jhanna has asked for the wisdom of the Perl Monks concerning the following question:

I'm working to improve ASSP's support for *nix environments. (ASSP is an anti-spam smtp proxy.) One of the important features is to be able to run as non-root after we start listening on port 25. I know how to switch euid with $>, but I had a couple of questions for those wiser than I.

First is it important to switch $< as well (ie real uid)? It might be nice to preserve $< so I can switch back to root if they kill -HUP and I need to switch ports. But in the event of a perl-based vulnerability and I changed $> but not $< I suppose the clever hacker would switch $> back if possible. So I probably need to do that, right?

Secondly do I need to give the option to switch $) and $( as well (effective and real group id)? I suppose root group might be able to do something a hacker shouldn't, even after they've lost root euid, right? Furthermore $) can return a list -- if I do something like $)=$gid; die "aaack!" if $) ne $gid; would it work?

Finally, this code has to have been written 1000 times, but I couldn't find it anywhere. Can someone point me to an opensource perl server daemon that I can swipe code from? Or perhaps paste in their prized nuget from their own project with permission to recycle?

Thanks tons,
John

Replies are listed 'Best First'.
Re: Changing user and GROUP id for security?
by bronto (Priest) on Jan 26, 2003 at 20:37 UTC

    I am not a security specialist. But being a sysadmin I almost know the basics :-)

    First thing that I had to know about security is that security and comfort don't match. So, if you want maximum security you have to make the road that leads root to another user a no-return way.

    This means, of course, that for minor configuration changes they will be still able to send a HUP and have them immediately applied. But for changes that need root privileges they'll have to restart the program. Not very comfortable, probably, but more secure.

    That shouldn't be a big problem anyway, if you provide a init.d-like shell script along with the perl script. That way an administrator could run a /etc/init.d/assp reload for a minor configuration change, and /etc/init.d/assp restart for major changes.

    I hope my 2 cents will help

    Ciao!
    --bronto

    # Another Perl edition of a song:
# The End, by The Beatles
END {
  $you->take($love) eq $you->make($love) ;
}

[reply]
[d/l]
[select]
Re: Changing user and GROUP id for security?
by jhanna (Scribe) on Jan 24, 2003 at 21:22 UTC
    Here's my concept code -- is this the right way? $switchRealUID will be true by default.

    sub switchUsers { my ($uname,$gname)=@_;
 $>=0;
 if($> != 0) {
  mlog('',"requested to switch to user/group '$uname/$gname' but canno
+t set effective uid to 0 -- quitting; uid is $>");
  die "requested to switch to user/group '$uname/$gname' but cannot se
+t effective uid to 0 -- quitting; uid is $>\n";
 }
 $<=0;
 if($gname) {
  my $gid = getgrnam($gname);
  if(defined $gid) {
   if($switchRealUID) {
    $(=$gid;
    if($(+0==$gid) {
     mlog('',"Switched real gid to $gid ($gname)");
    } else {
     mlog('',"Failed to switch real gid to $gid ($gname) -- real uid=$
+(");
    }
   }
   $)=$gid;
   if($)+0==$gid) {
    mlog('',"Switched effective gid to $gid ($gname)");
   } else {
    mlog('',"Failed to switch effective gid to $gid ($gname) -- effect
+ive gid=$) -- quitting");
    die "Failed to switch effective gid to $gid ($gname) -- effective 
+gid=$) -- quitting";
   }
  } else {
   mlog('',"Could not find gid for group '$gname' -- not switching eff
+ective gid -- quitting");
   die "Could not find gid for group '$gname' -- not switching effecti
+ve gid -- quitting";
  }
 }
 if($uname) {
  my $uid = getpwnam($uname);
  if(defined $uid) {
   if($switchRealUID) {
    $<=$uid;
    if($<==$uid) {
     mlog('',"Switched real uid to $uid ($uname)");
    } else {
     mlog('',"Failed to switch real uid to $uid ($uname) -- real uid=$
+<");
    }
   }
   $>=$uid;
   if($>==$uid) {
    mlog('',"Switched effective uid to $uid ($uname)");
   } else {
    mlog('',"Failed to switch effective uid to $uid ($uname) -- real u
+id=$< -- quitting");
    die "Failed to switch effective uid to $uid ($uname) -- real uid=$
+< -- quitting";
   }
  } else {
   mlog('',"Could not find uid for user '$uname' -- not switching effe
+ctive uid -- quitting");
   die "Could not find uid for user '$uname' -- not switching effectiv
+e uid -- quitting";
  }
 }
}

    [download]
[reply]
[d/l]
      I've removed the $switchRealUID condition -- yes one will always want to switch the RealUID. However I'm still having problems testing this script. Changing real and effective UID is no problem. The problem is that I can CHANGE it BACK. Shouldn't that be against the rules, or am I missing something?

      john

[reply]
      I found the answer here: http://archive.develooper.com/perl5-changes@perl.org/msg06044.html

      Linux and BSD treat this slightly different, and the safe way is like this:

      $< = $id; # real uid
$> = $id; # effective uid
$< = $id; # real uid
$> = $id; # effective uid

      [download]

      If you do it twice, beginning with the real then everybody is happy. So the final answer to my question is here:

      sub switchUsers { my ($uname,$gname)=@_;
 eval('getgrnam(root);getpwnam(root);'); 
 if($@) {
  # windows pukes "unimplemented" for these -- just skip it
  mlog('',"Warning: uname and/or gname are set ($uname,$gname) but get
+grnam / getpwnam give errors");
  return;
 }
 $>=0;
 if($> != 0) {
  mlog('',"requested to switch to user/group '$uname/$gname' but canno
+t set effective uid to 0 -- quitting; uid is $>");
  die "requested to switch to user/group '$uname/$gname' but cannot se
+t effective uid to 0 -- quitting; uid is $>\n";
 }
 $<=0;
 if($gname) {
  my $gid = getgrnam($gname);
  if(defined $gid) {
   $)="$gid $gid";
   if($)+0==$gid) {
    mlog('',"Switched effective gid to $gid ($gname)");
   } else {
    mlog('',"Failed to switch effective gid to $gid ($gname) -- effect
+ive gid=$) -- quitting");
    die "Failed to switch effective gid to $gid ($gname) -- effective 
+gid=$) -- quitting";
   }
   $(="$gid $gid";
   if($(+0==$gid) {
    mlog('',"Switched real gid to $gid ($gname)");
   } else {
    mlog('',"Failed to switch real gid to $gid ($gname) -- real uid=$(
+");
   }
  } else {
   mlog('',"Could not find gid for group '$gname' -- not switching eff
+ective gid -- quitting");
   die "Could not find gid for group '$gname' -- not switching effecti
+ve gid -- quitting";
  }
 }
 if($uname) {
  my $uid = getpwnam($uname);
  if(defined $uid) {
   # do it both ways so linux and bsd are happy
   $<=$uid; $>=$uid; $<=$uid; $>=$uid;
   if($>==$uid) {
    mlog('',"Switched effective uid to $uid ($uname)");
   } else {
    mlog('',"Failed to switch effective uid to $uid ($uname) -- real u
+id=$< -- quitting");
    die "Failed to switch effective uid to $uid ($uname) -- real uid=$
+< -- quitting";
   }
   if($<==$uid) {
    mlog('',"Switched real uid to $uid ($uname)");
   } else {
    mlog('',"Failed to switch real uid to $uid ($uname) -- real uid=$<
+");
   }
  } else {
   mlog('',"Could not find uid for user '$uname' -- not switching effe
+ctive uid -- quitting");
   die "Could not find uid for user '$uname' -- not switching effectiv
+e uid -- quitting";
  }
 }
}

      [download]
[reply]
[d/l]
[select]

Back to Seekers of Perl Wisdom