On Monday 29 October 2018 11:50 AM, Sunil Mohan Adapa wrote: [...] > > I agree that it is better to not expose the environment to runuser. I > will make the change to use 'env' instead.
Attached the patches do this with /usr/bin/env (better to have full path?). I have retested all invocations again. > > A bigger concern should be to scrub all environment from the parent root > user process except for the values that need to be passed down. > Unfortunately, this is an issue equally problematic in the earlier and > proposed code. > > # TESTVAR1='test' su -s /bin/bash -c 'set' |grep TESTVAR > TESTVAR1=test > > # TESTVAR1='test' runuser -u monkeysphere -- bash -c set |grep TESTVAR > TESTVAR1=test > > I will try to scrub the environment using 'env -i' and see if that > introduces any breakages. I tried this and it looks like this requires more changes and time which I currently am short on. So, I am not proposing 'env -i' at this time. [...] > > I belive this is because I have libpam-tmpdir installed on my test VM > (FreedomBox). I will test my next patch without this. I confirm that I no longer see problems with TMPDIR after removing libpam-tmpdir from the system. Thanks, -- Sunil
From 50df0dca1a247be52c17ef5e71e11b73ea03eb0a Mon Sep 17 00:00:00 2001 From: Sunil Mohan Adapa <[email protected]> Date: Thu, 25 Oct 2018 14:43:57 -0700 Subject: [PATCH] Use runuser instead of su On systems with restricted PAM security, it may not possible to use su. --- src/monkeysphere-authentication | 6 +++--- src/monkeysphere-host | 2 +- src/share/common | 20 +++++++------------- src/share/ma/add_certifier | 2 +- src/share/ma/update_users | 5 +++-- src/share/mh/add_revoker | 10 +++++----- src/share/mh/publish_key | 4 ++-- 7 files changed, 22 insertions(+), 27 deletions(-) diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication index b3eb1e6..8d6bee0 100755 --- a/src/monkeysphere-authentication +++ b/src/monkeysphere-authentication @@ -81,11 +81,11 @@ gpg_sphere() { GNUPGHOME="$GNUPGHOME_SPHERE" export GNUPGHOME - su_monkeysphere_user gpg --fixed-list-mode --no-greeting --quiet --no-tty "$@" + run_as_monkeysphere_user gpg --fixed-list-mode --no-greeting --quiet --no-tty "$@" } check_openpgp2ssh_sanity() { - if [[ `su_monkeysphere_user openpgp2ssh ABC &>/dev/null || echo $?` != "255" ]]; then + if [[ `run_as_monkeysphere_user openpgp2ssh ABC &>/dev/null || echo $?` != "255" ]]; then echo "openpgp2ssh command gives unexpected return code. This can lead to a scenario where no authorized keys are populated, even though they are otherwise valid. Aborting!" exit 1 fi; @@ -137,7 +137,7 @@ GNUPGHOME_SPHERE=${MONKEYSPHERE_GNUPGHOME_SPHERE:="${MADATADIR}/sphere"} CORE_KEYLENGTH=${MONKEYSPHERE_CORE_KEYLENGTH:="2048"} LOG_PREFIX=${MONKEYSPHERE_LOG_PREFIX:='ms: '} -# export variables needed in su invocation +# export variables needed for invoking command under monkeysphere user export DATE export LOG_LEVEL export KEYSERVER diff --git a/src/monkeysphere-host b/src/monkeysphere-host index 75895e9..089c2b6 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -360,7 +360,7 @@ PROMPT=${MONKEYSPHERE_PROMPT:=$PROMPT} GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${MHDATADIR}"} LOG_PREFIX=${MONKEYSPHERE_LOG_PREFIX:='ms: '} -# export variables needed in su invocation +# export variables needed for invoking command under monkeysphere user export DATE export LOG_LEVEL export KEYSERVER diff --git a/src/share/common b/src/share/common index 80ae88a..cccdaaa 100644 --- a/src/share/common +++ b/src/share/common @@ -93,20 +93,14 @@ log() { } # run command as monkeysphere user -su_monkeysphere_user() { +run_as_monkeysphere_user() { # our main goal here is to run the given command as the the # monkeysphere user, but without prompting for any sort of # authentication. If this is not possible, we should just fail. - - # FIXME: our current implementation is overly restrictive, because - # there may be some su PAM configurations that would allow su - # "$MONKEYSPHERE_USER" -c "$@" to Just Work without prompting, - # allowing specific users to invoke commands which make use of - # this user. - - # chpst (from runit) would be nice to use, but we don't want to - # introduce an extra dependency just for this. This may be a - # candidate for re-factoring if we switch implementation languages. + # + # A simple command and its arguments are expected. Shell + # expressions are not supported. If they are required, they may + # be executed with 'bash -c "<EXPR>"'. case $(id -un) in # if monkeysphere user, run the command as a subshell @@ -114,10 +108,10 @@ su_monkeysphere_user() { ( "$@" ) ;; - # if root, su command as monkeysphere user + # if root, run command as monkeysphere user 'root') # requote arguments using bash builtin feature (see "help printf"): - su "$MONKEYSPHERE_USER" -s "$(which bash)" -c "$(printf "%q " "$@")" + runuser -u "$MONKEYSPHERE_USER" -- "$@" ;; # otherwise, fail diff --git a/src/share/ma/add_certifier b/src/share/ma/add_certifier index 05f4b44..bd9885c 100644 --- a/src/share/ma/add_certifier +++ b/src/share/ma/add_certifier @@ -100,7 +100,7 @@ if [ -f "$keyID" -o "$keyID" = '-' ] ; then # check the key is ok as monkeysphere user before loading log debug "checking keys in file..." - fingerprint=$(su_monkeysphere_user \ + fingerprint=$(run_as_monkeysphere_user \ bash -c "$(printf ". %q && list_primary_fingerprints" "${SYSSHAREDIR}/common")" < "$keyID") if [ $(printf "%s" "$fingerprint" | egrep -c '^[A-F0-9]{40}$') -ne 1 ] ; then diff --git a/src/share/ma/update_users b/src/share/ma/update_users index a0ec21b..4ce0281 100644 --- a/src/share/ma/update_users +++ b/src/share/ma/update_users @@ -78,8 +78,9 @@ for uname in $unames ; do log verbose "processing authorized_user_ids..." # process authorized_user_ids file, as monkeysphere user - su_monkeysphere_user \ - /usr/bin/env "STRICT_MODES=$STRICT_MODES" bash -c "$(printf ". %q && process_authorized_user_ids -" "${SYSSHAREDIR}/common")"\ + run_as_monkeysphere_user \ + /usr/bin/env STRICT_MODES="$STRICT_MODES" \ + bash -c "$(printf ". %q && process_authorized_user_ids -" "${SYSSHAREDIR}/common")"\ < "$authorizedUserIDs" \ > "$tmpAuthorizedKeys" diff --git a/src/share/mh/add_revoker b/src/share/mh/add_revoker index 7fafabd..34ecdb9 100644 --- a/src/share/mh/add_revoker +++ b/src/share/mh/add_revoker @@ -51,7 +51,7 @@ if [ -f "$revokerKeyID" -o "$revokerKeyID" = '-' ] ; then # check the key is ok as monkeysphere user before loading log debug "checking keys in file..." - fingerprint=$(su_monkeysphere_user \ + fingerprint=$(run_as_monkeysphere_user \ bash -c "$(printf ". %q && list_primary_fingerprints" "${SYSSHAREDIR}/common")" < "$revokerKeyID") if [ $(printf "%s" "$fingerprint" | egrep -c '^[A-F0-9]{40}$') -ne 1 ] ; then @@ -71,12 +71,12 @@ else # download the key from the keyserver as the monkeysphere user log verbose "searching keyserver $KEYSERVER for revoker keyID $revokerKeyID..." - su_monkeysphere_user "GNUPGHOME=$tmpDir" gpg --quiet --keyserver "$KEYSERVER" --recv-key "0x${revokerKeyID}!" \ + run_as_monkeysphere_user /usr/bin/env GNUPGHOME="$tmpDir" gpg --quiet --keyserver "$KEYSERVER" --recv-key "0x${revokerKeyID}!" \ || failure "Could not receive a key with this ID from keyserver '$KEYSERVER'." # get the full fingerprint of new revoker key log debug "getting fingerprint of revoker key..." - fingerprint=$(su_monkeysphere_user "GNUPGHOME=$tmpDir" gpg --list-key --with-colons --with-fingerprint "${revokerKeyID}" \ + fingerprint=$(run_as_monkeysphere_user /usr/bin/env GNUPGHOME="$tmpDir" gpg --list-key --with-colons --with-fingerprint "${revokerKeyID}" \ | awk -F: '/^fpr:/{ if (ok) { print $10 }; ok=0 } /^pub:/{ ok=1 }') # test that there is only a single fingerprint @@ -90,7 +90,7 @@ EOF fi log info "revoker key found:" - su_monkeysphere_user "GNUPGHOME=$tmpDir" gpg --fingerprint "0x${fingerprint}!" + run_as_monkeysphere_user /usr/bin/env GNUPGHOME="$tmpDir" gpg --fingerprint "0x${fingerprint}!" if [ "$PROMPT" = "true" ] ; then printf "Are you sure you want to add the above key as a revoker\nof the key '$keyID'? (Y/n) " >&2 @@ -104,7 +104,7 @@ EOF # export the new key to the host keyring log debug "loading revoker key into host keyring..." - su_monkeysphere_user "GNUPGHOME=$tmpDir" gpg --quiet --export "0x${fingerprint}!" \ + run_as_monkeysphere_user /usr/bin/env GNUPGHOME="$tmpDir" gpg --quiet --export "0x${fingerprint}!" \ | gpg_host --import fi diff --git a/src/share/mh/publish_key b/src/share/mh/publish_key index 6987a0a..affb5fb 100644 --- a/src/share/mh/publish_key +++ b/src/share/mh/publish_key @@ -45,7 +45,7 @@ cleanup() { trap cleanup EXIT # import the key into the tmp dir -su_monkeysphere_user \ +run_as_monkeysphere_user \ gpg --quiet --import <"$HOST_KEY_FILE" ANCHORFILE="" @@ -58,7 +58,7 @@ done # publish key log debug "publishing key with the following gpg command line and options:" -su_monkeysphere_user \ +run_as_monkeysphere_user \ gpg --keyserver "$KEYSERVER" ${ANCHORFILE:+--keyserver-options "ca-cert-file=$ANCHORFILE"} --send-keys "0x${keyID}!" # remove the tmp file -- 2.19.1
From 435f978ac7815b10eae87c82aa7198d6833c4857 Mon Sep 17 00:00:00 2001 From: Sunil Mohan Adapa <[email protected]> Date: Sat, 27 Oct 2018 11:00:04 -0700 Subject: [PATCH] debian: Remove shell for monkeysphere user Monkeysphere now uses 'runuser' instead of 'su' to perform operation using the monkeysphere user. 'runuser' works when there is no shell for the user. When freshly installing, create a monkeysphere user without a shell. If the monkeysphere user is already present on the system the shell for that user must be removed. Closes #901489. --- debian/monkeysphere.postinst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/monkeysphere.postinst b/debian/monkeysphere.postinst index 8c6a555..a140ab2 100755 --- a/debian/monkeysphere.postinst +++ b/debian/monkeysphere.postinst @@ -16,9 +16,10 @@ case $1 in echo "adding monkeysphere user..." adduser --quiet --system --no-create-home --group \ --home "$VARLIB" \ - --shell '/bin/bash' \ --gecos 'monkeysphere authentication user,,,' \ monkeysphere + else + usermod --shell /usr/sbin/nologin monkeysphere fi # try all available transitions: @@ -29,7 +30,6 @@ case $1 in exit $RET } done - # setup monkeysphere authentication monkeysphere-authentication setup -- 2.19.1
signature.asc
Description: OpenPGP digital signature

