Using gconf in setuid program?



Hi,

I have a few questions on whether it's safe to use gconf from a
privileged program. 

Now it's probably easier to explain by example so here goes. So,
basically, I'm working on writing a GNOME-ish replacement for mount(1)
that will read settings from gconf about a) whether a filesystem can be
mounted at all; and b) retrieve what mount point, mount options etc. to
use. The replacement (let's call it "gnome-mount" for now) would also
sport better dialogs and possible interaction with the user.

So, the planned architecture is pretty simple (assume the desktop user
has uid 500)

                                       read
 +---------------------------------+  settings  +-----+
 | gnome-mount (uid=500, euid=500) |------------|gconf|
 +---------------------------------+            +-----+
           ^
           | communicate via stdin/stdout
           |  in: /dev/file, /mount/point, [mount options]
           | out: return code
           V
   +--------------------------------------+
   | gnome-mount-helper (uid=500, euid=0) | <-- "setuid root" binary
   +--------------------------------------+

where gnome-mount is an unprivileged front-end (with the ability to show
dialogs etc.) and gnome-mount-helper is a privileged setuid helper. So,
clearly the helper should be minimal in terms of code size and libraries
it drags in (so it can be audited). 

OTOH, we want the helper to be as paranoid as possible - it basically
needs to verify every single piece of data to enforce policy (only allow
mounts in /media, don't allow uid=xyz on certain file systems, etc.).

Specifically, to do this, it needs to read the default policy and this
kind of needs to be configurable. So, since it needs to do this it makes
sense to put the default policy in gconf. Specifically, say, for
the key /system/storage/can_mount_external_drives_rw, I want to retrieve
this value in gnome-mount-helper and, based on the boolean value, make a
decision whether we can mount a certain file system read/write or only
read-only (think lockdown in an enterprise).

The reason I want this to be in gconf should be pretty clear;
sysadmins can easily lock this down by e.g. setting
can_mount_external_drives_rw to FALSE as a mandatory setting and so
forth.

One naive solution is to make gnome-mount-helper link with libgconf-2
but I'm worried about the amount of code that will run with euid 0.
Another solution could be to invoke gconftool-2 from gnome-mount-helper
(basically: fork(), seteuid(getuid()) to drop all privileges, exec
gconftool-2 and look at output, done). Would this work? E.g. can I trust
that I get the right result, e.g. the FALSE from the mandatory setting?

I realize that it's possible that I'm on crack and I shouldn't use gconf
for this because of obvious (?) security holes. Please advise.

Thanks,
David

PS: Btw, I'm also curious what the long term solution to this kind of
problem is.
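As an added example (not David's code and not part of GNOME or gconf), here is how the fork / drop-privileges / exec idea from the mail can be written in C so that the privilege drop is permanent and the helper fails closed when it cannot get a clean answer. It assumes gconftool-2 lives at /usr/bin/gconftool-2 and that `--get` prints "true" or "false" for a boolean key.

```c
#define _GNU_SOURCE           /* setresuid/setresgid on glibc */
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

enum policy { POLICY_FALSE = 0, POLICY_TRUE = 1, POLICY_UNKNOWN = -1 };

/* Fail closed: only an exact "true" grants rw; anything else is not a "yes". */
enum policy parse_bool_output(const char *out) {
    if (out == NULL) return POLICY_UNKNOWN;
    if (strcmp(out, "true\n") == 0 || strcmp(out, "true") == 0) return POLICY_TRUE;
    if (strcmp(out, "false\n") == 0 || strcmp(out, "false") == 0) return POLICY_FALSE;
    return POLICY_UNKNOWN;
}

/* Run argv[0] (absolute path, no PATH lookup) as the caller's real uid/gid with
 * a fixed minimal environment, capturing stdout. Returns 0 if the child exited 0. */
int run_unprivileged(char *const argv[], char *buf, size_t len) {
    int fds[2]; if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        uid_t uid = getuid(); gid_t gid = getgid();
        /* Drop root for good: real, effective AND saved ids, gid before uid.
         * seteuid(getuid()) alone leaves saved-uid 0, so root could be regained. */
        if (setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0) _exit(127);
        if (getuid() != uid || geteuid() != uid || getegid() != gid) _exit(127);
        if (dup2(fds[1], STDOUT_FILENO) < 0) _exit(127);
        close(fds[0]); close(fds[1]);
        char *const env[] = { "PATH=/usr/bin:/bin", NULL };
        execve(argv[0], argv, env);
        _exit(127);                                   /* exec failed */
    }
    close(fds[1]);
    size_t n = 0; ssize_t r;
    while (n < len - 1 && (r = read(fds[0], buf + n, len - 1 - n)) > 0) n += (size_t)r;
    buf[n] = '\0'; close(fds[0]);
    int status; if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* The lockdown key from the mail; gconftool-2's path and output format are assumed. */
enum policy can_mount_rw(void) {
    char out[64];
    char *const argv[] = { "/usr/bin/gconftool-2", "--get",
                           "/system/storage/can_mount_external_drives_rw", NULL };
    if (run_unprivileged(argv, out, sizeof out) != 0) return POLICY_UNKNOWN;
    return parse_bool_output(out);
}
```

Because the child runs as the caller, the caller can influence it (same-uid processes can ptrace one another, and the user owns their own gconf sources), so the helper should treat the answer as untrusted input and keep enforcing its hard limits (only /media, etc.) itself.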
