[linux-lvm] lvcreate from a setuid-root binary

[linux-lvm] lvcreate from a setuid-root binary

[Christoph Pleger]

Hello,

I am calling lvcreate from a setuid-binary, which internally calls 
setreuid(), so that not only effective and saved UIDs, but also the real 
UID is set to 0. From _nonroot_warning() in lvmcmdline.c I see that LVM 
command line tools expect that.

Unfortunately - though these UIDs are all set to 0 - lvcreate still does 
not work for me. That is, it does work when I call my setuid-binary as a 
non-root user from the command line, but it does not work when I call my 
setuid-binary from PAM module pam_exec - and that is what I need my 
program for. I let my program send lvcreate output to a file and that 
file has the following content:

  device-mapper: version ioctl on  failed: Permission denied
   Incompatible libdevmapper 1.02.137 (2016-11-30) and kernel driver 
(unknown version).
   striped: Required device-mapper target(s) not detected in your kernel.
   Run `lvcreate --help' for more information.

What might be the problem here so that lvcreate gives these errors 
though all UIDs are 0?

Regards
   Christoph

Re: [linux-lvm] lvcreate from a setuid-root binary

[Alasdair G Kergon]

On Thu, Nov 15, 2018 at 05:39:56PM +0100, Christoph Pleger wrote:
> I am calling lvcreate from a setuid-binary, which internally calls  

Let's stop there.  The fact you're asking a question about setuid 
suggests you don't understand enough to be able to use it safely.

Seriously, never use setuid for anything until you have a thorough
understanding of its internals (userspace and kernel) and ld-linux,
capabilities, process contexts, acls, selinux etc.  It's just too easy
to make your system insecure because of something you didn't even
realise you had to consider!  (I could tell you some funny stories...)

Go back to the beginning and describe the original problem you are 
trying to solve and the constraints you have and ask for advice about
ways to achieve it.

Alasdair

Re: [linux-lvm] lvcreate from a setuid-root binary

[Christoph Pleger]

Hello,

> Let's stop there.  The fact you're asking a question about setuid
> suggests you don't understand enough to be able to use it safely.

I get security by checking the real user id at the beginning of the 
program and aborting the program if that uid does not belong to the only 
user who is allowed to run the program. That user is me and I guess that 
it is much more insecure to run the whole service that wants to 
authenticate users through PAM as root.

> Go back to the beginning and describe the original problem you are
> trying to solve and the constraints you have and ask for advice about
> ways to achieve it.

The beginning is that I want to create a user-specific logical volume 
when a user logs in to a service that authenticates its users through 
pam and that does not run as root.

Regards
   Christoph

Re: [linux-lvm] lvcreate from a setuid-root binary

[Zdenek Kabelac]

Dne 16. 11. 18 v 14:43 Christoph Pleger napsal(a):
> Hello,
> 
>> Let's stop there.� The fact you're asking a question about setuid
>> suggests you don't understand enough to be able to use it safely.
> 
> I get security by checking the real user id at the beginning of the program 
> and aborting the program if that uid does not belong to the only user who is 
> allowed to run the program. That user is me and I guess that it is much more 
> insecure to run the whole service that wants to authenticate users through PAM 
> as root.

How do you plan to 'authorize' passed command line options ??

lvm2 is designed to be always executed with root privileges - so it's believed 
admin knows how he can destroy his own system.

It is NOT designed/supposed to be used as suid binary - this would give user a 
way to big power to very easily destroy your filesystem and gain root 
privileges (i.e.by overwriting  /etc/passwd file)

So I'd highly recommend to avoid this path - unless you have total control 
over the users.

> 
>> Go back to the beginning and describe the original problem you are
>> trying to solve and the constraints you have and ask for advice about
>> ways to achieve it.
> 
> The beginning is that I want to create a user-specific logical volume when a 
> user logs in to a service that authenticates its users through pam and that 
> does not run as root.


You should probably consider some 'master & client' logic - where master runs 
'allowed' rules translated to lvm2 commands internally on your server  - and 
client just issues  some 'high-level' commands.

Regards

Zdenek

PS: there are some plans to support this over dBus - but no so much active 
dBus development is going on ATM on lvm2 side....

Re: [linux-lvm] lvcreate from a setuid-root binary

[Stuart D. Gathman]

[-- Attachment #1: Type: text/plain, Size: 1149 bytes --]

It's not very elegant, but the quick and dirty solution is to use sudo 
to allow certain users to run specific commands with a real uid of 
root.  You can say exactly what arguments the user has to use - the 
sudoers file is where this is configured.  Or you can make a script - 
which is probably better.  But said script should have no arguments, or 
as few as possible - because any complexity allows that user to attempt 
to exploit it to acheive root.  Such a script could trivially bring a 
specific LV online, writable by a specific user.  More complex 
requirement would be - more complex.

If LVM has more elegant features for this kind of thing, I'm all ears.

On Fri, Nov 16, 2018 at 8:43 AM, Christoph Pleger 
<christoph.pleger@cs.uni-dortmund.de> wrote:
>> Go back to the beginning and describe the original problem you are
>> trying to solve and the constraints you have and ask for advice about
>> ways to achieve it.
> 
> The beginning is that I want to create a user-specific logical volume 
> when a user logs in to a service that authenticates its users through 
> pam and that does not run as root.
> 
> Regards
>   Christoph
> 

[-- Attachment #2: Type: text/html, Size: 1386 bytes --]

Re: [linux-lvm] lvcreate from a setuid-root binary

[Christoph Pleger]

Hello,

> How do you plan to 'authorize' passed command line options ??

My program has no command line options. It just takes PAM_USER from PAM 
environment and creates a logical volume /dev/vg1/$PAM_USER, creates a 
filesystem and changes directory permissions of the top directory of the 
new filesystem.

> lvm2 is designed to be always executed with root privileges - so it's
> believed admin knows how he can destroy his own system.
> 
> It is NOT designed/supposed to be used as suid binary - this would
> give user a way to big power to very easily destroy your filesystem
> and gain root privileges (i.e.by overwriting  /etc/passwd file)

Either you misunderstood what I mean, or I am misunderstanding what you 
mean - I do not set lvcreate suid root, but a program that has only a 
small and well defined set of instructions (described above) and that 
restricts its execution to only one user (by checking the real uid 
before setuid(0)).

Regards
   Christoph

Re: [linux-lvm] lvcreate from a setuid-root binary

[Roger Heflin]

Why aren't you just using sudo for this?
On Fri, Nov 16, 2018 at 11:14 AM Christoph Pleger
<christoph.pleger@cs.uni-dortmund.de> wrote:
>
> Hello,
>
> > How do you plan to 'authorize' passed command line options ??
>
> My program has no command line options. It just takes PAM_USER from PAM
> environment and creates a logical volume /dev/vg1/$PAM_USER, creates a
> filesystem and changes directory permissions of the top directory of the
> new filesystem.
>
> > lvm2 is designed to be always executed with root privileges - so it's
> > believed admin knows how he can destroy his own system.
> >
> > It is NOT designed/supposed to be used as suid binary - this would
> > give user a way to big power to very easily destroy your filesystem
> > and gain root privileges (i.e.by overwriting  /etc/passwd file)
>
> Either you misunderstood what I mean, or I am misunderstanding what you
> mean - I do not set lvcreate suid root, but a program that has only a
> small and well defined set of instructions (described above) and that
> restricts its execution to only one user (by checking the real uid
> before setuid(0)).
>
> Regards
>    Christoph
>
> _______________________________________________
> linux-lvm mailing list
> linux-lvm@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-lvm
> read the LVM HOW-TO at http://tldp.org/HOWTO/LVM-HOWTO/

Re: [linux-lvm] lvcreate from a setuid-root binary

[Alasdair G Kergon]

On Fri, Nov 16, 2018 at 02:43:10PM +0100, Christoph Pleger wrote:
> I get security by checking the real user id at the beginning of the  
> program and aborting the program if that uid does not belong to the only  
> user who is allowed to run the program. 

Sounds familiar.  Shall I tell you one of those stories?

I used a system where the sysadmin was worried that letting people run
the setuid 'su' binary was too dangerous, so he wrote a wrapper around
it to "improve" security.  The wrapper checked you were in the admin
group before letting you run the real 'su'.  Of course anyone who
understood how setuid works better than he did could now use the
wrapper in numerous different ways to become root directly without a
password.  

If you care about security find another solution that doesn't involve
writing your own privileged code to be run under the control of an
unprivileged user.

Alasdair

Re: [linux-lvm] lvcreate from a setuid-root binary

[Christoph Pleger]

Hello,

On 2018-11-17 01:24, Alasdair G Kergon wrote:
> On Fri, Nov 16, 2018 at 02:43:10PM +0100, Christoph Pleger wrote:
>> I get security by checking the real user id at the beginning of the
>> program and aborting the program if that uid does not belong to the 
>> only
>> user who is allowed to run the program.
> 
> Sounds familiar.  Shall I tell you one of those stories?
> ...
> ...
> ...

My program calls getpwuid() with the real user id of the calling user 
and then compares this user's name with the name of the one and only 
user who is allowed to continue program execution. Do you think that 
this can be circumvented?

Regards
   Christoph

Re: [linux-lvm] lvcreate from a setuid-root binary

[Alasdair G Kergon]

On Mon, Nov 19, 2018 at 09:55:07AM +0100, Christoph Pleger wrote:
> My program calls getpwuid() with the real user id of the calling user  
> and then compares this user's name with the name of the one and only  
> user who is allowed to continue program execution. Do you think that  
> this can be circumvented?

I'll just repeat - don't write your own setuid programs if you care
about security.  Here's an old paper that lists some (and certainly not
all!) of the things people who do write them have to understand:

  http://man7.org/conf/lca2010/writing_secure_privileged_programs.pdf

It only takes one mistake or one thing you didn't know about or
understand properly to make your system insecure.

Alasdair

Re: [linux-lvm] lvcreate from a setuid-root binary

[Bryn M. Reeves]

On Fri, Nov 16, 2018 at 02:43:10PM +0100, Christoph Pleger wrote:
> The beginning is that I want to create a user-specific logical volume when a
> user logs in to a service that authenticates its users through pam and that
> does not run as root.

Couldn't you use a pam_scripts ses_open/ses_close hook to do this?

That way you can get rid of any suid binary and rely on the well
tested PAM stack to carry out the set up (and optionally clean up)
for the users at login/out time.

Regards,
Bryn.

Re: [linux-lvm] lvcreate from a setuid-root binary

[Christoph Pleger]

Hello,

On 2018-11-19 14:19, Bryn M. Reeves wrote:
> On Fri, Nov 16, 2018 at 02:43:10PM +0100, Christoph Pleger wrote:
>> The beginning is that I want to create a user-specific logical volume 
>> when a
>> user logs in to a service that authenticates its users through pam and 
>> that
>> does not run as root.
> 
> Couldn't you use a pam_scripts ses_open/ses_close hook to do this?
> 
> That way you can get rid of any suid binary and rely on the well
> tested PAM stack to carry out the set up (and optionally clean up)
> for the users at login/out time.

Hm, I do not see how the scripts called by pam_scripts can be executed 
with another user id than the process that called pam_authenticate()?

Regards
   Christoph

Re: [linux-lvm] lvcreate from a setuid-root binary

[Christoph Pleger]

Hello,

On 2018-11-15 17:39, Christoph Pleger wrote:

> Unfortunately - though these UIDs are all set to 0 - lvcreate still
> does not work for me. That is, it does work when I call my
> setuid-binary as a non-root user from the command line, but it does
> not work when I call my setuid-binary from PAM module pam_exec - and
> that is what I need my program for. I let my program send lvcreate
> output to a file and that file has the following content:
> 
>  device-mapper: version ioctl on  failed: Permission denied
>   Incompatible libdevmapper 1.02.137 (2016-11-30) and kernel driver
> (unknown version).
>   striped: Required device-mapper target(s) not detected in your 
> kernel.
>   Run `lvcreate --help' for more information.
> 
> What might be the problem here so that lvcreate gives these errors
> though all UIDs are 0?

No matter if I use that setuid-mechanism in the end or not, I would 
still like to know why it does not work as-is with lvcreate. :-)

I guess that the error message "device-mapper: version ioctl on  failed: 
Permission denied" comes from the following lines in LVM's 
libdm/ioctl/libdm-iface.c:


if (_log_suppress || dmt->ioctl_errno == EINTR)
         log_verbose("device-mapper: %s ioctl on %s%s%s%.0d%s%.0d%s%s "
                     "failed: %s",
                     _cmd_data_v4[dmt->type].name,
                     dmi->name, dmi->uuid,
                     dmt->major > 0 ? "(" : "",
                     dmt->major > 0 ? dmt->major : 0,
                     dmt->major > 0 ? ":" : "",
                     dmt->minor > 0 ? dmt->minor : 0,
                     dmt->major > 0 && dmt->minor == 0 ? "0" : "",
                     dmt->major > 0 ? ")" : "",
                     strerror(dmt->ioctl_errno));
else
         log_error("device-mapper: %s ioctl on %s%s%s%.0d%s%.0d%s%s "
                   "failed: %s",
                   _cmd_data_v4[dmt->type].name,
                   dmi->name, dmi->uuid,
                   dmt->major > 0 ? "(" : "",
                   dmt->major > 0 ? dmt->major : 0,
                   dmt->major > 0 ? ":" : "",
                   dmt->minor > 0 ? dmt->minor : 0,
                   dmt->major > 0 && dmt->minor == 0 ? "0" : "",
                   dmt->major > 0 ? ")" : "",
                   strerror(dmt->ioctl_errno));

But somehow, the values are empty ...

Regards
   Christoph

Re: [linux-lvm] lvcreate from a setuid-root binary

[Christoph Pleger]

Hello,

On 2018-11-16 16:41, Stuart D. Gathman wrote:
> It's not very elegant, but the quick and dirty solution is to use sudo

probably you had not yet read that far in this thread, but I already 
wrote that sudo does not work when called from pam_exec.

To get the stderr and stdout results of sudo, I wrote a shell script 
wrapper around it, and the results are (maybe because sudo itself uses 
PAM?):

sudo: unable to change to root gid: Operation not permitted
sudo: unable to initialize policy plugin

Someone wrote that he assumes that pam_exec ignores the setuid-bit in 
the file permissions, but that is obviously wrong, as this whole thread 
is about why lvcreate, when being called from my setuid-root-binary, has 
permission problems though all three (real, effective and saved) UIDs 
are 0 (and of course I checked that they really are 0).

Regards
   Christoph

Re: [linux-lvm] lvcreate from a setuid-root binary

[Vladislav Bogdanov]

On 21.11.2018 12:56, Christoph Pleger wrote:
> Hello,
> 
> On 2018-11-16 16:41, Stuart D. Gathman wrote:
>> It's not very elegant, but the quick and dirty solution is to use sudo
> 
> probably you had not yet read that far in this thread, but I already 
> wrote that sudo does not work when called from pam_exec.
> 
> To get the stderr and stdout results of sudo, I wrote a shell script 
> wrapper around it, and the results are (maybe because sudo itself uses 
> PAM?):
> 
> sudo: unable to change to root gid: Operation not permitted
> sudo: unable to initialize policy plugin

May be silly question: Do you have selinux or equivalent enabled?

> 
> Someone wrote that he assumes that pam_exec ignores the setuid-bit in 
> the file permissions, but that is obviously wrong, as this whole thread 
> is about why lvcreate, when being called from my setuid-root-binary, has 
> permission problems though all three (real, effective and saved) UIDs 
> are 0 (and of course I checked that they really are 0).
> 
> Regards
>    Christoph
> 
> _______________________________________________
> linux-lvm mailing list
> linux-lvm@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-lvm
> read the LVM HOW-TO at http://tldp.org/HOWTO/LVM-HOWTO/

Re: [linux-lvm] lvcreate from a setuid-root binary

[Christoph Pleger]

Hello,

> May be silly question: Do you have selinux or equivalent enabled?

I HAD apparmor enabled, but after the first failures (like described 
here) had occurred, I also suspected apparmor as a possible reason and 
disabled it. Unfortunately, that did not help.

Regards
   Christoph

Re: [linux-lvm] lvcreate from a setuid-root binary

[matthew patton]

assuming you haven't seen this.
https://stackoverflow.com/questions/14655929/pam-exec-and-security

Re: [linux-lvm] lvcreate from a setuid-root binary

[matthew patton]

http://linux-pam.org/Linux-PAM-html/sag-pam_exec.html

I would further assume pam_exec ignores SUID bit on binaries either because of a bug or deliberately because there is no good reason to ever do that.

Re: [linux-lvm] lvcreate from a setuid-root binary

[Christoph Pleger]

Hello,

On 2018-11-19 15:04, matthew patton wrote:
>> program calls getpwuid() with the real user id of the calling user
> 
> maybe I missed a critical post explaining why it has to be, but that's
> a job for a trivial sudo specification line.
> 
> I can't think of any reason why sudo is not the answer to your
> problem, or frankly isn't always the answer.

I have already tried sudo before writing my own setuid-root-program, by 
calling it directly from pam_exec and by letting pam_exec call another 
program first that calls sudo. Either case failed, even with simple 
tests like letting sudo run /bin/ls (and of course I checked before that 
the same user could use sudo from the command line).

Regards
   Christoph

Re: [linux-lvm] lvcreate from a setuid-root binary

[matthew patton]

> program calls getpwuid() with the real user id of the calling user 

maybe I missed a critical post explaining why it has to be, but that's a job for a trivial sudo specification line.

I can't think of any reason why sudo is not the answer to your problem, or frankly isn't always the answer.