Hey,
Let me share this tip:
Imagine that you must run an executable that has the setuid bit set from inside a VOB. How do you do that?
Basically you will need to run "change_suid_mounts -enable" as root and then restart ClearCase, because by default VOBs and views are mounted with "nosuid".
NOTE: Be cautious about enabling this. The "nosuid" default is a safety measure: once the MVFS mounts on the host honor setuid, any root-owned binary with the setuid bit that is stored in a VOB runs as root for whoever executes it, so a setuid binary built from insecure code can compromise your system.
See the example below:
1) The code hello.c prints who the effective user of the running process is (root when setuid takes effect) by listing its own process with ps.
cat hello.c
#include <stdio.h>
#include <stdlib.h>

int main (void)
{
    char answer[8];

    /* ps -f shows the effective UID of the process: root if the setuid bit took effect */
    printf (" Details related to this process \n");
    system ("ps -fe | grep hello | grep -v grep");
    printf ("\n Type \"x\" and press \"Enter\" to exit \n");
    scanf ("%7s", answer);   /* wait for a word so the output stays on screen */
    return 0;
}
2) I now have that file compiled and owned by root:
The binary
stat /home/John/hello
File: `/home/John/hello'
Size: 13056 Blocks: 32 IO Block: 4096 regular file
Device: 802h/2050d Inode: 2392121 Links: 1
Access: (4755/-rwsr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
3) Running the code outside ClearCase
John@SUSE1164B:~> whoami
John
John@SUSE1164B:~> ./hello
Details related this process
root 20982 12727 0 10:31 pts/2 00:00:00 ./hello
Type "x" and press "Enter" to exit
x
John@SUSE1164B:~>
So the code runs as expected: because of the setuid bit it runs as root, even though a regular user started the binary.
4) Verifying how the VOB and viewroot are mounted
mount |egrep "John-vob1|viewroot"
SUSE1164B:/dev/mvfs on /view type mvfs (rw,viewroot,nosuid)
xyz-machine:/vol/John/vobs/John-vob1.vbs on /tags/John-vob1 type mvfs (uuid=2d5df461.16d511e1.8eda.00:50:56:98:21:c3,nosuid)
By default both are mounted with "nosuid".
5) If the file is inside a VOB (still owned by root), what is the result of running it?
Attempt to run the binary as John (with the default mount options):
John@SUSE1164B:~> whoami
John
John@SUSE1164B:~> cleartool setview view1-John-nas
John@SUSE1164B:~> cd /tags/John-vob1/ #Since the vob is already mounted:
John@SUSE1164B:/tags/John-vob1> ls -l hello
-r-sr-xr-x 1 root John 13056 Jan 11 09:10 hello
John@SUSE1164B:/tags/John-vob1> ./hello
Details related this process
John 23772 23717 0 10:56 pts/2 00:00:00 ./hello
Type "x" and press "Enter" to exit
Conclusion: even though the setuid bit is set on "hello", the binary ran as the user who started it. This is expected, since the VOB and /view are mounted with nosuid.
6) Enabling setuid on the view and VOB mounts
Stop the view and then run as root:
change_suid_mounts -enable
Setuid-honoring MVFS mounts are now enabled. You must stop and
restart ClearCase for this change to take effect.
Then restart ClearCase and verify that "nosuid" is no longer among the mount options:
/etc/init.d/clearcase restart
mount |egrep "view|John-vob1"
SUSE1164B:/dev/mvfs on /view type mvfs (rw,viewroot)
xyz-machine:/vol/John/vobs/John-vob1.vbs on /tags/John-vob1 type mvfs (uuid=2d5df461.16d511e1.8eda.00:50:56:98:21:c3)
Reference: https://www-304.ibm.com/support/docview.wss?uid=swg21260652
7) Attempt to run the binary as John (with setuid-honoring mounts enabled):
John@SUSE1164B:~> cleartool setview view1-John-nas
John@SUSE1164B:~> cd /tags/John-vob1/
John@SUSE1164B:/tags/John-vob1> ./hello
Details related this process
root 24927 24914 0 11:05 pts/2 00:00:00 ./hello
Type "x" and press "Enter" to exit
x
Conclusion: with setuid-honoring mounts enabled, the setuid bit works as expected.
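Since steps 4 to 7 turn a host-wide safety default off, a practitioner will want a quick way to audit the result: which MVFS mounts now honor setuid, and which setuid binaries are sitting under a VOB tag. The script below is an added example and is not part of the original post or of ClearCase itself. It relies only on the mount(8) output format shown above ("<source> on <dir> type mvfs (<options>)"); the SAMPLE_* strings are constructed from that output so the checks can be tried offline, and the path /tags/John-vob1 in the usage comment is taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): audit a ClearCase host for
# MVFS mounts that honor setuid and for setuid files stored under a VOB tag.

# Constructed from the mount output in the post: the nosuid default ...
SAMPLE_DEFAULT='/dev/sda2 on / type ext3 (rw)
SUSE1164B:/dev/mvfs on /view type mvfs (rw,viewroot,nosuid)
xyz-machine:/vol/John/vobs/John-vob1.vbs on /tags/John-vob1 type mvfs (uuid=2d5df461.16d511e1.8eda.00:50:56:98:21:c3,nosuid)'
# ... and the state after "change_suid_mounts -enable" plus a restart.
SAMPLE_ENABLED='/dev/sda2 on / type ext3 (rw)
SUSE1164B:/dev/mvfs on /view type mvfs (rw,viewroot)
xyz-machine:/vol/John/vobs/John-vob1.vbs on /tags/John-vob1 type mvfs (uuid=2d5df461.16d511e1.8eda.00:50:56:98:21:c3)'

# Read mount(8) output on stdin. Print every "type mvfs" mount whose option
# list lacks "nosuid" and return 1 if there was at least one; return 0 when
# every MVFS mount is still at the nosuid default. Non-MVFS lines are ignored.
check_mvfs_nosuid() {
    awk '
        BEGIN { bad = 0 }
        $4 == "type" && $5 == "mvfs" {
            opts = $6
            gsub(/[()]/, "", opts)      # "(rw,viewroot,nosuid)" -> "rw,viewroot,nosuid"
            if (opts !~ /(^|,)nosuid(,|$)/) {
                print "setuid honored on " $3 " (" opts ")"
                bad = 1
            }
        }
        END { exit bad }'
}

# List setuid regular files under DIR (a mounted VOB tag, for example), one
# "ls -l" line each, so the owner of every candidate can be reviewed. Files
# owned by root are the ones that matter once setuid is honored.
find_setuid() {
    find "$1" -xdev -type f -perm -4000 -exec ls -l {} \; 2>/dev/null
}

main() {
    echo "== MVFS mounts =="
    if mount | check_mvfs_nosuid; then
        echo "all MVFS mounts are nosuid (the default)"
    else
        echo "WARNING: the setuid bit is honored on the mounts listed above"
    fi
    for dir in "$@"; do
        echo "== setuid files under $dir =="
        find_setuid "$dir"
    done
}

# Run the live audit only when given one or more paths to scan, e.g.:
#   sh mvfs_suid_audit.sh /tags/John-vob1
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it once before "change_suid_mounts -enable" and once after the ClearCase restart: the first run should report nothing for the mounts and the second should list both the viewroot and the VOB mount, matching steps 4 and 6 above. The find_setuid output is the list of binaries that will start running as their owner as soon as the second state is reached.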
Regards,
Pedro Moura
##########################################Disclaimer ##############################################
"The postings on this site are my own and don't necessarily represent IBM's positions, strategies or opinions." #
#################################################################################################