How to run program as another user - and permanently dropping current user privileges?

Stuart Jansen sjansen at buscaluz.org
Fri Feb 23 20:00:13 MST 2007


On Fri, 2007-02-23 at 19:26 -0700, Kenneth Burgener wrote:
> The closest command I have found would be running something like "su
> <user> -c <command>" which runs the command as the specified user, but
> when the command exits, I am still user root.  I fear that it could be
> hacked and taken advantage of.
> 
> Is this the correct way to do this?

Well, let's think about what's happening.

1) Your first script is running as root, normally in a forked shell
instance just for the script.
2) Your script reaches the su statement, fork()s then exec()s su. The su
instance retains root privilege.
3) The su instance fork()s to create a child.
3.a) Because you are careful, you tell su to start a login shell. (su -l
<user> -c <command>)
3.b) Because you are paranoid, you tell su to start a restricted shell.
(su -l <user> -c "bash -r <command>")
3.c) Because you are really paranoid, you run the su command in a
chroot. (chroot /mnt/jail su -l <user> -c "bash -r <command>")
4) The su child drops root privileges and exec()s the command.
5) The child process is going to have to use an exploit to get root
privileges back. (Like any local user.)
6) The child finishes running without ever having root access.
7) The su instance cleans up after its child then stops running. The
only information that came back from the child is a return code, not
easy to exploit.
8) We return to the parent script which you apparently trust.

There isn't much danger of the child script getting root access. The
real danger is information disclosure. Forgetting to scrub environmental
variables, closing file handles, etc. Using raw setuid() doesn't solve
any of that. Re-using tools already widely used means you can piggy back
on someone else that hopefully got it right.

In fewer words, using su should be fine. If you're worried su isn't
secure enough, performing a code audit shouldn't be too hard.

-- 
Stuart Jansen              e-mail/jabber: sjansen at buscaluz.org
                           google talk:   stuart.jansen at gmail.com

"However beautiful the strategy, you should occasionally look at 
the results." -- Winston Churchill
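The eight-step sequence above (fork, drop privileges in the child, exec, parent keeps root) done by hand, as an added example that is not part of Stuart's message and not su's code. It assumes Linux and Python 3, and constructs a marker variable SECRET_FROM_ROOT purely to show the environment-scrubbing point: the child gets a minimal environment and no inherited file descriptors, and the drop is verified to be irreversible before exec(). When run without root it can only "switch" to the calling user, which is enough to exercise the checks.

```python
import os
import pwd
import subprocess


def scrubbed_env(username):
    """Build a minimal environment for the child instead of inheriting root's.

    This is what `su -l` does for a login shell: nothing root happened to set
    (LD_PRELOAD, a secret parked in a variable, ...) reaches the child.
    """
    pw = pwd.getpwnam(username)
    return {
        "PATH": "/usr/local/bin:/usr/bin:/bin",
        "HOME": pw.pw_dir,
        "USER": pw.pw_name,
        "LOGNAME": pw.pw_name,
        "SHELL": pw.pw_shell or "/bin/sh",
    }


def drop_privileges_to(pw):
    """Runs in the child between fork() and exec(): the irreversible drop.

    Order matters: supplementary groups and gid first (they need root), uid
    last. setuid() called as root changes real, effective and saved uid, so
    no saved root uid remains to seteuid() back to.
    """
    if os.geteuid() == 0:
        os.initgroups(pw.pw_name, pw.pw_gid)
        os.setgid(pw.pw_gid)
        os.setuid(pw.pw_uid)
    elif os.getuid() != pw.pw_uid:
        raise PermissionError("not root: cannot switch to another user")
    # Prove the drop is permanent, which is what su's child relies on.
    if pw.pw_uid != 0:
        try:
            os.setuid(0)
        except PermissionError:
            return
        raise RuntimeError("privileges were not permanently dropped")


def run_as_user(username, argv):
    """fork(), drop privileges in the child, exec() argv; the parent keeps its uid.

    close_fds=True (the Python 3 default, spelled out here) keeps root's open
    file descriptors out of the child, the other disclosure channel the text
    warns about.  Only the exit status comes back.
    """
    pw = pwd.getpwnam(username)
    proc = subprocess.run(
        argv,
        preexec_fn=lambda: drop_privileges_to(pw),
        env=scrubbed_env(username),
        close_fds=True,
        cwd=pw.pw_dir if os.path.isdir(pw.pw_dir) else "/",
    )
    return {"returncode": proc.returncode, "parent_uid_after": os.getuid()}


def current_user():
    """(uid, name) of the calling process, so the demo can target itself when not root."""
    pw = pwd.getpwuid(os.getuid())
    return pw.pw_uid, pw.pw_name


def child_sees_secret(username):
    """Plant a constructed marker in our own environment; does the child inherit it?"""
    os.environ["SECRET_FROM_ROOT"] = "hunter2"  # constructed marker, not a real secret
    result = run_as_user(username, ["/bin/sh", "-c", 'test -n "$SECRET_FROM_ROOT"'])
    return result["returncode"] == 0


if __name__ == "__main__":
    uid, name = current_user()
    print("child exit status:", run_as_user(name, ["id"])["returncode"])
    print("child inherited parent's secret:", child_sees_secret(name))
    print("parent uid after child exited:", os.getuid())
```

Run it as root with a real target user name in place of current_user() to see the full switch; the preexec_fn raising RuntimeError would abort the exec() rather than run the command half-privileged.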