Minimise security risks with an application that needs root?

Unia · 2014-03-18 17:57:38

Hey all,

For one of my university classes (Logic Based Artificial Intelligence) I have to run Eclipse with a specific plugin (for the GOAL programming language). However, this plugin will only function with Eclipse being executed as root. On top of this, to get the plugin to even install, I have to install the plugin itself and some dependencies from untrusted plugin repositories.

Needless to say, I don't like it. Can I somehow minimise the security risk this exposes?

drcouzelis · 2014-03-18 18:01:17

You could dual-boot with a "throwaway" Linux installation.

What causes the plugin to need to be root? If it just needs write access to a directory you could modify the directory permissions.

Unia · 2014-03-18 18:04:29

I'm not sure, it doesn't say why. For the Windows version they say you either need write permissions or to run Eclipse as administrator.

When I install the plugin in Eclipse executed as my user it does not install itself in the ~/.eclipse/foo/plugins directory so I'm not sure what is going on here. The other plugins I need install fine in there.

Scratch that, it does install. The assignment is rather big and is due sunday, so I don't have much time to investigate why it needs root permissions. I'll continue looking into it for a bit but I would prefer to get going.

Last edited by Unia (2014-03-18 18:46:38)

Unia · 2014-03-18 20:30:11

Well, it has happened. I went ahead and ran Eclipse as root and installed the plugins. I have little time to figure everything out, and I figured that since it is my university that recommended me the plugins I should be safe.

I was wrong. After a while I couldn't launch termite anymore (it exited right away) and also dmenu wouldn't start. I decided to reboot and now I get thrown out as soon as I log in, both as user and as root. Note that it does accept my password.

Is there anything I can do to see what is going on? I have a live usb around to so I can check whatever files I should. I'm currently installing everything on another unused laptop to see if the same happens.

Note that I had a fresh system, I just reinstalled yesterday.

Last edited by Unia (2014-03-18 20:30:51)

ewaller · 2014-03-18 20:54:28

Unia wrote:

Can I somehow minimise the security risk this exposes?

I cannot offer much to help you in your current situation, but you might try and chroot into the environment at see if you can figure out what it did. Maybe use the find command to locate any files changed on the fateful day.

In the future, consider setting up a virtual machine. Install what you want in the VM jail and not worry about your real system. You could (with the proper licenses) even build a Windows environment if that is the environment to which the course is more amenable.

Unia · 2014-03-18 21:26:51

Thanks for the tip to check out modified files. I ran a check for files that have changed in the last few hours. The only strange things I could find where log files in /var/log showing weird glyphs, almost like a binary file.

No files in /etc were touched, except for a file in /etc/ld.so.conf.d which loads a file related to the GOAL plugin.

So all in all, nothing that (AFAIK) would make me unable to log in. Unless it deleted some files, does find list deleted files?

Unia · 2014-03-18 22:28:55

I found the culprit. Turned out I was a bit too paranoid: it was today's bash update. I missed it because I updated this afternoon, shutdown my laptop and then was able to log in on the next boot at which I ran Eclipse.

The error I got was a symbol lookup error (undefined symbol) rl_signal_event_hook. A friend of mine confirmed this by updating bash. I got around it by pacstrapping zsh onto my system, chrooting into it (bash obviously didn't work) and then downgrading bash.

Should I report this issue somewhere?

karol · 2014-03-18 22:43:10

Allan did the 4.3-2 update, and even though bash is not maintained by Allan anymore (Bartłomiej Piotrowski is the new maintainer), we can still blame him :-)
If you run into such problems, I think a bug report is in order.

Unia · 2014-03-18 22:51:29

The bug is not in vanilla bash. The GOAL plugin for Eclipse overrides libreadline and libncurses:

┌─jente @ ~ 01:43:45 
└─╼ ldd /bin/bash
	linux-vdso.so.1 (0x00007fff26dfe000)
	libreadline.so.6 => /usr/share/eclipse/plugins/org.eclipse.gdt_1.0.0.201403161449/lib/linux/libreadline.so.6 (0x00007fb4c86b6000)
	libncursesw.so.5 => /usr/lib/libncursesw.so.5 (0x00007fb4c8451000)
	libdl.so.2 => /usr/lib/libdl.so.2 (0x00007fb4c824d000)
	libc.so.6 => /usr/lib/libc.so.6 (0x00007fb4c7ea5000)
	libncurses.so.5 => /usr/share/eclipse/plugins/org.eclipse.gdt_1.0.0.201403161449/lib/linux/libncurses.so.5 (0x00007fb4c7c61000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fb4c88f8000)

That's why I was able to login normally after the bash update but before installing the plugin... I will report this at my professor!

karol · 2014-03-18 23:32:42

Interesting. The Chinese curse type of "interesting".

Arch Linux

#1 2014-03-18 17:57:38

Minimise security risks with an application that needs root?

#2 2014-03-18 18:01:17

Re: Minimise security risks with an application that needs root?

#3 2014-03-18 18:04:29

Re: Minimise security risks with an application that needs root?

#4 2014-03-18 20:30:11

Re: Minimise security risks with an application that needs root?

#5 2014-03-18 20:54:28

Re: Minimise security risks with an application that needs root?

#6 2014-03-18 21:26:51

Re: Minimise security risks with an application that needs root?

#7 2014-03-18 22:28:55

Re: Minimise security risks with an application that needs root?

#8 2014-03-18 22:43:10

Re: Minimise security risks with an application that needs root?

#9 2014-03-18 22:51:29

Re: Minimise security risks with an application that needs root?

#10 2014-03-18 23:32:42

Re: Minimise security risks with an application that needs root?

Board footer