Shaman doesn't ask for root password. But gets root privileges!!

Allan · 2009-05-02 07:18:23

drf wrote:

Exact. Those lines were meant for people having problems with that awful X+PAM bug I couldn't get over. By the way, with the next version Shaman will use policykit and will drop suid

Just quoting this to remind people that this discussion is moot...

naguz · 2009-05-02 08:29:49

Aha, yup, it would make much more sense.
red: that was @ Toad.
@trd: If you had problems implementing ssh authorization in something, then you'd just turn it of for the sake of simplicity too?
Releasing an app with an intended critical flaw and not even throw in a warning...
I'm sure I would do that too. If I new how to code anything. And was in a drunken stupor. And stone as hell. And had a bad day on top of it.

Last edited by naguz (2009-05-02 15:41:08)

Primoz · 2009-05-02 16:15:16

naguz wrote:

The bug is this:
the fact that any user can add the lines
[auth]
askforpwd=false
to his own shaman.conf file, without ever entering the root password in shaman. The next time shaman is run, it checks the config file, and if the askforpwd value is set to false, it grants itself root privileges - even though the user has never entered the root password.
This works for any unprivileged user on the system.
If that is indeed a feature intended by any sane person, then I'm Mother Mary. And that can't be, seeing as I don't have breasts.

Well I have the same bug.
There are two shaman.conf files. one in /etc/dbus-1/system.d/ which is read-only and other in /home/primoz/.config/shaman which is read/write.
So technically I could edit this file frist time and grant me root privilege without giving root password.

You should report the bug at the http://www.chakra-project.org/bugs/ if you haven't allready (or I can isntead of you, but you kow best).

naguz · 2009-05-03 12:25:21

I have done it already bad bug report though, as usual when I file one. But you can vote&confirm here. Maybe it gets more attention then. But according to trd it is intended. Intending a bug is in my opinion not enough to call it a feature. Cause there really is not a question about it: this is a bug, and a big nasty one too.

Last edited by naguz (2009-05-03 12:27:12)

raf_kig · 2009-05-03 14:24:05

Wow, nicely done.
Takes about a minute to craft a package that will open a root shell for you and install it with shaman.

Now that's security taken seriously.

/e

for your convenience:
add

 
[auth]
askforpwd=false

to ~/.config/shaman/shaman.conf

download http://www.stud.uni-karlsruhe.de/~ugbog … pkg.tar.gz
open shaman, actions -> install package from file and point it to the downloaded file
run /bin/gimmeroot and enjoy a root shell :-0

regards

raf

Last edited by raf_kig (2009-05-03 14:31:06)

naguz · 2009-05-03 15:22:11

raf_kig wrote:

Wow, nicely done.
Now that's security taken seriously.

Yup, indeed. But "Hey, I didn't manage to do it the right way, so I did it in a really bad way instead." _o_ _o/ _o_ \o_ _o_ _o/ \o/

drf · 2009-05-04 22:22:06

naguz wrote:

raf_kig wrote:
Wow, nicely done.
Now that's security taken seriously.
Yup, indeed. But "Hey, I didn't manage to do it the right way, so I did it in a really bad way instead." _o_ _o/ _o_ \o_ _o_ _o/ \o/

Wow, you're so right. Obviously you can do it right. But hey... where's your patch? Where's some code? I guess well, yours are just words. So I'll try to be polite and don't say what you can do with them. And now, I repeat: I added that exploit INTENTIONALLY since PAM+X gets buggy on quite some systems. And now, security experts, listen to these words:

I don't see yet a user getting his system fucked up by this, and I'll tell you why: most people (build servers, just to name a casual target) have sudo with no password with the pacman command. In what way does this differ from the approach above? I'll tell you: in no way. It differs only when a user with no admin powers get in touch with Shaman. But well, in this case there's a sysadmin behind and he should know he shouldn't even have installed a GUI for package management for all users.

And now go and hit me with your exploit. You have 2 possibilities.

* Get right behind my back and start Shaman. Well, in the case, you'd better unplug the hard drive and run, it would be faster
* Open a shell, connect to my pc hijacking a connection, then find a shell exploit (no, Shaman doesn't open root shells if you say "ahsvnajsf"), enter in a shell, start shaman, find a way to control a GUI program from a shell, or have a exploit on a VNC, and finally, use your hackerish l33t exploit! Makes sense, anyone can use it. What's more nice, if you could open a shell on a user, you could have done it with root too.

So please, think twice before saying anything that goes beyond your level of knowledge. You both found out that installing packages can be dangerous. Wow, you should go to Blackhat now.

Sorry for the tone, had a bad day, and hearing such a pile of shit can't help but making me even more nervous

BTW; the next version of Shaman, that uses the only secure way of doing such a thing that is PolicyKit, will be delayed until a showstopper patch (for shaman) gets into the pacman tree

Last edited by drf (2009-05-04 22:23:47)

bender02 · 2009-05-05 06:55:02

drf wrote:

I don't see yet a user getting his system fucked up by this, and I'll tell you why: most people (build servers, just to name a casual target) have sudo with no password with the pacman command. In what way does this differ from the approach above? I'll tell you: in no way. It differs only when a user with no admin powers get in touch with Shaman. But well, in this case there's a sysadmin behind and he should know he shouldn't even have installed a GUI for package management for all users.

The problem is that he/she by *setting up sudo with no password* is *consciously accepting the risk*. While installing shaman he/she *just installs a package that has no big fat warning that any user can get root privileges without his/her knowledge and change the system files*. That's the security risk.

BTW, setting up sudo without a password on a publicly accessible computer is usually done only for certain users, not for everyone (otherwise that person deserves to have his server hardware fried up and served for dinner).

While I understand that it's not easy and always fun to program a thing like shaman, this *is* a security hole, regardless whether you call it a feature or not, and I'm looking forward to the new version that would not have this hole. Meanwhile, you could at least add a big fat warning to the .install script of shaman that tells users about this.

naguz · 2009-05-05 06:56:55

Well, as I said in a post above: "If I could code".
If were you, stressing that it was intentional, is something I really wouldn't do.
You say sysadmins on computers "should know he shouldn't even have installed a GUI for package management for all users." I agree. But you do not make this info readily available to people installing shaman. Anyway, I feel that admin tools should under no circumstanses be open to unprivileged users as default. I would imagine you could agree with me on that too?

As for a patch, I can not make one (I could made a diff patch after patching the code, but patching the code is above@beyond me.) I have, however, suggested a solution: move the conf file (or make another one) in /etc/shaman.conf or wherever such files are supposed to be. Make it writeable to root/wheel only. I cannot imagine it taking much codechange to accomplish this. If this is in any way a worse solution than a config file writeable to any user on the system: please, enligthen me as to why that is so. I could very wel have missed something obvious. I am no programmer, coder or "1337 haxxxor". I am a student with very limited time to tinker with my dear darlings (aka computers and gadgets). If I in any way (intentionlly) offended you, I'm sorry. I shouldn't have. It's not like I have paid you to develop apps for me.

I do not in any way think I know this better than any one else. Well, in a way. I don't think "I don't see yet a user getting his system fucked up by this" is a reason to give any unprivileged user root access to a machine with shaman installed. Especially since a user has no easy way of knowing this when he installs shaman. And at that specific point I don't think you'll be able to convince me otherwise. And simply ignoring the bug for so long, without even throwing in a warning, I find that to be a bad attitude both towards users and security.

raf_kig · 2009-05-05 08:26:03

drf wrote:

I added that exploit INTENTIONALLY since PAM+X gets buggy on quite some systems.

Yeah thats the worst thing about it. What about just writing an faq entry saying 'if you are unable to get pam+x set up in the right way you can set the file suid root' ?

drf wrote:

I don't see yet a user getting his system fucked up by this, and I'll tell you why: most people (build servers, just to name a casual target) have sudo with no password with the pacman command.

Most people? None that I know for sure. There is a reason for having to enter a password when you want to do systemwide changes.
And what does running pacman as unprivileged user has to do with a buildserver?

drf wrote:

In what way does this differ from the approach above? I'll tell you: in no way.

1) Most people I know wouldn't use such a retarded setup.
2) If you insist on such a stupid setup you'll at least have to do it explicitly.

drf wrote:

[ flame ]

Yeah exactly, thanks for the discussion

/edit
I just saw this nice dialog when running shaman without suid. (emphasize mine)

shaman wrote:

Shaman could not switch to root.
Probably you have not set the SUID bit to it.
You can do that by issuing as root
chown root shaman && chmod u+s shaman.
Note that this is safe, please read Shaman wiki
for more details.

I think I don't need to say anything else.

Last edited by raf_kig (2009-05-05 08:38:55)

drf · 2009-05-05 08:59:34

Not adding anything else since this discussion can be turn just into a flamethrower, I'll just say that what you marked with [flame] is correct, and the reason I marked it as "safe" it's because it gets privileges just during root operations, and not throughout the whole period of activity. I'll just quote again:

BTW; the next version of Shaman, that uses the only secure way of doing such a thing that is PolicyKit, will be delayed until a showstopper patch (for shaman) gets into the pacman tree

This bug, security hole, whatever you want to call it, should have gone away since months and it was meant to be a temporary, bad hack, as already told, and it was not ignored, neither a definitive solution. Would it mean something if you knew that I'm one of the 2 developers behind polkit-qt and PolicyKit-KDE and one of the reasons I offered to work on them was Shaman? It doesn't look to me like ignoring.

However, we (both me and Pacman developers) have limited time these days and couldn't work this out quickly. If you want to use shaman safely, check it out from git, apply the fetch callback patch to pacman (find it in the pacman mailing list), and enjoy some safety. Apart from that, if you don't want to do it, remove Shaman and file a bug against it to be removed from community, I have nothing against it. But bear in mind that if you want things to happen, most of the times you have to give a hand. I have *plenty* of things to hack on, and I am doing it all in my free time.

naguz, what you said makes sense, and it is probably a better solution than the current one. However, Allan told me that he will try his best to get that patch into the tree for next Pacman release, so I think it's pointless now to patch the old Shaman, that is way different in many senses than the new one, hoping both me and Pacman devs will be able to manage a release in a month. If that's not the case, I'll try to get a patch in shape, but I'd really appreciate it if somebody could make one, as I don't have time to maintain 2 different codebases (as the next version of Shaman is actually a pretty different codebase).

For now, your solution is simply #pacman -R shaman. Or, follow bender02's advice.

Allan · 2009-05-05 09:46:15

raf_kig wrote:

drf wrote:
I don't see yet a user getting his system fucked up by this, and I'll tell you why: most people (build servers, just to name a casual target) have sudo with no password with the pacman command.
Most people? None that I know for sure. There is a reason for having to enter a password when you want to do systemwide changes.
And what does running pacman as unprivileged user has to do with a buildserver?

You seem to have never used "makepkg -s"

Now.... what to do with this thread from a moderators point view?

toad · 2009-05-05 16:46:30

Close the bugger and perhaps drop a hint as to when we can expect the all dancing, singing and tea making new version of shaman

Arch Linux

#26 2009-05-02 07:18:23

Re: Shaman doesn't ask for root password. But gets root privileges!!

#27 2009-05-02 08:29:49

Re: Shaman doesn't ask for root password. But gets root privileges!!

#28 2009-05-02 16:15:16

Re: Shaman doesn't ask for root password. But gets root privileges!!

#29 2009-05-03 12:25:21

Re: Shaman doesn't ask for root password. But gets root privileges!!

#30 2009-05-03 14:24:05

Re: Shaman doesn't ask for root password. But gets root privileges!!

#31 2009-05-03 15:22:11

Re: Shaman doesn't ask for root password. But gets root privileges!!

#32 2009-05-04 22:22:06

Re: Shaman doesn't ask for root password. But gets root privileges!!

#33 2009-05-05 06:55:02

Re: Shaman doesn't ask for root password. But gets root privileges!!

#34 2009-05-05 06:56:55

Re: Shaman doesn't ask for root password. But gets root privileges!!

#35 2009-05-05 08:26:03

Re: Shaman doesn't ask for root password. But gets root privileges!!

#36 2009-05-05 08:59:34

Re: Shaman doesn't ask for root password. But gets root privileges!!

#37 2009-05-05 09:46:15

Re: Shaman doesn't ask for root password. But gets root privileges!!

#38 2009-05-05 16:46:30

Re: Shaman doesn't ask for root password. But gets root privileges!!

Board footer