This is the mail archive of the cygwin-apps mailing list for the Cygwin project.
On Aug 16 10:05, D. Boland wrote:
> Hi group,
>
> This is not an existing package, but a spin-off project from porting
> Sendmail and Procmail to Cygwin. These programs, as you may or may not
> know, rely heavily on the setuid mechanism (impersonating as another
> user). More formally, this is called 'running as an unprivileged
> user' in Linux and 'privilege separation' in OpenBSD. In Cygwin, this
> mechanism is already implemented in the ssh daemon.
>
> Sendmail takes this idea to the extreme. It starts up as the root user
> and waits for connections. On connection, it starts the 'queue runner'
> program as an unprivileged user called 'smmsp', which handles the
> conversation with the remote e-mail client.
>
> If the incoming e-mail has to be delivered locally (stored on disk),
> the queue runner starts the procmail program, which in turn switches
> to the actual user the e-mail is meant for and stores it in the user's
> inbox.
>
> So, for instance, sending an e-mail to myself involves switching
> through three users: root -> smmsp -> daniel
>
> The problem
> -----------
> Up to WinXP and Win2002, porting source code for Cygwin which
> performed this switching of users wasn't a big problem.
>
> In Windows, it is the 'SYSTEM' user which starts up most services,
> thus in effect acting as the Unix 'root' user. The difference is that
> SYSTEM has uid '18', while root has uid '0' in Unix.
>
> So, if porting from Unix to Cygwin, one could just look for all
> occurrences of uid '0' and replace them with '18'. Actually, this
> technique has been used to create the current Cygwin port of the
> Procmail program.
>
> As of Win7 and Win2003 this will no longer work. For security reasons,
> the privilege needed to impersonate another user (called
> 'SeCreateTokenPrivilege') has been removed from the SYSTEM user.
>
> Services (daemons) which need impersonation now have to be started by
> non-SYSTEM users, which have been put in the 'Administrators' group
> and granted the SeCreateTokenPrivilege. This works for most suid
> software, like the Apache webserver, but not for Sendmail and
> Procmail.
>
> Both programs *enforce* what is called the Capabilities model. This
> means that both programs actually check if they are run by root and if
> not, refuse to deliver e-mail. So, simply replacing '0' with '18' in
> the source code has no effect.
>
> The solution
> ------------
> The solution to this problem turns out to be very simple and elegant:
> *tell* Sendmail and Procmail who is the root user by overriding
> functions which involve getting or setting user ids.
>
> For instance: make the getuid() function return '0' when the actual
> user id is '18' and make the setuid() function change to uid '18' if
> the requested uid is '0'. Take this idea one step further and Sendmail
> and Procmail become 'multi-root aware'.

Now I *finally* understand what you mean with "multi-root". Duh.

> I created this library to do exactly that. On startup it assumes the
> root user id is '18' (SYSTEM) and the root group id is '544'
> (Administrators). It overrides the original getuid(), getgid(), etc.
> functions to return '0' if the actual uid/gid are '18' or '544'.
>
> The library makes its program 'multi-root aware' by checking if the
> non-SYSTEM user is a member of the 'Administrators' group and if so,
> simply replacing *its* uid and gid to be '0'. This totally satisfies
> Sendmail and Procmail.
>
> More importantly: I didn't have to change a single line in their
> source code (which would have been an awful lot), because the library
> is doing the swapping of uids/gids in the background.
>
> To use this library, put '#include <suexec.h>' and '-lsuexec' at a
> strategic location in your source code and Makefile. To make your
> program 'multi-root' aware and even do suid and/or sgid, place a call
> to 'suexec(argv[0])' in your 'main' function and set the suid and/or
> sgid bits on the resulting binary.
>
> http://cygwin.boland.nl/x86/release/libsuexec/
>
> All GTG's are welcome...

This looks neat. It doesn't cover the acl(2) family of functions, but
these are seldom used anyway.

I have just a few small nits.

- suexec.h neglects to declare most of the su_* functions. This
  doesn't seem much of a problem at first, but it is when using this
  from C++, or when running a build with -Werror. May I suggest to
  declare all su_* functions in suexec.h?

- The expression "multi-root" doesn't have a known meaning. The
  description text in setup.hint doesn't help a lot either. In a way
  it claims that setuid/setgid isn't available without this package,
  which is wrong, and it uses the expression "multi-root" by way of
  explaining it. Along these lines...

- ... it would be much more helpful if you could explain what the
  package is doing, basically the full content of this mail of yours
  I'm just replying to, in a README file under /usr/share/doc/suexec/.
  Keep in mind that the description text in setup.hint is (still) not
  visible from setup-<arch>.exe, thus almost nobody will read it.
  Also, to understand what you mean by "multi-root", such a longer
  description in a proposed README file is really necessary.

Does that make sense?

Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
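The uid remapping discussed in the thread, modelled as a small self-contained C program. This is an added illustration, not code from libsuexec or the Cygwin project: the account table, the sim_become() helper, the exact behaviour of the su_* functions and the deliver_local() routine are all constructed here. It shows how a shim that maps SYSTEM (uid 18) and Administrators (gid 544), or any member of the Administrators group, to uid/gid 0 lets an unmodified "am I root?" check pass, while a request to become uid 0 is only honoured for a process that already is root, so a dropped privilege is not regained.

```c
#include <stddef.h>
#include <sys/types.h>

/* uid/gid values named in the thread: Cygwin's SYSTEM user and Administrators group. */
#define SU_ROOT_UID 18
#define SU_ROOT_GID 544

/* Constructed account table standing in for the Windows account database. */
struct sim_account {
    const char *name;
    uid_t uid;
    gid_t gid;
    int in_admin_group; /* member of Administrators, i.e. a "multi-root" user */
};

static const struct sim_account accounts[] = {
    { "SYSTEM",   SU_ROOT_UID, SU_ROOT_GID, 1 },
    { "svc_mail", 1001,        513,         1 }, /* non-SYSTEM Administrators member */
    { "smmsp",    1002,        513,         0 },
    { "daniel",   1003,        513,         0 },
};

/* Identity of the simulated current process; starts as an unprivileged user. */
static const struct sim_account *current = &accounts[3];

/* Find an account by uid; NULL if unknown. */
static const struct sim_account *lookup(uid_t uid) {
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (accounts[i].uid == uid)
            return &accounts[i];
    return NULL;
}

/* Test hook: set the identity the simulated process was started with
   (in a real shim this is the token the service was launched under). */
int sim_become(uid_t uid) {
    const struct sim_account *a = lookup(uid);
    if (!a)
        return -1;
    current = a;
    return 0;
}

/* "Multi-root": SYSTEM itself, or any member of Administrators, counts as root. */
static int current_is_root(void) {
    return current->uid == SU_ROOT_UID || current->in_admin_group;
}

/* Mapped getters: report 0 for a root identity, the real ids otherwise. */
uid_t su_getuid(void) { return current_is_root() ? 0 : current->uid; }
gid_t su_getgid(void) { return current_is_root() ? 0 : current->gid; }

/* Mapped setter: setuid(0) is a no-op for a process that already is root and
   fails for anyone else; other uids are taken literally and, as on Unix, only
   root may switch to a different user. Once dropped, root is not regained. */
int su_setuid(uid_t uid) {
    if (uid == 0)
        return current_is_root() ? 0 : -1;
    const struct sim_account *a = lookup(uid);
    if (!a)
        return -1;
    if (a != current && !current_is_root())
        return -1;
    current = a;
    return 0;
}

/* What '#include <suexec.h>' is described as achieving: the program's own
   getuid()/setuid() calls resolve to the shim without source changes. */
#define getuid su_getuid
#define setuid su_setuid

/* Sendmail/procmail-style local delivery, written against the plain POSIX names:
   refuse unless root (the enforced capabilities check), then drop to the recipient.
   Returns 0 on success, -1 if not root, -2 if the identity switch fails. */
int deliver_local(uid_t recipient) {
    if (getuid() != 0)
        return -1;
    if (setuid(recipient) != 0)
        return -2;
    return 0;
}

#undef getuid
#undef setuid
```

Run with the process started as 'daniel': deliver_local() is refused. Started as SYSTEM or as the Administrators member 'svc_mail', the root check passes, the switch to the recipient succeeds, and a subsequent setuid(0) fails because the mapped identity is no longer root.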