[scponly] scponlyc - why not give up root privileges completely?

David Ramsden david at hexstream.eu.org
Thu Jul 1 19:47:39 EDT 2004


On Thu, Jul 01, 2004 at 07:23:18PM +0200, Dominik Schwald wrote:
> Hi,
> 

Hello Dominik,

> 
> Am I right that the _only_ reason for being setuid is the chroot() 
> command? I read the following in the file INSTALL:
> "... There is a seteuid that ensures that the execution of any commands 
> is never done with an effective uid of 0..."
> 

Yes, you are correct - because as we can see from chroot(2):
"Only the super-user may change the root directory."

> So here is my question: Why does scponlyc not drop all root rights 
> immediately after invoking the chroot-jail, instead of only ensuring 
> that after the invocation of the chroot-jail the root privileges aren't 
> used any more?
> 
[snip]

Ah, but it does:
$ grep -i 'set\([a-z]\)uid' *.c
scponly.c:      if (-1==(seteuid(getuid())))
scponly.c:              syslog (LOG_ERR, "couldn't revert to my real uid. seteuid: %m");

(This is done right after the chroot() block of code and is even run if
you're not using scponlyc)

It uses seteuid. setuid does not set the "effective user ID" which
means: root -> non-root -> root (in theory).
With seteuid (as scponly currently uses), it does not allow the last
part where the program can re-engage the original effective user ID
(i.e. root).

But, does it need to call setegid(2) as well?

I hope this has cleared this up.
Regards,
David.
-- 
 .''`.     David Ramsden <david at hexstream.eu.org>
: :'  :    http://david.hexstream.eu.org/
`. `'`     PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.
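Added here as an illustration of the thread's point (this is not scponly's own code): a small C program that contrasts the temporary drop shown in the grep output above, seteuid() plus the setegid() David asks about, with a permanent drop via setgroups()/setgid()/setuid(), and then runs the check a practitioner wants after any drop: that seteuid(0) is refused. seteuid(2) changes only the effective user ID and leaves the saved set-user-ID at 0, whereas setuid(2) called with effective uid 0 replaces the real, effective and saved ids; the program reads the saved id with getresuid(), so it assumes Linux or a BSD, and the two cases only differ when it runs as root, e.g. from a setuid-root binary.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/* Saved set-user-ID of the calling process (Linux/BSD getresuid). */
uid_t saved_uid(void)
{
    uid_t r, e, s;
    getresuid(&r, &e, &s);
    return s;
}

/* Temporary drop, as in the grep output in the mail: only the effective ids
 * change; the saved set-user-ID stays 0, so a later seteuid(0) succeeds. */
int drop_privileges_temporarily(void)
{
    if (setegid(getgid()) == -1) return -1; /* gid first, while still euid 0 */
    if (seteuid(getuid()) == -1) return -1;
    return 0;
}

/* Permanent drop: supplementary groups, then gid, then uid, so that real,
 * effective and saved ids all become the unprivileged caller's ids. */
int drop_privileges_permanently(void)
{
    /* Clearing supplementary groups needs privilege; skip when unprivileged. */
    if (geteuid() == 0 && setgroups(0, NULL) == -1) return -1;
    if (setgid(getgid()) == -1) return -1; /* gid first: impossible after uid */
    if (setuid(getuid()) == -1) return -1; /* from euid 0 sets all three uids */
    return 0;
}

/* The check to run after a drop: can the process get euid 0 back?
 * 1 = seteuid(0) succeeded (drop was reversible), 0 = it was refused. */
int can_regain_root(void)
{
    if (seteuid(0) != 0) return 0; /* EPERM: saved uid is no longer 0 */
    seteuid(getuid());             /* undo again, demonstration only */
    return 1;
}

int main(void)
{
    if (drop_privileges_permanently() == -1) { perror("drop"); return 1; }
    printf("uid=%u euid=%u saved=%u regain_root=%d\n", (unsigned)getuid(),
           (unsigned)geteuid(), (unsigned)saved_uid(), can_regain_root());
    return 0;
}
```

Swap drop_privileges_permanently() for drop_privileges_temporarily() in main() and run it setuid-root: regain_root changes from 0 to 1.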