
Re: Unexpected permission denied



On Wed, Jan 25, 2023 at 03:36:33PM +0100, Yassine Chaouche wrote:
> Le 1/25/23 à 3:22 PM, Nicolas George a écrit :
> > For the current problem:
> > 
> > sudo -u www-data namei /var/www/nextcloud/3rdparty/autoload.php
> > 
> > … will cause the command to be executed in an environment closer to the
> > one that causes the problem, and therefore is more likely to reveal it.
> > Use any command of your choice instead of sudo of course.
> 
> I only have su on my server,
> I have this little bash function in one of my bash rc files.
> 
> root#cloud 15:32:53 ~ # type runas_wwwdata
> runas_wwwdata is a function
> runas_wwwdata ()
> {
>     echo su - www-data -s /bin/bash -c "$*";
>     su - www-data -s /bin/bash -c "$*"
> }

When investigating permissions, there's really no reason to do the
investigation as a non-root user.  It's easier to see the whole picture
if you do it as root.  Other users may have sections blocked off.

That said, you should also have setpriv(1) on your system, which you
could use for running programs as a de-privileged user, should you feel
a need for that.

su(1) is pretty much the WORST possible choice for this, as it forces
you to launch a shell, instead of just executing a command directly.

Your runas_wwwdata function is doing the same thing -- forcing the
command to be smashed into a string, and then re-parsed by a shell.
This is going to cause you enormous grief at some point; I can practically
guarantee it.

It's really easy to come up with an example that breaks this approach:

unicorn:~$ touch /tmp/'file with spaces'
unicorn:~$ sudo -s
[sudo] password for greg: 
unicorn:~# runas() { local who=$1; shift; su - "$who" -s /bin/bash -c "$*"; }
unicorn:~# runas www-data ls -ld /tmp/'file with spaces'
su: warning: cannot change directory to /var/www: No such file or directory
ls: cannot access '/tmp/file': No such file or directory
ls: cannot access 'with': No such file or directory
ls: cannot access 'spaces': No such file or directory

Smashing all of a command's arguments into a string (with no special
handling for whitespace and globbing characters) and then re-parsing it
with a shell is simply a bad idea.  Try to avoid it whenever possible.

Tools that execute a command directly don't suffer from this issue.  sudo
is one such tool.  setpriv is another, and is standard on all Debian
systems.

unicorn:~# setpriv --reuid www-data --regid www-data --clear-groups ls -ld /tmp/'file with spaces'
-rw-r--r-- 1 greg greg 0 Jan 25 09:50 '/tmp/file with spaces'

Not a pretty command, admittedly, but you could easily write a wrapper
for it.
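An added example, not part of this thread: a small POSIX sh script that models what "$*" re-parsing does to an argument like /tmp/file with spaces, next to a setpriv wrapper built on "$@". The runas wrapper assumes the util-linux setpriv call shown above and root, and is defined but not invoked here.

```shell
#!/bin/sh
# Added example: models the argument loss shown in the thread and the fix.
#
# Joining arguments with "$*" and handing the result to a shell (su -c "$*")
# makes the child shell re-split the string on whitespace, expand globs and
# honour metacharacters such as ';', so an argument is no longer one word
# (and an untrusted argument can become a command). Passing "$@" to a tool
# that execs the program directly (setpriv, sudo) keeps each argument intact.

# Number of words the child shell sees after re-parsing the joined string.
# This is the same parse step that su -c "$*" performs.
words_after_join() {
    sh -c "set -- $*; echo \$#"
}

# Number of arguments when they are passed through intact with "$@".
words_intact() {
    echo "$#"
}

# Wrapper around the setpriv invocation from the thread, taking the user as
# the first argument and forwarding the rest with "$@". No shell re-parses
# the command, so whitespace and glob characters survive. Needs root and
# util-linux setpriv to run for real; it is not exercised below.
runas() {
    who=$1
    shift
    setpriv --reuid "$who" --regid "$who" --clear-groups "$@"
}

echo "joined: $(words_after_join ls -ld '/tmp/file with spaces') words"   # 5
echo "intact: $(words_intact     ls -ld '/tmp/file with spaces') words"   # 3
```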

