip the behaviour around ?

> 

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

Re: setfsuid on ext2 weirdness (2.4)

[Linus Torvalds]

In article <Pine.LNX.3.96.1010108025520.14610B-100000@medusa.sparta.lu.se>,
Bjorn Wesen  <bjorn@sparta.lu.se> wrote:
>
>in fact, 0 and 500 are the ONLY ones who let a filesystem op through after
>the setfsuid call. all other cause an EACCESS error on the open (or any
>other fs op). and yes, the actual filepermissions on /etc and /etc/passwd
>are correct.

Please show them, anyway. What does "ls -ld / /etc /etc/passwd" say?

>so... the quick question is... is there anything in EXT2 or VFS that can
>cause a quite normal ext2 filesystem on a 2.4.0 kernel to behave remotely
>like this ?

Most easily if /etc/passwd (or /etc or /) is owned by uid 500 (your
normal uid).  That would do this.  And it's pretty much the _only_ thing
that I can see doing it. 

I seriously doubt it has anything to do with the kernel or with RH 7.
The fact that uid 500 is special, and the fact that uid 500 is your
regular uid makes me suspect _very_ stronly that you've done something
as root to make some path be special to your regular uid.

The only paths that /etc/passwd touches are /, /etc and /etc/passwd. 
99% says that one of the three will be wrong (probably "/", because you
probably checked the others already and overlooked root), and you'll
feel really silly. 

Oh, there is _one_ special case.  Is either / or /etc a mount-point (ie
you may be playing games with over-mounting)? The permissions _under_
the mount-point can actually matter, and they are not visible when doing
an "ls", because the mounted thing will be shown.

And hey, if you think the above is confusing, try making your /dev/null
a regular (writable) file by mistake.  Now THAT will be confusing as
hell: things will actually work surprisingly well, but some thing
_really_ don't work the way they are intended to.  And chasing it down
is an exercise in futility.  Yes, I've done that at least twice as root
by mistake. 

		Linus
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

Re: setfsuid on ext2 weirdness (2.4)

[Kai Henningsen]

torvalds@transmeta.com (Linus Torvalds)  wrote on 08.01.01 in <93d7fr$429$1@penguin.transmeta.com>:

> And hey, if you think the above is confusing, try making your /dev/null
> a regular (writable) file by mistake.  Now THAT will be confusing as
> hell: things will actually work surprisingly well, but some thing
> _really_ don't work the way they are intended to.  And chasing it down
> is an exercise in futility.  Yes, I've done that at least twice as root
> by mistake.

So have I. It's so damned easy. Just remove the original; pretty soon  
*something* will create a plain file there.

Now you have:

* Actual input reading from /dev/null (and it changes!).
* Unusual permissions on /dev/null

Fun fun fun. Many unusual failure modes.

MfG Kai
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

Re: setfsuid on ext2 weirdness (2.4)

[Bjorn Wesen]

On Mon, 8 Jan 2001, Linus Torvalds wrote:
> Please show them, anyway. What does "ls -ld / /etc /etc/passwd" say?

Heh... /etc and /etc/passwd were allright... but / was fscked (or not,
maybe :)

drwx--------- 500 0       both locked from other users and 500 as owner..

> 99% says that one of the three will be wrong (probably "/", because you
> probably checked the others already and overlooked root), and you'll
> feel really silly. 

Dunno how that ever happened (unpacking a bad tar-ball maybe) but it's
fixed now and Linux 2.4.0 is completely without blame! :) I'm stupendously
silly but that's just normal, also, it's another warm unix experience to
cherish..

Thanks for the hint!

> And hey, if you think the above is confusing, try making your /dev/null
> a regular (writable) file by mistake.  Now THAT will be confusing as

Been there got the t-shirt :)

/BW

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/