Re: [ITP] libsuexec 1.0

[Corinna Vinschen <corinna-cygwin at cygwin dot com>]

On Aug 16 10:05, D. Boland wrote:
> Hi group,
> 
> This is not an existing package, but a spin-off project from porting
> Sendmail and Procmail to Cygwin. These programs, as you may or may not
> know, rely heavily on the setuid  mechanism (impersonating as another
> user).  More formally, this is called 'running as an unprivileged
> user' in Linux and 'privilege separation' in OpenBSD. In Cygwin, this
> mechanism is already implemented in the ssh daemon.
> 
> Sendmail takes this idea to the extreme. It starts up as the root user
> and waits for connections. On connection, it starts the 'queue runner'
> program as an unprivileged user called 'smmsp', which handles the
> conversation with the remote e-mail client. 
> 
> If the incoming e-mail has to be delivered locally (stored on disk),
> the queue runner starts the procmail program, which in turn switches
> to the actual user the e-mail is meant for and stores it in the user's
> inbox.
> 
> So, for instance sending an e-mail to myself involves switching
> through three users: root -> smmsp -> daniel
> 
> The problem ----------- Up to WinXP and Win2002, porting source code
> for Cygwin which performed this switching of users, wasn't a big
> problem.
> 
> In Windows, it is the 'SYSTEM' user which starts up most services,
> thus in effect acting as the Unix 'root' user. The difference is that
> SYSTEM has uid '18', while root has uid '0' in Unix.
> 
> So, if porting from Unix to Cygwin one could just look for all
> occurances of uid '0' and replace them with '18'. Actually, this
> technique has been used to create the current Cygwin port of the
> Procmail program.
> 
> As of Win7 and Win2003 this will no longer work. For security reasons,
> the privilege needed to impersonate another user (called
> 'SeCreateTokenPrivilege') has been removed from the SYSTEM user.
> 
> Services (daemons) who need impersonation now have to be started by
> non-SYSTEM users, which have been put in the 'Administrators' group
> and granted the SeCreateTokenPrivilege. This works for most suid
> software, like the Apache webserver, but not for Sendmail and
> Procmail.
> 
> Both programs *enforce* what is called the Capabilities model. This
> means that both programs actually check if they are ran by root and if
> not, refuse to deliver e-mail. So, simply replacing '0' with '18' in
> the source code has no effect.
> 
> The solution ------------ The solution to this problem turns out to be
> very simple and elegant: *tell* Sendmail and Procmail who is the root
> user by overriding functions which involve getting or setting user
> id's. 
> 
> For instance: make the getuid() function return '0' when the actual
> user id is '18' and make the setuid() function change to uid '18' if
> the requested uid is '0'. Take this idea one step further and Sendmail
> and Procmail become 'multi-root aware'.

Now I *finally* understand what you mean with "multi-root".  Duh.

> I created this library to do exacly that. On startup it assumes the
> root user id is '18' (SYSTEM) and the root group id is '544'
> (Administrators). It overrides the original getuid(), getgid(), etc.
> functions to return '0' if the actual uid/gid are '18' or '544'.
> 
> The library makes its program 'multi-root aware' by checking if the
> non-SYSTEM user is a member of the 'Administrators' group and if so,
> simply replacing *its* uid and gid to be '0'. This totally satisfies
> Sendmail and Procmail.
> 
> More importantly: I didn't have to change a single line in their
> source code (which would have been an awful lot), because the library
> is doing the swapping of uids/gids in the background.
> 
> To use this library, put '#include <suexec.h>' and '-lsuexec' at a
> strategic location in your source code and Makefile. To make your
> program 'multi-root' aware and even do suid and/or sugid, place a call
> to 'suexec(argv[0])' in your 'main' function and set the suid and/or
> sgid bits on the resulting binary.
> 
> http://cygwin.boland.nl/x86/release/libsuexec/
> 
> All GTG's are welcome...

This looks neat.  It doesn't cover the acl(2) family of functions,
but these are seldom used anyway.

I have just a few small nits.

- suexec.h neglects to declare most of the su_* functions.  This doesn't
  seem much of a problem at first, but it is when using this from C++,
  or when running a build with -Werror.  May I suggest to declare all
  su_* functions in suexec.h?

- The expression "multi-root" doesn't have a known meaning.  The
  description text in setup.hint doesn't help a lot either.  In a way it
  claims that setuid/setgid isn't available without this package, which
  is wrong, and it uses the expression "multi-root" by way of explaining
  it.  Along these lines...

- ... it would be much more helpful if you could explain what the
  package is doing, basically the full content of this mail of yours I'm
  just replying to, in a README file under /usr/share/doc/suexec/.  Keep
  in mind that the description text in setup.hint is (still) not visible
  from setup-<arch>.exe, thus almost nobody will read it.  Also, to
  understand what you mean by "multi-root", such a longer description in
  a proposed README file is really necessary.

Does that make sense?


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

Attachment: pgpVU8zYFCo7e.pgp
Description: PGP signature