Question regarding shell user creation at login time

David Taylor davidt at yadt.co.uk
Thu Apr 1 16:15:36 PST 2004


On Tue, 30 Mar 2004, ghos wrote:
> 
> You wrote 29 mar 2004, 8:05:55 +0500:
> 
> > Hi,
> 
> > I traced sshd using ktrace and it says:
> > ......
> >   10198 new      CALL  setuid(0)
> >   10198 new      RET   setuid -1 errno 1 Operation not permitted
> >   10198 new      CALL  execve(0x80485d0,0xbfbfed8c,0xbfbfed94)
> >   10198 new      NAMI  "/home/new/new.pl"
> >   10198 new      RET   execve -1 errno 13 Permission denied
> >   10198 new      CALL  exit(0xffffffff)
> > .....
[snip]
> 
> > Directory:
> 
> > public# ls -la ~new
> > total 46
> > drwxr-xr-x  2 root  wheel    512 Mar 29 09:10 .
> > drwxr-xr-x  8 root  wheel    512 Mar 25 15:28 ..
> > -r--r-----  1 root  new      767 Mar 24 17:43 .cshrc
> > -r--r-----  1 root  new      248 Mar 26 12:32 .login
> > -r--r-----  1 root  new      158 Mar 24 17:43 .login_conf
> > -r--r-----  1 root  new      373 Mar 24 17:43 .mail_aliases
> > -r--r-----  1 root  new      331 Mar 24 17:43 .mailrc
> > -r--r-----  1 root  new      797 Mar 24 17:43 .profile
> > -r--r-----  1 root  new      276 Mar 24 17:43 .rhosts
> > -r--r-----  1 root  new      975 Mar 24 17:43 .shrc
> > -rwsr-x---  1 root  new     4651 Mar 26 08:47 new
> > ----------  1 root  wheel     94 Mar 26 08:47 new.c
> > -r-x------  1 root  wheel  15430 Mar 25 15:16 new.pl
> > -rw-r--r--  1 root  wheel     52 Mar 25 16:52 new.sh
> 
> 
> > Can somebody tell me the reason why it failed?
> 
> > Thanks in advance,
> 
> > Ganbold
> 
> You are not root! You are 'new' in 'new'-group. Try this:
> # chmod g+x ~new/new.pl

But in theory he should be root, since ~new/new is suid root.  Since
setuid(0) is failing, you are presumably correct that he is not, though.

In any case, ~new/new.pl is owned by group wheel, so g+x won't help,
without also changing the group to 'new'.  Also, I think for scripts at
least, read permission is required in addition to execute permission.
(Since you're executing the interpreter, which then reads the script)

I'd suggest checking get[e]uid() in ~new/new, and figuring out what it's
running as (presumably 'new' group 'new'), and why it's not running as
'root', which it should be.  If you give 'new' a "real" shell and log in,
then execute ~new/new, what uid does it run as? If that works, I guess
it's something ssh is doing (or a bug/feature in the kernel tickled by ssh)

As for whether it's a good idea to be trying to set up an automated free
shell server without being able to make the above work with your eyes
closed... well...

Assuming it's just a spare box with some spare network bandwidth to it,
and no important data or access to important hosts on the same network,
you probably don't care what happens to it.  Just remember that _you_ will
be held responsible if people start sending worms/spam/abuse from your
host, or start installing irc bots (which can be the target of large
denial of service attacks).

Personally, trying to keep a shell service running for paying (some of
them at least, the rest were using stolen credit cards) customers was
enough of a nightmare to encourage me never to give anyone I wouldn't
explicitly trust with root on my box any access at all.

-- 
David Taylor
davidt at yadt.co.uk
"The future just ain't what it used to be"
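
Added example (not part of the original message or of the poster's new.c): a small C diagnostic that prints the real and effective ids a wrapper such as ~new/new is running with, and evaluates the classic owner/group/other check for running a #! script, which needs both read and execute permission. It assumes the standard Unix mode-bit rules and ignores supplementary groups and ACLs; the function names are hypothetical.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

/* Classic Unix check: exactly one class (owner, else group, else other) is
 * consulted. euid 0 bypasses read checks but still needs some x bit to exec.
 * Assumption: supplementary groups and ACLs are not considered. */
static int class_allows(mode_t mode, uid_t fuid, gid_t fgid,
                        uid_t euid, gid_t egid, mode_t want)
{
    mode_t bits;

    if (euid == 0)
        return !((want & 1) && !(mode & 0111));
    if (euid == fuid)
        bits = (mode >> 6) & 7;
    else if (egid == fgid)
        bits = (mode >> 3) & 7;
    else
        bits = mode & 7;
    return (bits & want) == want;
}

/* A #! script needs x for execve() and r so the interpreter can open it. */
int can_run_script(mode_t mode, uid_t fuid, gid_t fgid, uid_t euid, gid_t egid)
{
    return class_allows(mode, fuid, fgid, euid, egid, 5 /* r-x */);
}

int main(int argc, char **argv)
{
    struct stat st;

    /* If the setuid bit took effect, euid is 0 while ruid is the login user. */
    printf("ruid=%ld euid=%ld rgid=%ld egid=%ld\n",
           (long)getuid(), (long)geteuid(), (long)getgid(), (long)getegid());
    if (argc > 1 && stat(argv[1], &st) == 0)
        printf("%s: mode %04o owner %ld group %ld -> %s\n", argv[1],
               (unsigned)(st.st_mode & 07777), (long)st.st_uid, (long)st.st_gid,
               can_run_script(st.st_mode, st.st_uid, st.st_gid,
                              geteuid(), getegid()) ? "runnable" : "EACCES");
    return 0;
}
```

Run it once from a normal login shell and once as the ssh login shell, passing the script path as the argument, to compare the ids in both cases.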


More information about the freebsd-hackers mailing list