As the title says:
Shaman is launched as a regular user and never asks for the root password, but I am still able to install and uninstall packages.
Either something in my system is seriously fucked, or there is a major security problem with shaman.
Running openbox; installed shaman while running gnome, if that has anything to say. Sudo is not installed.
Output from running shaman in terminal:
[gert@flyktig ~]$ shaman
This process is currently running setuid or setgid.
GTK+ does not allow this therefore Qt cannot use the GTK+ integration.
Try launching your app using 'gksudo', 'kdesudo' or a similar tool.
See http://www.gtk.org/setuid.html for more information.
Translations are enabled.
Loading translations from "/usr/share/shaman/translations/"
Parsing "core"
Parser exited
Parsing "extra"
Parser exited
Parsing "community"
Parser exited
Parser exited
Log File should be: ""
"core" ---> "http://mirror.archlinux.no/core/os/i686"
"extra" ---> "http://mirror.archlinux.no/extra/os/i686"
"community" ---> "http://mirror.archlinux.no/community/os/i686"
Root privileges retired.
"/home/gert/.config/shaman/shaman.conf"
>>
>> Shaman 1.0.9
>> Compiled against Qt 4.4.1
>> Running with Qt 4.4.3
>>
>> Our website is @ http://shaman.iskrembilen.com/ , join in!!
>> You can also find a bugtracker in the website, please use it.
>>
>> Have you found a bug? Help us solving it faster! Please read
>> http://shaman.iskrembilen.com/trac/wiki/Debugging_Shaman
>> and please follow these steps to report bugs effectively!
>>
>> Starting Up Shaman...
User agent is: "shaman/1.0.9 (Linux i686) libalpm/3.1.1"
Shaman registered on the System Bus as ":1.51"
Service org.archlinux.shaman successfully exported on the System Bus.
--> UNSETENV HTTP_PROXY
--> UNSETENV FTP_PROXY
Populating Repo column
Log file is: /var/log/pacman.log
refinePkgView
The left TextBox is over, let's do the ComboBox
Show all packages
Remove Package
"Uninstall package: alunn"
"alunn"
"community"
Process Queue
Queue Dialog started
Queue signals connected
Starting Package Removal
Root Privileges granted.
Uid is: 1000
Received Event Callback
Alpm Thread Waiting.
Entering Queue Lock
Releasing Queue Lock
Alpm Thread awake.
Received Event Callback
Alpm Thread Waiting.
Entering Queue Lock
Releasing Queue Lock
Alpm Thread awake.
Received Event Callback
Alpm Thread Waiting.
Entering Queue Lock
No scriptlet for package alunn
Releasing Queue Lock
Alpm Thread awake.
Received Event Callback
Alpm Thread Waiting.
Entering Queue Lock
No scriptlet for package alunn
Releasing Queue Lock
Alpm Thread awake.
/sbin/ldconfig: Can't create temporary cache file /etc/ld.so.cache~: Ikke tilgang
Root privileges retired.
Transaction Completed Successfully
refinePkgView
refinePkgView
The left TextBox is over, let's do the ComboBox
Show all packages
[gert@flyktig ~]$
Perhaps you should follow the link given when you launch it:
$ shaman
This process is currently running setuid or setgid.
GTK+ does not allow this therefore Qt cannot use the GTK+ integration.
Try launching your app using 'gksudo', 'kdesudo' or a similar tool.
See http://www.gtk.org/setuid.html for more information.
http://en.wikipedia.org/wiki/Setuid
The program's probably running setuid root.
-edit- Hm, it also seems to grab and drop root privileges as it sees fit:
Root Privileges granted.
Uid is: 1000
<...do a bunch of stuff...>
/sbin/ldconfig: Can't create temporary cache file /etc/ld.so.cache~: Ikke tilgang
Root privileges retired.
When I first ran shaman there was a check box to not ask for the password again, did you have/leave this enabled?
My bet is that you saved your root password when using it earlier... Remove the shaman config directory (something like ~/.shaman or ~/.config/shaman) and you should start getting asked again.
This process is currently running setuid or setgid.
GTK+ does not allow this therefore Qt cannot use the GTK+ integration.
Try launching your app using 'gksudo', 'kdesudo' or a similar tool.
The way I read this, it says it runs setuid, but GTK+ doesn't allow it, therefore it does not work. And because of this, it wants me to run it with gksu.
But I guess you are right, and this is not a bug, but a seriously flawed feature. By making an appropriate package and installing it with shaman, couldn't any user take full control of the system quite easily?
If I change the permissions of the shaman executable so it cannot be run by normal users, I guess the problem (as it is in my eyes) is solved?
I will try deleting the config file later. Pretty sure I have not ticked that box before. But maybe I did when I installed under kdemod, if the config file was kept after uninstall.
Last edited by naguz (2009-01-28 12:54:20)
I deleted the config file, and then it asked for a password.
I had
[auth]
askforpwd=false
in it, so I guess the config-file was from a previous install.
But then I deleted the config-file again, and ran a pacman -Rsn shaman. Installed shaman again. Then I put in the
[auth]
askforpwd=false
in the ~/.config/shaman/shaman.conf-file.
And it did not ask for a password. I must admit, if any user can just modify his shaman.conf-file to run it with setuid root, without ever entering the root password, it seems a bit insecure. As I would think the shaman developers have a bit more knowledge in this field than me, I guess there is something I am missing?
Did you allow enough time for the password to expire before modifying the config file? I think the password is similar to sudo and stays in memory for 5 minutes.
Uninstalled shaman yesterday, and deleted the shaman-folder under ~/.config.
Installed shaman again today. Started it up, and exited it, without entering any password. (Just to create a new and fresh shaman.conf file.)
Added the following two lines to the shaman.conf-file:
[auth]
askforpwd=false
and started shaman again. Never asked for a password, but installed packages without problems.
Tested with a test user account I have as well. 99% sure that user has never used shaman, ever. No shaman-folder in the .config folder either. Adding the same two lines worked there as well. Would be nice if anyone who hasn't yet installed shaman on their system could try and see if it works for them as well.
Last edited by naguz (2009-01-29 20:00:44)
askforpwd=false
That to me is wrong; surely it should be 'askforpwd=true'.
I'm dyslexic. Please do not complain about punctuation or spelling, and remember most dyslexic people have above average IQ.
askforpwd=false
That to me is wrong; surely it should be 'askforpwd=true'.
Yes, that is true. However, as any user can change his own shaman.conf-file, relying on that file to deny users root privileges wouldn't be a very good solution, would it?
Don't you still need the root password initially? And if the user does not know it, the password will not be saved.
Maybe you should bring this up on the Chakra forum where drf the shaman developer can answer better.
Do you have sudo installed and set up for the user in question?
Evil #archlinux@libera.chat channel op and general support dude.
Don't you still need the root password initially? And if the user does not know it, the password will not be saved.
Maybe you should bring this up on the Chakra forum where drf the shaman developer can answer better.
No, tried with a new user account. It never had to enter a password at all. Just had to include the two lines in question in the user's .config file.
Link to Chakra forum?
@Mr:Elendig: No. Not installed at all.
@naguz
Where did you get those two lines from? Was it a little bird or were you told to blast them out into the open? afaik very few people were privy to them prior to your post.
I don't get the rather sensational "headline" when the content of these two lines is rather self explanatory...
Whatever, hopefully they will not be needed any more for the next shaman.
Last edited by toad (2009-01-30 17:13:19)
never trust a toad...
::Grateful ArchDonor::
::Grateful Wikipedia Donor::
Exact. Those lines were meant for people having problems with that awful X+PAM bug I couldn't get over. By the way, with the next version Shaman will use policykit and will drop suid
@naguz
Where did you get those two lines from? Was it a little bird or were you told to blast them out into the open? afaik very few people were privy to them prior to your post.
I don't get the rather sensational "headline" when the content of these two lines is rather self explanatory...
Whatever, hopefully they will not be needed any more for the next shaman.
The topic title was a result of my brain thinking "wtf is going on?" The two lines came from the .config-file of a user account which had opted to remember the password in Shaman.
If a program allows any user to become root simply by editing a config file in his/her own home folder, I find that to be a pretty major security hole. But hey, maybe that's just me.
Maybe check if the executable is owned by root; if so, run
chmod -s /path/to/bin/shaman
'man chmod' says:
set user or group ID on execution (s)
I would assume it is owned by root, as it uses setuid root afaik.
People obviously don't care that any user can install or uninstall packages with shaman without knowing the root password, being in the wheel group etc., so I just uninstalled shaman (slow piece of software anyway) on the one machine others have access to, and decided it's not my problem. Answered a bug report today @chakra which actually had gotten a reply after several months, so maybe it will get fixed, maybe not. Made me remember this thread too. Don't know why I felt the need to post here though.
I guess pretty few people install shaman on multi-user machines anyway, as they are usually centrally managed and updated, and that's why no one thinks it's a big deal.
It's a feature not a bug; AFAIK.
Shaman asks you if you want it to remember the root password and if you choose yes it won't ask for root password again.
I personally have no problem with that.
Arch x86_64 ATI AMD APU KDE frameworks 5
---------------------------------
Whatever I do, I always end up with something horribly mis-configured.
The point of this thread was that you don't need to enter the root password at all. Not the first time, not ever.
As far as I understand, it is supposed to work like this: When you first use shaman to install anything, it asks for the root password. You can tick a "Do not ask me again"-box, so you don't have to enter the password again. If you tick the box and enter the password, shaman adds the lines
[auth]
askforpwd=false
to the user's shaman.conf-file (~/.config/shaman/shaman.conf). The next time shaman is run, it checks the config file, and if the askforpwd value is set to false, it grants itself root privileges (with some nifty setuid root-thingy, I imagine). This is not the problem - this is the feature.
The bug is this:
the fact that any user can add the lines
[auth]
askforpwd=false
to his own shaman.conf file, without ever entering the root password in shaman. The next time shaman is run, it checks the config file, and if the askforpwd value is set to false, it grants itself root privileges - even though the user has never entered the root password.
This works for any unprivileged user on the system.
If that is indeed a feature intended by any sane person, then I'm Mother Mary. And that can't be, seeing as I don't have breasts.
Wow, this still going? Cool. Have you tried again recently, naguz, or has it been fixed yet? afaik you are both right: it is a feature to overcome a bug
I wouldn't know how to do it, but suppose you had a shaman group or some such? Similar to vboxusers...
I don't really use it anymore for installing, but it still sits in the intray as a timely alert for impending Syus. I use it less for searching now than I used to.
never trust a toad...
::Grateful ArchDonor::
::Grateful Wikipedia Donor::
Exact. Those lines were meant for people having problems with that awful X+PAM bug I couldn't get over. By the way, with the next version Shaman will use policykit and will drop suid
Thats why that option exists, nothing more.
Wow, this still going? Cool. Have you tried again recently, naguz, or has it been fixed yet? afaik you are both right: it is a feature to overcome a bug
I wouldn't know how to do it, but suppose you had a shaman group or some such? Similar to vboxusers...
Nah, not fixed yet. Tested it today (or yesterday by 40mins) before posting. Newly created, unprivileged user 'Pete' was able to modify his shaman.conf file and install packages easy as pie.
Not sure what you are referring to by "shaman group", no group membership needed to do this.
If it is indeed intentional, then the 'sane person' part of my statement obviously fails. Couldn't it have been fixed much easier with a file with allowed users, only writeable by root? Why put it in every user's .config-dir? o.O
Not sure what you are referring to by "shaman group", no group membership needed to do this... ... Couldn't it have been fixed much easier with a file with allowed users, only writeable by root? Why put it in every user's .config-dir? o.O
That is exactly what I meant
never trust a toad...
::Grateful ArchDonor::
::Grateful Wikipedia Donor::