From: Neil Brown Date: Mon, 19 Mar 2007 23:03:28 +0000 (+1100) Subject: sm-notify - drop privileges before receiving packets from network. X-Git-Tag: nfs-utils-1-1-0-rc1~37 X-Git-Url: https://git.decadent.org.uk/gitweb/?p=nfs-utils.git;a=commitdiff_plain;h=7ed3ed034b9cda6c51ee7b506b7f845b6effb861;hp=08ed16cab8a460ea56df19b7e27fd663cc96316d sm-notify - drop privileges before receiving packets from network. If /var/lib/nfs/sm is owned by non-root, setuid to that uid after opening sockets but before receiving answers. --- diff --git a/utils/statd/sm-notify.8 b/utils/statd/sm-notify.8 index a1c10c3..dd03b8d 100644 --- a/utils/statd/sm-notify.8 +++ b/utils/statd/sm-notify.8 @@ -50,6 +50,22 @@ in .BR /var/lib/nfs/state , and updated by .BR sm-notify . +.SS Security +.B sm-notify +has little need for root privileges and so drops them as soon as +possible. +It continues to need to make changes to the +.B sm +and +.B sm.bak +directories so to be able to drop privileges, these must be writable +by a non-privileged user. If these directories are owned by a +non-root user, +.B sm-notify +will drop privilege to match that user once it has created sockets for +sending out request (for which it needs privileged) but before it +processes any reply (which is the most likely source of possible +privilege abuse). .SH OPTIONS .TP .BI -m " failtime diff --git a/utils/statd/sm-notify.c b/utils/statd/sm-notify.c index 0090137..c62e7eb 100644 --- a/utils/statd/sm-notify.c +++ b/utils/statd/sm-notify.c @@ -81,6 +81,7 @@ static void addr_set_port(nsm_address *, int); static int host_lookup(int, const char *, nsm_address *); void nsm_log(int fac, const char *fmt, ...); static int record_pid(); +static void drop_privs(void); static struct nsm_host * hosts = NULL; @@ -243,6 +244,8 @@ notify(void) if (opt_max_retry) failtime = time(NULL) + opt_max_retry; + drop_privs(); + while (hosts) { struct pollfd pfd; time_t now = time(NULL); @@ -711,3 +714,31 @@ static int record_pid() close(fd); return 1; } + +/* Drop privileges to match owner of state-directory + * (in case a reply triggers some unknown bug). + */ +static void drop_privs(void) +{ + struct stat st; + + if (stat(_SM_DIR_PATH, &st) == -1 && + stat(_SM_BASE_PATH, &st) == -1) { + st.st_uid = 0; + st.st_gid = 0; + } + + if (st.st_uid == 0) { + nsm_log(LOG_WARNING, + "sm-notify running as root. chown %s to choose different user\n", + _SM_DIR_PATH); + return; + } + + setgroups(0, NULL); + if (setgid(st.st_gid) == -1 + || setuid(st.st_uid) == -1) { + nsm_log(LOG_ERR, "Fail to drop privileges"); + exit(1); + } +}