From 7ed3ed034b9cda6c51ee7b506b7f845b6effb861 Mon Sep 17 00:00:00 2001 From: Neil Brown Date: Tue, 20 Mar 2007 10:03:28 +1100 Subject: [PATCH] sm-notify - drop privileges before receiving packets from network. If /var/lib/nfs/sm is owned by non-root, setuid to that uid after opening sockets but before receiving answers. --- utils/statd/sm-notify.8 | 16 ++++++++++++++++ utils/statd/sm-notify.c | 31 +++++++++++++++++++++++++++++++ 2 files changed, 47 insertions(+) diff --git a/utils/statd/sm-notify.8 b/utils/statd/sm-notify.8 index a1c10c3..dd03b8d 100644 --- a/utils/statd/sm-notify.8 +++ b/utils/statd/sm-notify.8 @@ -50,6 +50,22 @@ in .BR /var/lib/nfs/state , and updated by .BR sm-notify . +.SS Security +.B sm-notify +has little need for root privileges and so drops them as soon as +possible. +It continues to need to make changes to the +.B sm +and +.B sm.bak +directories so to be able to drop privileges, these must be writable +by a non-privileged user. If these directories are owned by a +non-root user, +.B sm-notify +will drop privilege to match that user once it has created sockets for +sending out request (for which it needs privileged) but before it +processes any reply (which is the most likely source of possible +privilege abuse). .SH OPTIONS .TP .BI -m " failtime diff --git a/utils/statd/sm-notify.c b/utils/statd/sm-notify.c index 0090137..c62e7eb 100644 --- a/utils/statd/sm-notify.c +++ b/utils/statd/sm-notify.c @@ -81,6 +81,7 @@ static void addr_set_port(nsm_address *, int); static int host_lookup(int, const char *, nsm_address *); void nsm_log(int fac, const char *fmt, ...); static int record_pid(); +static void drop_privs(void); static struct nsm_host * hosts = NULL; @@ -243,6 +244,8 @@ notify(void) if (opt_max_retry) failtime = time(NULL) + opt_max_retry; + drop_privs(); + while (hosts) { struct pollfd pfd; time_t now = time(NULL); @@ -711,3 +714,31 @@ static int record_pid() close(fd); return 1; } + +/* Drop privileges to match owner of state-directory + * (in case a reply triggers some unknown bug). + */ +static void drop_privs(void) +{ + struct stat st; + + if (stat(_SM_DIR_PATH, &st) == -1 && + stat(_SM_BASE_PATH, &st) == -1) { + st.st_uid = 0; + st.st_gid = 0; + } + + if (st.st_uid == 0) { + nsm_log(LOG_WARNING, + "sm-notify running as root. chown %s to choose different user\n", + _SM_DIR_PATH); + return; + } + + setgroups(0, NULL); + if (setgid(st.st_gid) == -1 + || setuid(st.st_uid) == -1) { + nsm_log(LOG_ERR, "Fail to drop privileges"); + exit(1); + } +} -- 2.39.2