[
https://issues.apache.org/jira/browse/STORM-2348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15855712#comment-15855712
]
Tibor Kiss edited comment on STORM-2348 at 2/7/17 10:54 AM:
------------------------------------------------------------
Created a
[PoC|https://github.com/tibkiss/storm/commit/c6d57c0d389b57a7d77180f444ea52a7c1a7b5b8]
of this approach.
Unfortunately theory and practice collides:
{code}
tiborkiss@eiger ~/w/s/s/t/n/worker-launcher ❯❯❯ ls -l worker-launcher
-rwxrwx---. 1 root tiborkiss 58442 Feb 7 05:15 worker-launcher
tiborkiss@eiger ~/w/s/s/t/n/worker-launcher ❯❯❯ getcap worker-launcher
worker-launcher = cap_setuid+ep
tiborkiss@eiger ~/w/s/s/t/n/worker-launcher ❯❯❯ ./worker-launcher --checksetup
Error resolving the canonical name for the executable : Permission
denied!Invalid permissions on worker-launcher binary.
tiborkiss@eiger ~/w/s/s/t/n/worker-launcher ❯❯❯ echo $?
⏎
22
tiborkiss@eiger ~/w/s/s/t/n/worker-launcher ❯❯❯ stat worker-launcher
File: ‘worker-launcher’
Size: 58442 Blocks: 128 IO Block: 4096 regular file
Device: fd02h/64770d Inode: 401957 Links: 1
Access: (0770/-rwxrwx---) Uid: ( 0/ root) Gid: ( 1000/tiborkiss)
Context: unconfined_u:object_r:user_home_t:s0
Access: 2017-02-07 05:15:34.464389191 -0500
Modify: 2017-02-07 05:15:34.471389045 -0500
Change: 2017-02-07 05:25:42.816629877 -0500
Birth: -
tiborkiss@eiger ~/w/s/s/t/n/worker-launcher ❯❯❯ realpath worker-launcher
/home/tiborkiss/devel/workspace/storm/storm-core/target/native/worker-launcher/worker-launcher
{code}
The above sample shows that {{setuid()}} was successful, but {{realpath()}} on
the worker-launcher fails.
was (Author: [email protected]):
Created a
[PoC|https://github.com/tibkiss/storm/commit/c6d57c0d389b57a7d77180f444ea52a7c1a7b5b8]
of this approach.
Unfortunately theory and practice collides:
{code}
tiborkiss@eiger ~/w/s/s/t/n/worker-launcher ❯❯❯ ls -l worker-launcher
-rwxrwx---. 1 root tiborkiss 58442 Feb 7 05:15 worker-launcher
tiborkiss@eiger ~/w/s/s/t/n/worker-launcher ❯❯❯ getcap worker-launcher
worker-launcher = cap_setuid+ep
tiborkiss@eiger ~/w/s/s/t/n/worker-launcher ❯❯❯ ./worker-launcher --checksetup
Error resolving the canonical name for the executable : Permission
denied!Invalid permissions on worker-launcher binary.
tiborkiss@eiger ~/w/s/s/t/n/worker-launcher ❯❯❯ echo $?
⏎
22
{code}
The above sample shows that {{setuid()}} was successful, but {{realpath()}} on
the worker-launcher fails.
> setuid(0) & setgid call results are not checked in worker-launcher
> ------------------------------------------------------------------
>
> Key: STORM-2348
> URL: https://issues.apache.org/jira/browse/STORM-2348
> Project: Apache Storm
> Issue Type: Improvement
> Components: storm-core
> Reporter: Tibor Kiss
> Assignee: Tibor Kiss
>
> worker-launcher elevates it's privileges using {{setuid(0)}} and
> {{setgid(group_info->gr_gid)}} calls:
> https://github.com/apache/storm/blob/master/storm-core/src/native/worker-launcher/impl/main.c#L116-L119
> The current implementation does not validate the return value of those calls,
> rather it checks' the privileges (setuid + root ownership) of the binary
> through {{check_executor_binary()}}
> This approach works correctly, but it could be improved:
> If we'd check the return values of setuid(0) & setgid() and drop the binary
> check it would be possible to gain elevated privileges using CAP_SETUID &
> CAP_SETGID.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
