On Monday 29 October 2018 11:50 AM, Sunil Mohan Adapa wrote:
[...]
> 
> I agree that it is better to not expose the environment to runuser. I
> will make the change to use 'env' instead.

Attached the patches do this with /usr/bin/env (better to have full
path?). I have retested all invocations again.

> 
> A bigger concern should be to scrub all environment from the parent root
> user process except for the values that need to be passed down.
> Unfortunately, this is an issue equally problematic in the earlier and
> proposed code.
> 
> # TESTVAR1='test' su -s /bin/bash -c 'set' |grep TESTVAR
> TESTVAR1=test
> 
> # TESTVAR1='test' runuser -u monkeysphere -- bash -c set |grep TESTVAR
> TESTVAR1=test
> 
> I will try to scrub the environment using 'env -i' and see if that
> introduces any breakages.

I tried this and it looks like this requires more changes and time which
I currently am short on. So, I am not proposing 'env -i' at this time.

[...]
> 
> I belive this is because I have libpam-tmpdir installed on my test VM
> (FreedomBox). I will test my next patch without this.

I confirm that I no longer see problems with TMPDIR after removing
libpam-tmpdir from the system.

Thanks,

-- 
Sunil
From 50df0dca1a247be52c17ef5e71e11b73ea03eb0a Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa <[email protected]>
Date: Thu, 25 Oct 2018 14:43:57 -0700
Subject: [PATCH] Use runuser instead of su

On systems with restricted PAM security, it may not possible to use su.
---
 src/monkeysphere-authentication |  6 +++---
 src/monkeysphere-host           |  2 +-
 src/share/common                | 20 +++++++-------------
 src/share/ma/add_certifier      |  2 +-
 src/share/ma/update_users       |  5 +++--
 src/share/mh/add_revoker        | 10 +++++-----
 src/share/mh/publish_key        |  4 ++--
 7 files changed, 22 insertions(+), 27 deletions(-)

diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication
index b3eb1e6..8d6bee0 100755
--- a/src/monkeysphere-authentication
+++ b/src/monkeysphere-authentication
@@ -81,11 +81,11 @@ gpg_sphere() {
     GNUPGHOME="$GNUPGHOME_SPHERE"
     export GNUPGHOME
  
-    su_monkeysphere_user gpg --fixed-list-mode --no-greeting --quiet --no-tty "$@"
+    run_as_monkeysphere_user gpg --fixed-list-mode --no-greeting --quiet --no-tty "$@"
 }
 
 check_openpgp2ssh_sanity() {
-    if [[ `su_monkeysphere_user openpgp2ssh ABC &>/dev/null || echo $?` != "255" ]]; then
+    if [[ `run_as_monkeysphere_user openpgp2ssh ABC &>/dev/null || echo $?` != "255" ]]; then
         echo "openpgp2ssh command gives unexpected return code. This can lead to a scenario where no authorized keys are populated, even though they are otherwise valid. Aborting!" 
         exit 1
     fi; 
@@ -137,7 +137,7 @@ GNUPGHOME_SPHERE=${MONKEYSPHERE_GNUPGHOME_SPHERE:="${MADATADIR}/sphere"}
 CORE_KEYLENGTH=${MONKEYSPHERE_CORE_KEYLENGTH:="2048"}
 LOG_PREFIX=${MONKEYSPHERE_LOG_PREFIX:='ms: '}
 
-# export variables needed in su invocation
+# export variables needed for invoking command under monkeysphere user
 export DATE
 export LOG_LEVEL
 export KEYSERVER
diff --git a/src/monkeysphere-host b/src/monkeysphere-host
index 75895e9..089c2b6 100755
--- a/src/monkeysphere-host
+++ b/src/monkeysphere-host
@@ -360,7 +360,7 @@ PROMPT=${MONKEYSPHERE_PROMPT:=$PROMPT}
 GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${MHDATADIR}"}
 LOG_PREFIX=${MONKEYSPHERE_LOG_PREFIX:='ms: '}
 
-# export variables needed in su invocation
+# export variables needed for invoking command under monkeysphere user
 export DATE
 export LOG_LEVEL
 export KEYSERVER
diff --git a/src/share/common b/src/share/common
index 80ae88a..cccdaaa 100644
--- a/src/share/common
+++ b/src/share/common
@@ -93,20 +93,14 @@ log() {
 }
 
 # run command as monkeysphere user
-su_monkeysphere_user() {
+run_as_monkeysphere_user() {
     # our main goal here is to run the given command as the the
     # monkeysphere user, but without prompting for any sort of
     # authentication.  If this is not possible, we should just fail.
-
-    # FIXME: our current implementation is overly restrictive, because
-    # there may be some su PAM configurations that would allow su
-    # "$MONKEYSPHERE_USER" -c "$@" to Just Work without prompting,
-    # allowing specific users to invoke commands which make use of
-    # this user.
-
-    # chpst (from runit) would be nice to use, but we don't want to
-    # introduce an extra dependency just for this.  This may be a
-    # candidate for re-factoring if we switch implementation languages.
+    #
+    # A simple command and its arguments are expected.  Shell
+    # expressions are not supported.  If they are required, they may
+    # be executed with 'bash -c "<EXPR>"'.
 
     case $(id -un) in
 	# if monkeysphere user, run the command as a subshell
@@ -114,10 +108,10 @@ su_monkeysphere_user() {
 	    ( "$@" )
 	    ;;
 
-         # if root, su command as monkeysphere user
+         # if root, run command as monkeysphere user
 	'root')
             # requote arguments using bash builtin feature (see "help printf"):
-	    su "$MONKEYSPHERE_USER" -s "$(which bash)" -c "$(printf "%q " "$@")"
+	    runuser -u "$MONKEYSPHERE_USER" -- "$@"
 	    ;;
 
 	# otherwise, fail
diff --git a/src/share/ma/add_certifier b/src/share/ma/add_certifier
index 05f4b44..bd9885c 100644
--- a/src/share/ma/add_certifier
+++ b/src/share/ma/add_certifier
@@ -100,7 +100,7 @@ if [ -f "$keyID" -o "$keyID" = '-' ] ; then
 
     # check the key is ok as monkeysphere user before loading
     log debug "checking keys in file..."
-    fingerprint=$(su_monkeysphere_user \
+    fingerprint=$(run_as_monkeysphere_user \
 	bash -c "$(printf ". %q && list_primary_fingerprints" "${SYSSHAREDIR}/common")" < "$keyID")
 
     if [ $(printf "%s" "$fingerprint" | egrep -c '^[A-F0-9]{40}$') -ne 1 ] ; then
diff --git a/src/share/ma/update_users b/src/share/ma/update_users
index a0ec21b..4ce0281 100644
--- a/src/share/ma/update_users
+++ b/src/share/ma/update_users
@@ -78,8 +78,9 @@ for uname in $unames ; do
 	    log verbose "processing authorized_user_ids..."
 
 	    # process authorized_user_ids file, as monkeysphere user
-	    su_monkeysphere_user \
-		/usr/bin/env "STRICT_MODES=$STRICT_MODES" bash -c "$(printf ". %q && process_authorized_user_ids -" "${SYSSHAREDIR}/common")"\
+	    run_as_monkeysphere_user \
+		/usr/bin/env STRICT_MODES="$STRICT_MODES" \
+		bash -c "$(printf ". %q && process_authorized_user_ids -" "${SYSSHAREDIR}/common")"\
 		< "$authorizedUserIDs" \
 		> "$tmpAuthorizedKeys"
 
diff --git a/src/share/mh/add_revoker b/src/share/mh/add_revoker
index 7fafabd..34ecdb9 100644
--- a/src/share/mh/add_revoker
+++ b/src/share/mh/add_revoker
@@ -51,7 +51,7 @@ if [ -f "$revokerKeyID" -o "$revokerKeyID" = '-' ] ; then
 
     # check the key is ok as monkeysphere user before loading
     log debug "checking keys in file..."
-    fingerprint=$(su_monkeysphere_user \
+    fingerprint=$(run_as_monkeysphere_user \
 	bash -c "$(printf ". %q && list_primary_fingerprints" "${SYSSHAREDIR}/common")" < "$revokerKeyID")
 
     if [ $(printf "%s" "$fingerprint" | egrep -c '^[A-F0-9]{40}$') -ne 1 ] ; then
@@ -71,12 +71,12 @@ else
 
     # download the key from the keyserver as the monkeysphere user
     log verbose "searching keyserver $KEYSERVER for revoker keyID $revokerKeyID..."
-    su_monkeysphere_user "GNUPGHOME=$tmpDir" gpg --quiet --keyserver "$KEYSERVER" --recv-key "0x${revokerKeyID}!" \
+    run_as_monkeysphere_user /usr/bin/env GNUPGHOME="$tmpDir" gpg --quiet --keyserver "$KEYSERVER" --recv-key "0x${revokerKeyID}!" \
 	|| failure "Could not receive a key with this ID from keyserver '$KEYSERVER'."
 
     # get the full fingerprint of new revoker key
     log debug "getting fingerprint of revoker key..."
-    fingerprint=$(su_monkeysphere_user "GNUPGHOME=$tmpDir" gpg --list-key --with-colons --with-fingerprint "${revokerKeyID}" \
+    fingerprint=$(run_as_monkeysphere_user /usr/bin/env GNUPGHOME="$tmpDir" gpg --list-key --with-colons --with-fingerprint "${revokerKeyID}" \
 	| awk -F: '/^fpr:/{ if (ok) { print $10 }; ok=0 } /^pub:/{ ok=1 }')
 
     # test that there is only a single fingerprint
@@ -90,7 +90,7 @@ EOF
     fi
 
     log info "revoker key found:"
-    su_monkeysphere_user "GNUPGHOME=$tmpDir" gpg --fingerprint "0x${fingerprint}!"
+    run_as_monkeysphere_user /usr/bin/env GNUPGHOME="$tmpDir" gpg --fingerprint "0x${fingerprint}!"
 
     if [ "$PROMPT" = "true" ] ; then
 	printf "Are you sure you want to add the above key as a revoker\nof the key '$keyID'? (Y/n) " >&2
@@ -104,7 +104,7 @@ EOF
 
     # export the new key to the host keyring
     log debug "loading revoker key into host keyring..."
-    su_monkeysphere_user "GNUPGHOME=$tmpDir" gpg --quiet --export "0x${fingerprint}!" \
+    run_as_monkeysphere_user /usr/bin/env GNUPGHOME="$tmpDir" gpg --quiet --export "0x${fingerprint}!" \
 	| gpg_host --import
 fi
 
diff --git a/src/share/mh/publish_key b/src/share/mh/publish_key
index 6987a0a..affb5fb 100644
--- a/src/share/mh/publish_key
+++ b/src/share/mh/publish_key
@@ -45,7 +45,7 @@ cleanup() {
 trap cleanup EXIT
 
 # import the key into the tmp dir
-su_monkeysphere_user \
+run_as_monkeysphere_user \
     gpg --quiet --import <"$HOST_KEY_FILE"
 
 ANCHORFILE=""
@@ -58,7 +58,7 @@ done
 
 # publish key
 log debug "publishing key with the following gpg command line and options:"
-su_monkeysphere_user \
+run_as_monkeysphere_user \
     gpg --keyserver "$KEYSERVER" ${ANCHORFILE:+--keyserver-options "ca-cert-file=$ANCHORFILE"} --send-keys "0x${keyID}!"
 
 # remove the tmp file
-- 
2.19.1

From 435f978ac7815b10eae87c82aa7198d6833c4857 Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa <[email protected]>
Date: Sat, 27 Oct 2018 11:00:04 -0700
Subject: [PATCH] debian: Remove shell for monkeysphere user

Monkeysphere now uses 'runuser' instead of 'su' to perform operation using the
monkeysphere user. 'runuser' works when there is no shell for the user.

When freshly installing, create a monkeysphere user without a shell. If the
monkeysphere user is already present on the system the shell for that user must
be removed.

Closes #901489.
---
 debian/monkeysphere.postinst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/debian/monkeysphere.postinst b/debian/monkeysphere.postinst
index 8c6a555..a140ab2 100755
--- a/debian/monkeysphere.postinst
+++ b/debian/monkeysphere.postinst
@@ -16,9 +16,10 @@ case $1 in
 	    echo "adding monkeysphere user..."
 	    adduser --quiet --system --no-create-home --group \
 		--home "$VARLIB" \
-		--shell '/bin/bash' \
 		--gecos 'monkeysphere authentication user,,,' \
 		monkeysphere
+	else
+	    usermod --shell /usr/sbin/nologin monkeysphere
 	fi
 
 	# try all available transitions:
@@ -29,7 +30,6 @@ case $1 in
 		exit $RET
 	    }
 	done
-	    
 
 	# setup monkeysphere authentication
 	monkeysphere-authentication setup
-- 
2.19.1

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to