
Bug 173113

Summary: Small patch for runuser: disallow suid operation
Product: [Fedora] Fedora
Reporter: Thomas Bleher <bleher>
Component: coreutils
Assignee: Tim Waugh <twaugh>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: rawhide
CC: redhat-bugzilla
Keywords: FutureFeature
Hardware: All
OS: Linux
Fixed In Version: 5.93-2
Doc Type: Enhancement
Last Closed: 2005-11-14 05:57:27 EST

Description Thomas Bleher 2005-11-14 04:13:35 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; de-DE; rv:1.7.12) Gecko/20051010 Firefox/1.0.7 (Ubuntu package 1.0.7)

Description of problem:
I think the following small patch should be applied to the coreutils
package, on top of the existing patch:

--- runuser.c.orig      2005-10-19 22:01:57.000000000 +0200
+++ runuser.c   2005-10-19 22:00:53.000000000 +0200
@@ -19,6 +19,8 @@
        return PAM_SUCCESS;
 }
 int pam_open_session(pam_handle_t *pamh, int flags){
+       if (getuid() != geteuid()) /* safety net: deny operation if we are suid by accident */
+               error(EXIT_FAIL, 1, "runuser may not be setuid");
        return PAM_SUCCESS;
 }
 int pam_close_session(pam_handle_t *pamh, int flags){
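
Review bot: The guard is placed at the top of pam_open_session(), so it only fires once that function is called, and anything runuser does before opening the session runs without the check. If this is meant as a safety net against an accidental setuid bit, consider moving the getuid() != geteuid() test to the start of main(), before any argument or environment handling. Two smaller points on the same added lines: the second argument to error() is an errno value, so the literal 1 makes the message end with the text for EPERM on Linux; write EPERM if that is intended, or pass 0 to print only "runuser may not be setuid". The test also does not cover a setgid installation, which an additional getgid() != getegid() comparison would catch.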

Rationale:
There are still a lot of scripts that assume they can use "su" to switch
uids. In some situations (eg mine :) it is simply too much work to audit
them all and keep up with updates. Instead I intend to "mv su su2; ln
runuser su" and teach the other admins to use su2 instead (users are not
allowed to use su anyway). The only problem currently is that if the
permissions on the new su are accidentally set to the usual values (by
admin error or a permission check script) there is a security hole
immediately. This small patch prevents this problem; it should not
interfere with normal operation in any way.

PS: This patch has been in use for a few weeks and has not caused any problems so far. It was posted to the SELinux-ML and acked by Russell Coker, who requested that the patch be bugzilla'd.

How reproducible:
Always

Comment 1 Tim Waugh 2005-11-14 05:57:27 EST
Thanks for the report.  Fixed in 5.93-2 in rawhide.