
Re: setuid/setgid binaries contained in the Debian repository.
On Mon, Aug 11, 2003 at 04:00:40PM +0200, Emile van Bergen wrote:

> On Mon, Aug 11, 2003 at 09:28:42AM -0400, Matt Zimmerman wrote:
> > setuid results in even more problems than setgid.  Given access to the
> > game uid, the user can modify the wrapper program (because they own it)
> > and from that point forward, any user who runs the game is compromised.
> 
> The point is that the user doesn't get control over the game uid, because
> the setuid + wrapper that sets the real uid, etc. provides a barrier to
> the invoking user. We have to trust such barriers; they are required in
> the unix design.
> 
> If a user could make any setuid binary do arbitrary things, no matter
> whether it's correctly written, then it's a kernel bug and we are in much,
> much bigger trouble.

I don't follow.  The wrapper is running with uid games, and it exec()s the
actual game.  So the game is running with uid games, exactly as if the game
itself were setuid, and if the game is exploited, uid games is compromised
(and so is the wrapper).

The only barrier I see is that it would clean the environment variables.
Yes, this is a popular attack vector, but it is by no means the only one.

> The idea is that the wrapper must be trusted to be able to guarantee
> dropping all permissions inherited from the invoking user and setting all
> uids (saved, effective, real) to the per-game uid. After this, the game
> cannot do anything as the invoking user or to his files. That's the whole
> point.
>
> Setgid is a bigger problem because the process retains the permissions
> over the invoking user's files and gains additional permissions. Not so
> with this scenario.
> 
> After completely switching to the game uid, if mere user input is enough
> to have the game run arbitrary code under its per-game uid and do the same
> when the next user runs it, it won't be able to harm that user in any way,
> simply because that game uid can't do anything to any user at all.

As I said, the per-game uid would own the wrapper script, and it is far
easier to replace that with a trojan than to try to exploit the game from
within.

-- 
 - mdz