RFC: init-d-script add optional setpriv wrapper for s-s-d.
Mark Hindley
mark at hindley.org.uk
Thu Sep 5 09:44:33 BST 2024
On Wed, Sep 04, 2024 at 12:52:51PM +0000, Thorsten Glaser wrote:
> >I will experiment more to see if you can drop
> >sufficient capabilities to break s-s-d.
I have only managed to force one breakage. If s-s-d is called with --chuid, it
uses setuid() and requires CAP_SETUID and CAP_SETGID:
test@DebianUnstable:~$ sudo setpriv --bounding-set -all start-stop-daemon --chuid test --start --exec /usr/bin/whoami
start-stop-daemon: unable to set gid to 1000 (Operation not permitted)
> But IIRC you can just tell s-s-d which command to start,
> which can then be different from the executable name to
> test for matching. That'd probably be a better point
> to inject setpriv into.
But reversing the order of s-s-d and setpriv is no better:
test@DebianUnstable:~$ sudo start-stop-daemon --chuid test --start --exec /usr/bin/setpriv -- --bounding-set -all whoami
setpriv: apply bounding set: Operation not permitted
So, I think ensuring that unit-translator keeps CAP_SETGID and CAP_SETUID if
s-s-d --chuid will be used should suffice.
test@DebianUnstable:~$ sudo setpriv --bounding-set -all,+setuid,+setgid start-stop-daemon --chuid test --start --exec /usr/bin/whoami
test
Am I missing any other capabilities s-s-d requires?
Mark
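The capability rule the post arrives at, written out as an added example (not code from the thread, from init-d-script or from unit-translator): a POSIX sh helper that derives the setpriv --bounding-set argument from the start-stop-daemon arguments, keeping CAP_SETUID and CAP_SETGID only when s-s-d will itself switch identity. Function names are this example's own; the --group/-g handling goes beyond the post's --chuid case.

```shell
#!/bin/sh
# Added example: derive the setpriv --bounding-set value for a given
# start-stop-daemon (s-s-d) invocation. Base policy is -all; CAP_SETUID and
# CAP_SETGID are retained only when s-s-d will call setuid()/setgid() itself,
# i.e. when --chuid/-c (sets uid and gid) or --group/-g (sets gid) is given,
# because setpriv has already narrowed the bounding set by the time s-s-d runs.
# Clustered short options such as -Sc are not parsed; write them separately.
ssd_bounding_set() {
    ssd_set_uid=no
    ssd_set_gid=no
    while [ $# -gt 0 ]; do
        case "$1" in
            --chuid|--chuid=*|-c|-c?*) ssd_set_uid=yes; ssd_set_gid=yes ;;
            --group|--group=*|-g|-g?*) ssd_set_gid=yes ;;
            --) break ;;  # arguments after -- belong to the daemon, not to s-s-d
        esac
        shift
    done
    ssd_caps="-all"
    if [ "$ssd_set_uid" = yes ]; then ssd_caps="$ssd_caps,+setuid"; fi
    if [ "$ssd_set_gid" = yes ]; then ssd_caps="$ssd_caps,+setgid"; fi
    printf '%s\n' "$ssd_caps"
}

# Compose the full wrapper command line without executing it, so it can be
# reviewed first and then run with the privileges the real init script has.
ssd_wrapped_cmdline() {
    ssd_bs=$(ssd_bounding_set "$@")
    printf 'setpriv --bounding-set %s start-stop-daemon' "$ssd_bs"
    for ssd_arg in "$@"; do printf ' %s' "$ssd_arg"; done
    printf '\n'
}

# Usage: the two cases from the thread, plus a --group-only case.
ssd_wrapped_cmdline --start --exec /usr/bin/whoami
ssd_wrapped_cmdline --chuid test --start --exec /usr/bin/whoami
ssd_wrapped_cmdline --group test --start --exec /usr/bin/whoami
```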