Re: [DNG] why is polkit needed? dropin replacement
On 2020-02-23 22:10, marc wrote: > If I understand you correctly, you propose a simple gtk > program that is setuid (so that it can read /etc/shadow, and > grant root privileges). The problem is that there is no such > thing as a simple gtk program. This is not comment limited to > gtk programs - most graphical toolkits and libraries present > a pretty large attack surface - they contain large protocol > interpreters and font rendering engines, flaws in which could > then be exploited to give root access without any password > whatsoever. The author of XScreenSaver, Jamie Zawinski, has some FAQ [1] entries and a separate page [2] explaining why he never used GTK or other graphical toolkits for XScreenSaver development. Perhaps some of those ideas may be relevant to this gkexec project? [1] https://www.jwz.org/xscreensaver/faq.html#toolkits [2] https://www.jwz.org/xscreensaver/toolkits.html —Tom ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] why is polkit needed? dropin replacement
Hi, On 23/2/20 23:10, marc wrote: You should never send an unencrypted password over a shell or pipe. So in the case of the former (using the shell, via echo or an environment variable) you are correct. Those show up in process listings... I am not so sure about the second part, the bit about not passing confidential information down a pipe. I am not aware of a third party being able to see the content of a pipe. If you are worried about the invoking user seeing the password, bear in mind that on sane distributions a normal user can strace the xterm in which one invokes su or sudo. This is not a recommendation to disable strace, it is a strong recommendation to run your webbrowser under a different uid - actually I am surprised that distributions dont have a wrapper which runs a browser as a different uid but with a shared gid... i would use a simple gtk window with a gtkentry (Gtk2 GTK3 compatible) + 2 buttons (cancel, ok) that way it will be the gtk backend to care about X11 or wayland (i suppose...): ... Why use 2 binaries rather than one, more programs, more code, more communication in between them equals to more attack surface. I would stay with just one suid binary, more so if you want to go the su-only route. If I understand you correctly, you propose a simple gtk program that is setuid (so that it can read /etc/shadow, and grant root privileges). The problem is that there is no such thing as a simple gtk program. This is not comment limited to gtk programs - most graphical toolkits and libraries present a pretty large attack surface - they contain large protocol interpreters and font rendering engines, flaws in which could then be exploited to give root access without any password whatsoever. So invoking su or sudo via a pipe is probably the way to go after all. Do note that sudo (or su) might not accept input from a plain pipe - you might have to allocate a pseudotty via /dev/pts/ptmx, then fork, exec su or sudo in the child and in the parent write the password down the filedescriptor... regards marc Thanks for your suggestions, Mark. My first draft is a replacement for ssh-askpass. Here you are the sources: gnuinos.org/gkexec/gkexec.tar.bz2 The usage is similar to ssh-askpass, that is: $ SUDO_ASKPASS=./gkexec sudo -A synaptic I'm aware about several system variables playing a role in this issue, and i'm lookint at the code of lxqt-sudo. See the README file. Cheers, Aitor. ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] why is polkit needed? dropin replacement
Hi Tito, On 23/2/20 17:02, Tito via Dng wrote: Why use 2 binaries rather than one, more programs, more code, more communication in between them equals to more attack surface. I would stay with just one suid binary, more so if you want to go the su-only route. I'll answer to this question in more detail: the requeriment of suid privilegies implies an additional (non GUI) binary due to the fact that the usage of any GTK suid binary is impossible. Read here: http://soc.if.usp.br/manual/libgtk2.0-doc/faq/x392.html Cheers, Aitor. ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] why is polkit needed? dropin replacement
On 2/23/20 11:10 PM, marc wrote: You should never send an unencrypted password over a shell or pipe. So in the case of the former (using the shell, via echo or an environment variable) you are correct. Those show up in process listings... I am not so sure about the second part, the bit about not passing confidential information down a pipe. I am not aware of a third party being able to see the content of a pipe. If you are worried about the invoking user seeing the password, bear in mind that on sane distributions a normal user can strace the xterm in which one invokes su or sudo. This is not a recommendation to disable strace, it is a strong recommendation to run your webbrowser under a different uid - actually I am surprised that distributions dont have a wrapper which runs a browser as a different uid but with a shared gid... Hi, I intended | as a pipe, so doing echo something |. i would use a simple gtk window with a gtkentry (Gtk2 GTK3 compatible) + 2 buttons (cancel, ok) that way it will be the gtk backend to care about X11 or wayland (i suppose...): ... Why use 2 binaries rather than one, more programs, more code, more communication in between them equals to more attack surface. I would stay with just one suid binary, more so if you want to go the su-only route. If I understand you correctly, you propose a simple gtk program that is setuid (so that it can read /etc/shadow, and grant root privileges). The problem is that there is no such thing as a simple gtk program. This is not comment limited to gtk programs - most graphical toolkits and libraries present a pretty large attack surface - they contain large protocol interpreters and font rendering engines, flaws in which could then be exploited to give root access without any password whatsoever. Yes, but after having written part of it, it looked to easy to be true and I started wondering why nobody did it that way already and so I figured out the reason myself. I fully agree. So invoking su or sudo via a pipe is probably the way to go after all. Do note that sudo (or su) might not accept input from a plain pipe - you might have to allocate a pseudotty via /dev/pts/ptmx, then fork, exec su or sudo in the child and in the parent write the password down the filedescriptor... regards marc Ciao, Tito ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] why is polkit needed? dropin replacement
> >>You should never send an unencrypted password over a shell or pipe. So in the case of the former (using the shell, via echo or an environment variable) you are correct. Those show up in process listings... I am not so sure about the second part, the bit about not passing confidential information down a pipe. I am not aware of a third party being able to see the content of a pipe. If you are worried about the invoking user seeing the password, bear in mind that on sane distributions a normal user can strace the xterm in which one invokes su or sudo. This is not a recommendation to disable strace, it is a strong recommendation to run your webbrowser under a different uid - actually I am surprised that distributions dont have a wrapper which runs a browser as a different uid but with a shared gid... > i would use a simple gtk window with a gtkentry (Gtk2 GTK3 compatible) + 2 > buttons (cancel, ok) > that way it will be the gtk backend to care about X11 or wayland (i > suppose...): ... > Why use 2 binaries rather than one, more programs, more code, more > communication in between them equals to more attack surface. > I would stay with just one suid binary, more so if you want to go the su-only > route. If I understand you correctly, you propose a simple gtk program that is setuid (so that it can read /etc/shadow, and grant root privileges). The problem is that there is no such thing as a simple gtk program. This is not comment limited to gtk programs - most graphical toolkits and libraries present a pretty large attack surface - they contain large protocol interpreters and font rendering engines, flaws in which could then be exploited to give root access without any password whatsoever. So invoking su or sudo via a pipe is probably the way to go after all. Do note that sudo (or su) might not accept input from a plain pipe - you might have to allocate a pseudotty via /dev/pts/ptmx, then fork, exec su or sudo in the child and in the parent write the password down the filedescriptor... regards marc ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] why is polkit needed? dropin replacement
Hi again Tito,
On 23/2/20 17:02, Tito via Dng wrote:
On 2/23/20 4:22 PM, Aitor wrote:
Hi Tito,
On 23/2/20 14:15, Tito via Dng wrote:
On 2/23/20 1:54 PM, Aitor wrote:
Hi,
On 23/2/20 13:17, Aitor wrote:
The binary won't be suid, but rather it'll receive the root
password through the mentioned unix socket using internally (sudo
| su) afterwards.
As simple as that:
system( "echo | sudo -S ");
I tested my first draft and it works. Do it simple, isn't it?
Aitor.
Hi,
this looks dangerous, isn't the password readable unencrypted in
e.g. /proc?
You should never send an unencrypted password over a shell or pipe.
Usually the password as soon as it is inputted is encrypted with the
correct cipher
for the system and the buffer is zeroed, then the encrypted password
is compared
to what is in /etc/shadow or /etc/password or handled in the way is
deemed fit.
I suggest you to handle the passwords and the command and args to be
run in your program
This way:
1) password stays unencrypted for the shortest time
2) you have control and you can vet the env, program and args that
are run.
Hope this helps.
Ciao,
Tito
Thanks for the info, i know... Some people ripped me to shreds in the
IRC channel some years ago, when i started working on the backend of
simple-netaid.
This is only for testing the first part of the project. I have two
ideas for the second part:
- To have a look at the code of ssh-askpass, suggested by Didier
Krin, whose dialog frame is useful only for X11 and not for wayland.
Hi,
i would use a simple gtk window with a gtkentry (Gtk2 GTK3 compatible)
+ 2 buttons (cancel, ok)
that way it will be the gtk backend to care about X11 or wayland (i
suppose...):
"put into “password mode” using gtk_entry_set_visibility(). In this
mode, entered text is displayed using
a “invisible” character. By default, GTK+ picks the best invisible
character that is available in the current
font, but it can be changed with gtk_entry_set_invisible_char(). Since
2.16, GTK+ displays a warning when Caps
Lock or input methods might interfere with entering text in a password
entry.
The warning can be turned off with the “caps-lock-warning” property."
"Note that you probably want to set “input-purpose” to
GTK_INPUT_PURPOSE_PASSWORD or GTK_INPUT_PURPOSE_PIN
to inform input methods about the purpose of this entry, in addition
to setting visibility to FALSE."
On hitting Enter or the OK button this returns a gchar string (typdef
of char)
that could be fed to:
encrypted = pw_encrypt(plaintext, /*salt:*/ pw_pass, 1);
r = (strcmp(encrypted, pw_pass) == 0);
free(encrypted);
nuke_str(plaintext);
return r;
To see a good example take a look at: busybox/libbb/correct_password.c
This is widely used code and most pitfalls are already handled.
Thanks, i'll have a look at the code. In any case, something like the
code below would be enough:
setenv("SUDO_ASKPASS", password, 1);
printf("%s\n", password);
The password needs to be printed, otherwise it won't work.
Then, sudo reads the value of the system variable via:
askpass = getenv_unhooked("SUDO_ASKPASS");
and inmediately sudo uses the "unsetenv" fuction in ordeer to reset the
value. This is exactly how ssh-askpass works.
All that done, the application can be used in the same way suggested by
Didier, replacing ssh-askpass by our new application.
- To emulate keypress events in C code afterwards, according to the
received password.
Looks as overcomplex to me but I'm not a guru
Yes, i think so.
On the other hand, what do you think about the suid receiving the
password through the socket, staying the file descriptor for the
shortest time? I assume it encrypted.
Why use 2 binaries rather than one, more programs, more code, more
communication in between them equals to more attack surface.
I would stay with just one suid binary, more so if you want to go the
su-only route.
After having taken a look at the sudo source code I think it is by far
more complex than simple su, I personally
would avoid it at all, but this could be added later after having got
right the simpler su-only case.
I will see if I'm able to cobble toghether a working example code just
for the fun and to refresh
my C coding skills.
I started using two separate binaries due to the suid permissions.
Bypassing it, then the use of two binaries has no sense.
Just my 2 cents.
Ciao,
Tito
Thanks a lot!
Aitor.
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] why is polkit needed? dropin replacement
On 2/23/20 4:22 PM, Aitor wrote: Hi Tito, On 23/2/20 14:15, Tito via Dng wrote: On 2/23/20 1:54 PM, Aitor wrote: Hi, On 23/2/20 13:17, Aitor wrote: The binary won't be suid, but rather it'll receive the root password through the mentioned unix socket using internally (sudo | su) afterwards. As simple as that: system( "echo | sudo -S "); I tested my first draft and it works. Do it simple, isn't it? Aitor. Hi, this looks dangerous, isn't the password readable unencrypted in e.g. /proc? You should never send an unencrypted password over a shell or pipe. Usually the password as soon as it is inputted is encrypted with the correct cipher for the system and the buffer is zeroed, then the encrypted password is compared to what is in /etc/shadow or /etc/password or handled in the way is deemed fit. I suggest you to handle the passwords and the command and args to be run in your program This way: 1) password stays unencrypted for the shortest time 2) you have control and you can vet the env, program and args that are run. Hope this helps. Ciao, Tito Thanks for the info, i know... Some people ripped me to shreds in the IRC channel some years ago, when i started working on the backend of simple-netaid. This is only for testing the first part of the project. I have two ideas for the second part: - To have a look at the code of ssh-askpass, suggested by Didier Krin, whose dialog frame is useful only for X11 and not for wayland. Hi, i would use a simple gtk window with a gtkentry (Gtk2 GTK3 compatible) + 2 buttons (cancel, ok) that way it will be the gtk backend to care about X11 or wayland (i suppose...): "put into “password mode” using gtk_entry_set_visibility(). In this mode, entered text is displayed using a “invisible” character. By default, GTK+ picks the best invisible character that is available in the current font, but it can be changed with gtk_entry_set_invisible_char(). Since 2.16, GTK+ displays a warning when Caps Lock or input methods might interfere with entering text in a password entry. The warning can be turned off with the “caps-lock-warning” property." "Note that you probably want to set “input-purpose” to GTK_INPUT_PURPOSE_PASSWORD or GTK_INPUT_PURPOSE_PIN to inform input methods about the purpose of this entry, in addition to setting visibility to FALSE." On hitting Enter or the OK button this returns a gchar string (typdef of char) that could be fed to: encrypted = pw_encrypt(plaintext, /*salt:*/ pw_pass, 1); r = (strcmp(encrypted, pw_pass) == 0); free(encrypted); nuke_str(plaintext); return r; To see a good example take a look at: busybox/libbb/correct_password.c This is widely used code and most pitfalls are already handled. - To emulate keypress events in C code afterwards, according to the received password. Looks as overcomplex to me but I'm not a guru On the other hand, what do you think about the suid receiving the password through the socket, staying the file descriptor for the shortest time? I assume it encrypted. Why use 2 binaries rather than one, more programs, more code, more communication in between them equals to more attack surface. I would stay with just one suid binary, more so if you want to go the su-only route. After having taken a look at the sudo source code I think it is by far more complex than simple su, I personally would avoid it at all, but this could be added later after having got right the simpler su-only case. I will see if I'm able to cobble toghether a working example code just for the fun and to refresh my C coding skills. Just my 2 cents. Ciao, Tito Thanks in advance, Aitor. ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] why is polkit needed? dropin replacement
On 23/2/20 16:22, Aitor wrote: - To have a look at the code of ssh-askpass, suggested by Didier Krin, whose dialog frame is useful only for X11 and not for wayland. Kryn :) ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] why is polkit needed? dropin replacement
Hi Tito, On 23/2/20 14:15, Tito via Dng wrote: On 2/23/20 1:54 PM, Aitor wrote: Hi, On 23/2/20 13:17, Aitor wrote: The binary won't be suid, but rather it'll receive the root password through the mentioned unix socket using internally (sudo | su) afterwards. As simple as that: system( "echo | sudo -S "); I tested my first draft and it works. Do it simple, isn't it? Aitor. Hi, this looks dangerous, isn't the password readable unencrypted in e.g. /proc? You should never send an unencrypted password over a shell or pipe. Usually the password as soon as it is inputted is encrypted with the correct cipher for the system and the buffer is zeroed, then the encrypted password is compared to what is in /etc/shadow or /etc/password or handled in the way is deemed fit. I suggest you to handle the passwords and the command and args to be run in your program This way: 1) password stays unencrypted for the shortest time 2) you have control and you can vet the env, program and args that are run. Hope this helps. Ciao, Tito Thanks for the info, i know... Some people ripped me to shreds in the IRC channel some years ago, when i started working on the backend of simple-netaid. This is only for testing the first part of the project. I have two ideas for the second part: - To have a look at the code of ssh-askpass, suggested by Didier Krin, whose dialog frame is useful only for X11 and not for wayland. - To emulate keypress events in C code afterwards, according to the received password. On the other hand, what do you think about the suid receiving the password through the socket, staying the file descriptor for the shortest time? I assume it encrypted. Thanks in advance, Aitor. ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] why is polkit needed? dropin replacement
On 2/23/20 1:54 PM, Aitor wrote: Hi, On 23/2/20 13:17, Aitor wrote: The binary won't be suid, but rather it'll receive the root password through the mentioned unix socket using internally (sudo | su) afterwards. As simple as that: system( "echo | sudo -S "); I tested my first draft and it works. Do it simple, isn't it? Aitor. Hi, this looks dangerous, isn't the password readable unencrypted in e.g. /proc? You should never send an unencrypted password over a shell or pipe. Usually the password as soon as it is inputted is encrypted with the correct cipher for the system and the buffer is zeroed, then the encrypted password is compared to what is in /etc/shadow or /etc/password or handled in the way is deemed fit. I suggest you to handle the passwords and the command and args to be run in your program This way: 1) password stays unencrypted for the shortest time 2) you have control and you can vet the env, program and args that are run. Hope this helps. Ciao, Tito ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] why is polkit needed? dropin replacement
Hi, On 23/2/20 13:17, Aitor wrote: The binary won't be suid, but rather it'll receive the root password through the mentioned unix socket using internally (sudo | su) afterwards. As simple as that: system( "echo | sudo -S "); I tested my first draft and it works. Do it simple, isn't it? Aitor. ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] why is polkit needed? dropin replacement
Hi Tito, On 23/2/20 13:19, Tito via Dng wrote: Hi, please don't restrict it, make it a universally usable tool. Ok :) Why using a socket maybe KISS? For inspiration you can take a look at: https://git.busybox.net/busybox/tree/loginutils/su.c this is tested and widely used code. Thanks for the info. I'll give it a try. If you will use C as programming language and you any need help drop a line. Ciao, Tito BTW: it would be nice if this tool could be compiled with gtk2 or gtk3 this would allow more widespread adoption The first code (for testing purposes) will be taken from the frontend of simple-netaid -which is developed in gtkmm/C++-, but i can reverse it to Gtk/C over time. Cheers, Aitor. ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] why is polkit needed? dropin replacement
Hi, On 23/2/20 13:23, Aitor wrote: Hi Tom, On 23/2/20 13:21, tom wrote: What happens when a password isn't need, such as when a sudo policy is set? Are you referring to the sudo | su duality? Aitor. If so, the application might check the sudo permissions of the current user, reading the /etc/groups and /etc/sudoers files. ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] why is polkit needed? dropin replacement
Hi Tom, On 23/2/20 13:21, tom wrote: What happens when a password isn't need, such as when a sudo policy is set? Are you referring to the sudo | su duality? Aitor. ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] why is polkit needed? dropin replacement
On Sun, 23 Feb 2020 13:17:21 +0100 Aitor wrote: > Hi, > > On 23/2/20 12:34, Aitor wrote: > > > > Hi Steve, > > > > On 21/2/20 21:57, Steve Litt wrote: > >> Will it work even if I'm not using lxqt? Does it stand alone? > >> > >> SteveT > > I've just started developing a replacement for gksu in gtk2 > > following the same method used in simple-netaid, > > that is: a suid binary receiving the password through an unix > > socket, and the name of the application > > to be run as an argument in the command line. Since i'm not that > > expert on security stuff, maybe i'll > > restrict this tool only to a few graphical applications like > > synaptic, bleachbit, gparted, thunar, pcmanfm... > > Any suggestion for the name of this alternative? What about gkexec? > > > > Cheers, > > > > Aitor. > > > I rectify: > > The binary won't be suid, but rather it'll receive the root password > through the mentioned unix socket using internally (sudo | su) > afterwards. > > Aitor. > > What happens when a password isn't need, such as when a sudo policy is set? -- ___ / I smell like a wet reducing clinic on \ \ Columbus Day! / --- \ \ /\ /\ //\\_//\\ \_ _// / / * * \/^^^] \_\O/_/[ ] / \_[ / \ \_ / / [ [ / \/ _/ _[ [ \ /_/ ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] why is polkit needed? dropin replacement
On 2/23/20 12:34 PM, Aitor wrote: Hi Steve, On 21/2/20 21:57, Steve Litt wrote: Will it work even if I'm not using lxqt? Does it stand alone? SteveT I've just started developing a replacement for gksu in gtk2 following the same method used in simple-netaid, that is: a suid binary receiving the password through an unix socket, and the name of the application to be run as an argument in the command line. Since i'm not that expert on security stuff, maybe i'll restrict this tool only to a few graphical applications like synaptic, bleachbit, gparted, thunar, pcmanfm... Any suggestion for the name of this alternative? What about gkexec? Cheers, Aitor. Hi, please don't restrict it, make it a universally usable tool. Why using a socket maybe KISS? For inspiration you can take a look at: https://git.busybox.net/busybox/tree/loginutils/su.c this is tested and widely used code. If you will use C as programming language and you any need help drop a line. Ciao, Tito BTW: it would be nice if this tool could be compiled with gtk2 or gtk3 this would allow more widespread adoption. ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] why is polkit needed? dropin replacement
Hi, On 23/2/20 12:34, Aitor wrote: Hi Steve, On 21/2/20 21:57, Steve Litt wrote: Will it work even if I'm not using lxqt? Does it stand alone? SteveT I've just started developing a replacement for gksu in gtk2 following the same method used in simple-netaid, that is: a suid binary receiving the password through an unix socket, and the name of the application to be run as an argument in the command line. Since i'm not that expert on security stuff, maybe i'll restrict this tool only to a few graphical applications like synaptic, bleachbit, gparted, thunar, pcmanfm... Any suggestion for the name of this alternative? What about gkexec? Cheers, Aitor. I rectify: The binary won't be suid, but rather it'll receive the root password through the mentioned unix socket using internally (sudo | su) afterwards. Aitor. ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] why is polkit needed? dropin replacement
Hi Steve, On 21/2/20 21:57, Steve Litt wrote: Will it work even if I'm not using lxqt? Does it stand alone? SteveT I've just started developing a replacement for gksu in gtk2 following the same method used in simple-netaid, that is: a suid binary receiving the password through an unix socket, and the name of the application to be run as an argument in the command line. Since i'm not that expert on security stuff, maybe i'll restrict this tool only to a few graphical applications like synaptic, bleachbit, gparted, thunar, pcmanfm... Any suggestion for the name of this alternative? What about gkexec? Cheers, Aitor. ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
