You are not logged in.

#1 2009-01-28 12:39:05

naguz
Member
Registered: 2008-11-05
Posts: 95

Shaman doesn't ask for root password. But gets root privileges!!

As the title says:
Shaman is launched as a reguler user, never asks for root password, but still i able to install and uninstall packages.
Either something in my system is seriously fucked, or there is a major securiy problem with shaman.

Running openbox, installed shaman while running gnome, if that has anythiung to say. Sudo is not installed.

Output from running shaman in terminal:

[gert@flyktig ~]$ shaman

This process is currently running setuid or setgid.
GTK+ does not allow this therefore Qt cannot use the GTK+ integration.
Try launching your app using 'gksudo', 'kdesudo' or a similar tool.

See http://www.gtk.org/setuid.html for more information.

Translations are enabled. 
Loading translations from "/usr/share/shaman/translations/" 
Parsing  "core" 
Parser exited 
Parsing  "extra" 
Parser exited 
Parsing  "community" 
Parser exited 
Parser exited 
Log File should be: "" 
"core" ---> "http://mirror.archlinux.no/core/os/i686" 
"extra" ---> "http://mirror.archlinux.no/extra/os/i686" 
"community" ---> "http://mirror.archlinux.no/community/os/i686" 
Root privileges retired. 
"/home/gert/.config/shaman/shaman.conf" 
>> 
>>        Shaman 1.0.9 
>>        Compiled against Qt 4.4.1 
>>        Running with Qt 4.4.3 
>> 
>>    Our website is @ http://shaman.iskrembilen.com/ , join in!! 
>>    You can also find a bugtracker in the website, please use it. 
>>  
>>    Have you found a bug? Help us solving it faster! Please read 
>>    http://shaman.iskrembilen.com/trac/wiki/Debugging_Shaman 
>>    and please follow these steps to report bugs effectively! 
>> 
>>    Starting Up Shaman... 
 
User agent is: "shaman/1.0.9 (Linux i686) libalpm/3.1.1" 
Shaman registered on the System Bus as ":1.51" 
Service org.archlinux.shaman successfully exported on the System Bus. 
--> UNSETENV HTTP_PROXY 
--> UNSETENV FTP_PROXY 
Populating Repo column 
Log file is: /var/log/pacman.log 
refinePkgView 
The left TextBox is over, let's do the ComboBox 
Show all packages 
Remove Package 
"Uninstall package: alunn" 
"alunn" 
"community" 
Process Queue 
Queue Dialog started 
Queue signals connected 
Starting Package Removal 
Root Privileges granted. 
Uid is: 1000 
Received Event Callback 
Alpm Thread Waiting. 
Entering Queue Lock 
Releasing Queue Lock 
Alpm Thread awake. 
Received Event Callback 
Alpm Thread Waiting. 
Entering Queue Lock 
Releasing Queue Lock 
Alpm Thread awake. 
Received Event Callback 
Alpm Thread Waiting. 
Entering Queue Lock 
No scriptlet for package  alunn 
Releasing Queue Lock 
Alpm Thread awake. 
Received Event Callback 
Alpm Thread Waiting. 
Entering Queue Lock 
No scriptlet for package  alunn 
Releasing Queue Lock 
Alpm Thread awake. 
/sbin/ldconfig: Can't create temporary cache file /etc/ld.so.cache~: Ikke tilgang
Root privileges retired. 
Transaction Completed Successfully 
refinePkgView 
refinePkgView 
The left TextBox is over, let's do the ComboBox 
Show all packages 
[gert@flyktig ~]$

Offline

#2 2009-01-28 12:45:17

Cerebral
Forum Fellow
From: Waterloo, ON, CA
Registered: 2005-04-08
Posts: 3,108
Website

Re: Shaman doesn't ask for root password. But gets root privileges!!

Perhaps you should follow the link given when you launch it:

$ shaman

This process is currently running setuid or setgid.
GTK+ does not allow this therefore Qt cannot use the GTK+ integration.
Try launching your app using 'gksudo', 'kdesudo' or a similar tool.

See http://www.gtk.org/setuid.html for more information.

http://en.wikipedia.org/wiki/Setuid

The program's probably running setuid root.

-edit- Hm, it also seems to grab and drop root privelages as it sees fit:

Root Privileges granted. 
Uid is: 1000 
<...do a bunch of stuff...>
/sbin/ldconfig: Can't create temporary cache file /etc/ld.so.cache~: Ikke tilgang
Root privileges retired.

Offline

#3 2009-01-28 12:50:10

whompus
Member
From: Durham. UK
Registered: 2005-08-09
Posts: 245

Re: Shaman doesn't ask for root password. But gets root privileges!!

When I first ran shaman there was a check box to not ask for the password again, did you have/leave this enabled?

Offline

#4 2009-01-28 12:50:24

Allan
Developer
From: Brisbane, AU
Registered: 2007-06-09
Posts: 10,361
Website

Re: Shaman doesn't ask for root password. But gets root privileges!!

My bet is that you save your root password when using it earlier...  Remove the shaman config directory (something line ~/.shaman or ~/.config/shaman) and you should start getting asked again.

Offline

#5 2009-01-28 12:53:05

naguz
Member
Registered: 2008-11-05
Posts: 95

Re: Shaman doesn't ask for root password. But gets root privileges!!

This process is currently running setuid or setgid.
GTK+ does not allow this therefore Qt cannot use the GTK+ integration.
Try launching your app using 'gksudo', 'kdesudo' or a similar tool.

The way I read this, it says it runs setuid, but GTK+ doesn't allow it, therefore it does not work. And because of this, it wants me to run it with gksu.

But I guess you are right, and this is not a bug, but a seriously flawed feature. By making an appropriate package and installing it with shaman, couldn't any user to take full control of the system quite easily?

If I change the permissions of the shaman executable so it cannot be run by normal users, i guess the problem (a it is in my eyes), solved?

I will try deleting the config file later. Pretty sure i have not ticked that box before. But maybe I did wen I installed under kdemod, oif the config file was kept after uninstall.

Last edited by naguz (2009-01-28 12:54:20)

Offline

#6 2009-01-28 16:46:42

naguz
Member
Registered: 2008-11-05
Posts: 95

Re: Shaman doesn't ask for root password. But gets root privileges!!

I deleted the config file, and then it asked for a password.
I had
[auth]
askforpwd=false
in it, so I guess the config-file from a previous install.

But then I deleted the config-file again, and ran a pacman -Rsn shaman. Installed shaman again. Then I put in the
[auth]
askforpwd=false
in the ~/.config/shaman/shaman.conf-file.

And it did not ask for a password. I must admit, if any user can just modify his shaman.config-file to run it with setuid root, without ever entering the root-password, it seems a bit unsecure. As I would think the shaman developers has a bit more knowledge in this field than me, I guess there is something I am missing?

Offline

#7 2009-01-28 17:47:37

whompus
Member
From: Durham. UK
Registered: 2005-08-09
Posts: 245

Re: Shaman doesn't ask for root password. But gets root privileges!!

Did you allow enough time for the password to expire before modifying the config file, I think the password is similar to sudo and stays in memory for 5 minutes.

Offline

#8 2009-01-29 19:46:33

naguz
Member
Registered: 2008-11-05
Posts: 95

Re: Shaman doesn't ask for root password. But gets root privileges!!

Uninstalled shaman yesterday, and deleted the shaman-folder under ~/.config.
Installed shaman again today. Started it up, and exited it, without entering any password. (Just to create a new and fresh shaman.conf file.)
Added the following two lines to the shaman.conf-file:
[auth]
askforpwd=false
and started shaman again. Never asked for a password, but installed packages without problems.

Tested with a test user account I have as well. 99% sure that user have never used shaman, ever. No shaman-folder in the .config folder either. Adding the two same lines worked there as well. Would be nice if anyone who haven't yet installed shaman on their system could try ad see if it worked for them as well.

Last edited by naguz (2009-01-29 20:00:44)

Offline

#9 2009-01-29 19:59:17

mandog
Member
From: Peru
Registered: 2008-09-17
Posts: 202

Re: Shaman doesn't ask for root password. But gets root privileges!!

askforpwd=false
that to me is wrong surely it should be 'askforpwd=true'


I'm dyslexic Please do not complain about puntuation or spelling and remember most dyslexic people have above average iq.

Offline

#10 2009-01-29 20:03:07

naguz
Member
Registered: 2008-11-05
Posts: 95

Re: Shaman doesn't ask for root password. But gets root privileges!!

mandog wrote:

askforpwd=false
that to me is wrong surely it should be 'askforpwd=true'

Yes, that is true. However, as any user can change his own shaman.conf-file, relying on that file to to deny users root-privileges wouldn't be a very good solution, would it?

Offline

#11 2009-01-30 14:11:07

whompus
Member
From: Durham. UK
Registered: 2005-08-09
Posts: 245

Re: Shaman doesn't ask for root password. But gets root privileges!!

Don't you still need the root password initially and if the user does not know it the the password will not be saved.
Maybe you should bring this up on the Chakra forum where drf the shaman developer can answer better.

Offline

#12 2009-01-30 15:28:09

Mr.Elendig
#archlinux@freenode channel op
From: The intertubes
Registered: 2004-11-07
Posts: 3,714

Re: Shaman doesn't ask for root password. But gets root privileges!!

Do you have sudo installed and set up for the user in question?


Evil #archlinux@freenode channel op and general support dude.
. files on github, Screenshots, Random pics and the rest

Offline

#13 2009-01-30 15:53:07

naguz
Member
Registered: 2008-11-05
Posts: 95

Re: Shaman doesn't ask for root password. But gets root privileges!!

whompus wrote:

Don't you still need the root password initially and if the user does not know it the the password will not be saved.
Maybe you should bring this up on the Chakra forum where drf the shaman developer can answer better.

No, tried with a new user account. It never had to enter a password at all. Just had to include the two lines in questipon to the users .config file.
Link to Chakra forum?

@Mr:Elendig: No. Not installed at all.

Offline

#14 2009-01-30 16:53:58

whompus
Member
From: Durham. UK
Registered: 2005-08-09
Posts: 245

Re: Shaman doesn't ask for root password. But gets root privileges!!

Offline

#15 2009-01-30 17:04:15

toad
Member
From: if only I knew
Registered: 2008-12-22
Posts: 1,775
Website

Re: Shaman doesn't ask for root password. But gets root privileges!!

@naguz

Where did you get those two lines from? Was it a little bird or were you told to blast them out into the open? afaik very few people were privvy to them prior to your post.

I don't get the rather sensational "headline" when the content of these two lines are rather self explanatory...

Whatever, hopefully they will not be needed any more for the next shaman.

Last edited by toad (2009-01-30 17:13:19)


never trust a toad...
::Grateful ArchDonor::
::Grateful Wikipedia Donor::

Offline

#16 2009-01-30 17:54:46

drf
Member
From: Milano, Italy
Registered: 2008-01-13
Posts: 113

Re: Shaman doesn't ask for root password. But gets root privileges!!

Exact. Those lines were meant for people having problems with that awful X+PAM bug I couldn't get over. By the way, with the next version Shaman will use policykit and will drop suid

Offline

#17 2009-01-30 19:46:10

naguz
Member
Registered: 2008-11-05
Posts: 95

Re: Shaman doesn't ask for root password. But gets root privileges!!

toad wrote:

@naguz

Where did you get those two lines from? Was it a little bird or were you told to blast them out into the open? afaik very few people were privvy to them prior to your post.

I don't get the rather sensational "headline" when the content of these two lines are rather self explanatory...

Whatever, hopefully they will not be needed any more for the next shaman.

The topic title was a result of my brain thinking "wtf is going on?" The two lines came from the .config-file from a user account whuch had opted to remember the password in Shaman.

If a program allows any user to become root simply by editing a config file in his/her own home folder, I find that to be a pretty major security hole. But hey, maybe thats just me.

Offline

#18 2009-01-30 20:10:28

Duologic
Member
From: Belgium
Registered: 2007-11-11
Posts: 249

Re: Shaman doesn't ask for root password. But gets root privileges!!

maybe check if the executable is owned by root, if so run

chmod -s /path/to/bin/shaman

'man chmod' says:

set user or group ID on execution (s)

Offline

#19 2009-05-01 11:43:33

naguz
Member
Registered: 2008-11-05
Posts: 95

Re: Shaman doesn't ask for root password. But gets root privileges!!

I would assume it is owned by root, as it uses setuuid root afaik.

People obviously don't care that any user can install or uninstall packages with shaman without knowing the root password, being in the wheel group etc., so i just uninstalled shaman (slow piece of software anyway) on the one machine others have access too, and decided its not my problem. Answered a bug report today @chakra which actually had gotten a reply after several months, so maybe it will get fixed, maybe not. Made me remember this thread too. Don't know why I felt the need to post here though. tongue

I guess pretty few people installs shaman on multi-user machines anyway, as they are usually centrally managed and updated, and thats why noone thinks its a big deal.

Offline

#20 2009-05-01 19:50:20

Primoz
Member
From: Ljubljana-Slovena-EU
Registered: 2009-03-04
Posts: 658

Re: Shaman doesn't ask for root password. But gets root privileges!!

It's a feature not a bug; AFAIK.
Shaman asks you if you want it to remember the root password and if you choose yes it won't ask for root password again.
I personally have no problem with that.


Arch x86_64 ATI AMD APU KDE frameworks 5
---------------------------------
Whatever I do, I always end up with something horribly mis-configured.

Offline

#21 2009-05-01 21:20:07

naguz
Member
Registered: 2008-11-05
Posts: 95

Re: Shaman doesn't ask for root password. But gets root privileges!!

The point of this thread was that you don't need to enter the root password at all. Not the first time, not ever.

As far as I understand, it is supposed to work like this: When you first use shaman too install anything, it asks for the root password You can tick a "Do not ask me again"-box, so you don't have to enter the password again. If you tick the box and enter the password, shaman add the lines
[auth]
askforpwd=false
to the users shaman.conf-file (~./config/shaman/shaman.conf) The next time shaman is run, it checks the config file, and if the askforpwd value is set to false, it grants itself root privileges (with some nifty setuuid root-thingy, I imagine) This is not the problem - this is the feature.

The bug is this:
the fact that any user can add the lines
[auth]
askforpwd=false
to his own shaman.conf file, without ever entering the root password in shaman. The next time shaman is run, it checks the config file, and if the askforpwd value is set to false, it grants itself root privileges - even though the user has never entered the root password.
This works for any unprivileged user on the system.

If that is indeed a feature intended by any sane person, then I'm Mother Mary. And that can't be, seeing as I don't have breasts.

Offline

#22 2009-05-01 21:31:43

toad
Member
From: if only I knew
Registered: 2008-12-22
Posts: 1,775
Website

Re: Shaman doesn't ask for root password. But gets root privileges!!

Wow, this still going? Cool. Have you tried again recently, naguz, or has it been fixed yet? afaik you are both right: it is a feature to overcome a bug smile

I wouldn't know how to do it, but suppose you had a shaman group or some such? Similar to vboxusers...

I don't really use it anymore for installing, but it still sits in the intray as a timely alert for impending Syus. I use it less for searching now than I used to.


never trust a toad...
::Grateful ArchDonor::
::Grateful Wikipedia Donor::

Offline

#23 2009-05-01 21:43:42

MoonSwan
Member
From: Great White North
Registered: 2008-01-23
Posts: 873

Re: Shaman doesn't ask for root password. But gets root privileges!!

drf wrote:

Exact. Those lines were meant for people having problems with that awful X+PAM bug I couldn't get over. By the way, with the next version Shaman will use policykit and will drop suid

Thats why that option exists, nothing more.


I'm torn apart between worlds. Basically, using vim in a highly visual environment with a lot of mouse features feels like soldering a lose wire to a motherboard with a Zippo and a needle, while working with ANY TEXT AT ALL with a "modern GUI" text editor feels like joining the London Philharmonic Orchestra with a Fisher-Price Laugh and Learn Magical Musical Mirror.  --Awebb

Offline

#24 2009-05-01 22:44:16

naguz
Member
Registered: 2008-11-05
Posts: 95

Re: Shaman doesn't ask for root password. But gets root privileges!!

toad wrote:

Wow, this still going? Cool. Have you tried again recently, naguz, or has it been fixed yet? afaik you are both right: it is a feature to overcome a bug smile

I wouldn't know how to do it, but suppose you had a shaman group or some such? Similar to vboxusers...

Nah, not fixed yet. Tested it today (or yesterday by 40mins) before posting. Newly created, unprivileged user 'Pete' was able to modify his shaman.conf file and install packages easy as pie.

Not usre what you are referring to by "shaman group", no group membership needed to do this.

It it is indeed intentional, then the 'sane person' part of my statement obviously fails. Couldnt it have been fixed much easier with a file with allowed users, only writeable by root? Why put in every users .config-dir? o.O

Offline

#25 2009-05-02 07:16:29

toad
Member
From: if only I knew
Registered: 2008-12-22
Posts: 1,775
Website

Re: Shaman doesn't ask for root password. But gets root privileges!!

naguz wrote:

Not usre what you are referring to by "shaman group", no group membership needed to do this... ... Couldnt it have been fixed much easier with a file with allowed users, only writeable by root? Why put in every users .config-dir? o.O

That is exactly what I meant smile


never trust a toad...
::Grateful ArchDonor::
::Grateful Wikipedia Donor::

Offline

Board footer

Powered by FluxBB