Subject: Re: perms of /sbin/dump
To: None <netbsd-help@netbsd.org>
From: Wenchi Liao <wliao@midway.uchicago.edu>
List: netbsd-help
Date: 06/28/1999 13:54:30

Manuel Bouyer wrote:
>On Mon, Jun 28, 1999 at 11:04:04AM -0500, Wenchi Liao wrote:
>> The disk devices are owner and group readable
>> 
>>     # ls -l /dev/rwd0a 
>>     crw-r-----  1 root  operator  3, 0 Jun  8 04:31 /dev/rwd0a
>> 
>> while /sbin/dump is
>> 
>>     -r-xr-sr-x  2 root  tty  241664 May  7 13:08 /sbin/dump
>> 
>> So: unless the dumper is root, doesn't the g+s keep a
>> legitimate user (belonging to operator group) from making
>> dumps?
>
>No, the process started still belongs to group operator, so it should work.
>At least it does in 1.3.3.

Hm. So here's a little experiment I ran. Basically, I'm
trying to see if I can read/write to /etc/dumpdates.
/etc/dumpdates is og+rw, and I make the executable g+s or
u+s.

My goal is for a slightly privileged user to be able to read/write
to /etc/dumpdates, and able to read from raw disk devices by changing
the permissions as little as possible.

$ cat test.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strerror() */

#include <sys/types.h>
#include <errno.h>
#include <unistd.h>

int main()
{
  /* Ask whether /etc/dumpdates is readable and writable. */
  if( access( "/etc/dumpdates", R_OK|W_OK ) == -1  ) {
   printf( "Can not read/write: %s\n", strerror( errno ));
  } else {
    printf( "Can read/write\n" );
  }

  /* Ask whether /etc/dumpdates is readable. */
  if( access( "/etc/dumpdates", R_OK ) == -1 ) {
    printf( "Cannot read: %s\n", strerror( errno ));
  } else {
    printf( "Can read\n" );
  }

  /* Print the real and effective group and user IDs of this process. */
  printf( "gid is %d\n", getgid());
  printf( "egid is %d\n", getegid());
  printf( "uid is %d\n", getuid());
  printf( "euid is %d\n", geteuid());
  return 0;
}
$ gcc -g test.c
$ ls -l /etc/dumpdates 
-rw-rw----  1 root  operator  2 Jun 25 11:22 /etc/dumpdates
$ ls -l a.out 
-rwxr-xr-x  1 wliao  wheel  12564 Jun 28 12:50 a.out*
$ ./a.out 
Can not read/write: Permission denied
Cannot read: Permission denied
gid is 3418
egid is 3418
uid is 3418
euid is 3418
$ id
uid=3418(wliao) gid=3418 groups=3418, 0(wheel)

[root stuff]

$ ls -l a.out 
-rwxr-sr-x  1 wliao  operator  12564 Jun 28 12:50 a.out*
$ ./a.out 
Can not read/write: Permission denied
Cannot read: Permission denied
gid is 3418
egid is 5
uid is 3418
euid is 3418

[root stuff]

$ ls -l a.out 
-rwsr-xr-x  1 root  3418  12564 Jun 28 12:50 a.out*
$ ./a.out 
Can not read/write: Permission denied
Cannot read: Permission denied
gid is 3418
egid is 3418
uid is 3418
euid is 0
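
Added example, not part of the original post: access(2) is defined to check permissions with the real uid and gid, while open(2) is checked against the effective ones, so a test program for set-id bits should report both. The helper names `probe_path` and `ids_differ` are made up for this example, and it assumes a system that provides POSIX.1-2008 `faccessat()` with `AT_EACCESS`.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for faccessat() and AT_EACCESS */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Each field is 0 if read/write was allowed, otherwise the errno value. */
struct probe { int real_ids; int effective_ids; int opened; };

/* Nonzero when a set-id bit (or a set*id call) made real and effective IDs differ. */
int ids_differ(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

/* Hypothetical helper: ask the same read/write question three ways. */
struct probe probe_path(const char *path) {
    struct probe p;
    int fd;

    /* access(2) answers for the REAL uid/gid: "could the invoking user do this?" */
    p.real_ids = access(path, R_OK | W_OK) == 0 ? 0 : errno;

    /* AT_EACCESS asks the same question for the EFFECTIVE uid/gid. */
    p.effective_ids =
        faccessat(AT_FDCWD, path, R_OK | W_OK, AT_EACCESS) == 0 ? 0 : errno;

    /* open(2) is checked against the effective IDs. No O_CREAT or O_TRUNC,
       so the file is neither created nor modified. */
    fd = open(path, O_RDWR);
    p.opened = fd == -1 ? errno : 0;
    if (fd != -1) close(fd);
    return p;
}

int main(int argc, char **argv) {
    /* Default path is the one from the post; pass another as argv[1]. */
    const char *path = argc > 1 ? argv[1] : "/etc/dumpdates";
    struct probe p = probe_path(path);

    printf("real != effective ids:  %s\n", ids_differ() ? "yes" : "no");
    printf("access():               %s\n", p.real_ids ? strerror(p.real_ids) : "allowed");
    printf("faccessat(AT_EACCESS):  %s\n", p.effective_ids ? strerror(p.effective_ids) : "allowed");
    printf("open(O_RDWR):           %s\n", p.opened ? strerror(p.opened) : "allowed");
    return 0;
}
```

When the binary carries a set-id bit, a difference between the `access()` line and the other two lines shows which set of IDs each call consulted.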