More sudo goodness
2009-06-10 21:39 - coding security
I’m working on a few projects at Google that require adding things to the sudoers file to permit a role user a very limited set of privileged commands on a very limited set of machines.
Unfortunately, the current way of handling this in anything but the very latest Debian Sid/Ubuntu Karmic is rather poor – one needs to add line by line to /etc/sudoers, removing any outdated entries, and then check the integrity using visudo.
Wouldn’t it be nice if there were a sudoers.d equivalent? Well, there is the #include directive in sudo 1.7.0, but none of the stable shipping debian-based distributions have anything newer than sudo 1.6.9.
Fortunately, Sid and Karmic now have sudo 1.7.0, meaning that it’s now sane to backport their sudo packages to the LTS editions of Ubuntu in use at Google. I’ve done this using prevu for Ubuntu dapper and hardy and verified that the packaging works without modification – just rebuild and deploy.
The bug is located at https://bugs.launchpad.net/hardy-backports/+bug/384100 should some kind souls wish to try the backport and report back on the results :) – instructions on using prevu are at https://wiki.ubuntu.com/Prevu should one not wish to trust me with building sudo binaries ;).
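As an added example (not code from the post or from the sudo project), here is how a per-role fragment can be generated and syntax-checked with visudo before it is dropped into place; the role name, hosts and commands are hypothetical placeholders, and /etc/sudoers needs a matching #include line for the fragment:

```shell
#!/bin/sh
# Added example, not from the post: render a sudoers fragment for a role user
# with a fixed command list on a fixed host set, then validate it before install.
# Role, hosts, commands and file names below are hypothetical placeholders.

# Print a fragment granting $1 the commands in $3 on the hosts in $2, as root only.
render_fragment() {
    role="$1"; hosts="$2"; cmds="$3"
    printf 'Host_Alias  ROLE_HOSTS = %s\n' "$hosts"
    printf 'Cmnd_Alias  ROLE_CMDS = %s\n' "$cmds"
    # NOPASSWD because a role user normally has no password; scope is limited
    # by the two aliases rather than by a password prompt.
    printf '%s ROLE_HOSTS = (root) NOPASSWD: ROLE_CMDS\n' "$role"
}

# Write $2 to a temp file, reject it unless visudo -cf accepts it, then move it
# into $3 (default /etc/sudoers.d) with the 0440 mode sudo expects.
# /etc/sudoers must then carry:  #include /etc/sudoers.d/<name>
install_fragment() {
    name="$1"; content="$2"; dir="${3:-/etc/sudoers.d}"
    tmp=$(mktemp) || return 1
    printf '%s\n' "$content" > "$tmp"
    if ! visudo -cf "$tmp" >/dev/null; then
        rm -f "$tmp"
        return 1
    fi
    chmod 0440 "$tmp" && mv "$tmp" "$dir/$name"
}

# Usage with hypothetical values; the install line is left commented out
# because it needs root and a real visudo.
frag=$(render_fragment deploy "web01,web02" \
    "/usr/sbin/service apache2 reload, /bin/cat /var/log/apache2/error.log")
printf '%s\n' "$frag"
# install_fragment 50-deploy "$frag"
```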

sudo 1.6.9 interactions with PAM and libpam_afs_session
2007-11-22 14:01 - ugcs security
For those using libpam_afs_session or any other PAM session modules on Debian Lenny or Sid:
sudo 1.6.9p6-1, which migrated into testing on 2007-11-04, introduced a change in which pam_open_session and pam_close_session are now called before and after command execution.
Previously, in the 1.6.8 branch of sudo, these calls were not made, and therefore there were no references to session modules in /etc/pam.d/sudo. The new calls resulted in the session entries being read from /etc/pam.d/other (the default PAM stack file); in Debian, this defaults to reading /etc/pam.d/common-session, etc. However, the Debian way is to explicitly @include the PAM common-* files in each service’s own PAM file instead of just letting things fall through to /etc/pam.d/other; it’s a bug that sudo now calls the session stack but doesn’t mention it in its PAM file (one reason it was so difficult for me to track this down).
Since we were invoking pam_afs_session.so and pam_unix.so in common-session, a new PAG was being created on every sudo, and the Unix logging of sessions was also being triggered unnecessarily. The creation of a new PAG on sudo meant that we couldn’t read files in our own home directories after sudoing, so trying a dpkg -i ~/package_1.0.0-1_i386.deb, running nano (due to accesses to ~/.nano_history), etc. were all triggering all sorts of nasty warnings.
For us, the fix was to add the entries from common-session to /etc/pam.d/sudo except for the pam_afs_session.so entry, causing the default common-session entries to not be invoked since there are now session entries in /etc/pam.d/sudo. However, I don’t see an easy default way for Debian to do things – using pam_permit might be a sensible default (and wouldn’t cause any /new/ behavior compared to 1.6.8), but the common-* defaults exist for a reason…
I’ve filed Debian Bug #452457 about this issue.
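The workaround above, as an added example that is not from the post: the session lines are copied out of common-session with the pam_afs_session.so entry dropped, so /etc/pam.d/sudo gets its own session stanza and PAM stops falling through to /etc/pam.d/other. The common-session content is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the post: build the session stanza for /etc/pam.d/sudo
# from a Debian common-session file, leaving out pam_afs_session.so so that sudo
# no longer creates a fresh PAG. The input below is constructed sample content.

# Constructed sample of /etc/pam.d/common-session as described in the post.
SAMPLE_COMMON_SESSION='# /etc/pam.d/common-session (constructed sample)
session required pam_unix.so
session optional pam_afs_session.so'

# Print the "session" lines of the PAM file text in $1, skipping any line that
# mentions the module named in $2; comments and blank lines are dropped.
filter_session_lines() {
    printf '%s\n' "$1" | awk -v skip="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == "session" && index($0, skip) == 0 { print }'
}

# The stanza to append to /etc/pam.d/sudo. Once the file has its own session
# entries, the common-session defaults are no longer reached via /etc/pam.d/other.
sudo_session_stanza() {
    printf '# session entries copied from common-session, minus pam_afs_session.so\n'
    filter_session_lines "$SAMPLE_COMMON_SESSION" pam_afs_session.so
}

sudo_session_stanza
```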

AFS, Apache, and pseudo-SuExec
2007-09-22 02:45 - ugcs security
It’s been an exceptionally busy week for me on the UGCS front, despite my being on vacation and traveling.
On Monday morning, we migrated everyone’s mail over to our nice new shiny 8-core Xeon server (hermes) and forced everyone into using our new Kerberos infrastructure to authenticate against IMAP and POP. There have been quite a large number of problems we discovered after the migration which we didn’t quite catch during initial testing, but as of Thursday we had everyone’s legacy mail converted and mail delivery was finally stable. I’ll blog separately about that when I have working configs to post should someone attempt to do an effort similar to UGCS in the future (I’m currently debugging an issue with mail forwarding at the moment). In short, we’ve set up delivery to maildirs on AFS, postfix, dovecot, GSSAPI auth (Kerberos), LDAP mail delivery settings and nss info, mailman, amavisd, clamd, and spamassassin all happily playing with each other now.
We also ended up moving over web services to the new ‘service’ machine (poseidon) on Thursday because the old webservers had finally had it and were timing out and refusing to function.
Inspired by this post by Todd Lewis from the University of North Carolina, but lacking his source code, I endeavored to create an equivalent for SuEXEC for our users. The problem is that Apache does not run with the Kerberos tokens of users, so it cannot execute sensitive read or write operations on user data, only read the data in ~/public/www. Many of our users rely on using CGI to manipulate flat file databases, etc., so this was somewhat of a priority to get them some level of control over their data using CGI without opening them up to cross-user scripting vulnerabilities from malicious users.
http://www.ugcs.caltech.edu/~elizabeth/cgi-wrapper is the result of my efforts – it’s meant to be run setuid as root and executable only by Apache when Apache matches “ScriptAliasMatch ^/~(.+)/cgi-bin/(.*) /usr/local/sbin/cgi-wrapper”. $10 security bug bounty, payable via Paypal to the first person who finds a security hole in it. The script was largely written according to Todd’s spec, and essentially pulls the tokens for a user from a root-only file, sets environment variables so the wrapped script won’t notice the aliasing, and then changes uid/gid to the user and creates a new PAG context with the tokens for that user’s cgi subuser. The cgi subuser can be assigned very limited permissions using AFS ACLs, so a vulnerable cgi script can’t wipe out one’s homedir or mail (unless of course given permission to do so).
Now that our webservices are up, I’ve migrated the UGCS development wiki over to poseidon, but it currently requires a Kerberos login to view (sorry, guys). I used mod_auth_krb plus Extension:AutomaticREMOTE_USER to make it work.
All in all, a very productive week on my side project :) – we’re definitely going to make the September 29th switchover date to shut down the old cluster and convert old cluster’s servers into shell machines in the new cluster.

Referrer log fun
2007-06-04 18:25 - some-customers-suck security
It’s definitely amusing going over my referrer logs and seeing people searching for “puzzle pirates cheats”, “puzzle pirates hacks”, or “puzzle pirates exploits” visiting my blog. Do you really think that I’d post information on how to break into a game I develop on my blog? I certainly think I’d be willing to publish a postmortem of any major problems in the hopes of giving people a better idea of how Three Rings works on the development side. However, I find it very disappointing how many players want to devalue their own experience and those of other players by seeking out ways to gain an unfair advantage. Puzzle Pirates has only had a few large-scale incidents (Whitefire’s multi-million poe pillage a number of years ago comes to mind), and each time we were able to track down the problem and correct it fairly quickly. We closely monitor the economic state of the game for anomalous activity, receive tips from upstanding players about possible bugs, and have the ability to track all item and currency transactions within the game easily. Other game studios almost certainly have similar degrees of rigor over their respective products. It is not possible to get away with cheating in modern massively multiplayer online games; trying to cheat ruins a good portion of the fun. Don’t even try – chances are that you’ll just lose your account without any gain.
On that note, I’ve been contemplating putting together a number of proposals for a GDC panels regarding customer support systems and anti-cheating mechanisms. But more on that later…

Mailman-Reencrypt 0.09-prealpha
2007-05-14 09:56 - coding security
I was trying to figure out the best way of using a company-owned GPG/PGP key to decrypt inbound confidential communications arriving at a group inbox without giving each user the private key for the company key. The solution had previously been devised by Mr. Bad <mr.bad@pigdog.org> in the form of a Mailman filter named mmreencrypt – however, the script was written in 2000 and Mailman’s APIs have changed in such a manner as to render mmreencrypt incompatible. The idea is to decrypt and immediately re-encrypt to all list recipients’ individual keys.
I’ve devoted some of this past weekend to porting it to work with Mailman 2.1.9; the retitled project is now named Mailman-Reencrypt and is available from http://www.ctyalcove.org/~elizabeth/Reencrypt.py (sig) – it remains under the GPL as a derivative work. I’ve bumped the version number up to 0.09-prealpha from 0.06.
Features:
- Correctly works with Mailman 2.1.9
- Passes through non-encrypted content unchanged.
- Decrypts messages with list key and re-encrypts to individual members’ keys, signed with the list key for verifiability
Bugs:
- Clobbers any non-encrypted content in messages containing encrypted content.
- Does not include support for decrypting attachments at present and will clobber them.
- Does not support decrypting multiple encrypted blocks
- Does not preserve signature information from original message or assert that message was signed when originally received in reencrypted message.
- Undefined behavior if the message is encrypted to a key which is not the list private key.
- Fails if mailing list recipient public keys are not all in the database and signed (can be non-exportable) by the list private key.
- Discloses all recipient key id’s since messages are not individually encrypted to one recipient at a time.

An urgent message about Windows security.
2006-01-01 23:58 - coding security
From an e-mail sent out to Dabney and Blacker about 24 hours ago, if you read this blog and haven’t heard it elsewhere.
As you may or may not know, there’s an exploit in the wild that will allow an attacker to take complete control of your user account in Windows if you simply view a webpage containing a specially crafted image file created by the attacker. This includes forums, weblogs, websites, and many other places you may commonly visit, where users can post content – it’s not necessarily limited to underworld sites. Internet Explorer will allow the attack without any notification to you that it is happening, or opportunity to block it, while Firefox will display a notice that the website wants to use “Windows Picture and Fax Viewer” to open a file (which you should say cancel/no to). If such an exploit file gets on your machine, and you have Google Desktop Search, you will get infected even if you never open the file. It’s pretty nasty, and can be used for any number of nefarious purposes, including logging your keystrokes, collecting credit card numbers, using your machine to send spam, installing spyware, etc.
The reason for the sudden urgency is that someone has recklessly published code which will allow anyone to create a new .wmf file with random content that runs commands of the attacker’s choosing, and which is entirely different from any other such .wmf files, rendering it very difficult to catch with antivirus software. This means that the infection rate is likely to skyrocket – already, allegedly, “McAfee announced on the radio [Dec. 30] they saw 6% of their customer having been infected with the previous generation of the WMF exploits. 6% of their customer base is a huge number.”
There is no patch from Microsoft available at the present, but there are two steps which will act as a temporary workaround until Microsoft issues a patch. I’ve taken this action on all the Blacker/Dabney lab computers I am responsible for, recommended that the Puzzle Pirates staff take this action, and I recommend that you do the same to your personal computers, as well as avoiding usage of Internet Explorer for the time being:
- As an admin user: start->run, then regsvr32 -u %windir%\system32\shimgvw.dll (a dialog box will pop up saying that shimgvw.dll has been successfully unregistered).
- Download http://handlers.sans.org/tliston/wmffix_hexblog13.exe to your computer. Run it as administrator, and it will prevent the vulnerable functions from being called.
- Reboot your computer following the preceding two steps.
When an official patch from Microsoft is released, you can undo the changes by uninstalling the hotfix from add/remove programs, and doing start->run, regsvr32 %windir%\system32\shimgvw.dll
Please follow these directions as soon as humanly possible, to prevent your own machine from being compromised, as well as helping stop the spread of the epidemic in general. I personally find it ridiculous that the exploit and vulnerability were announced on December 27th, and Microsoft has still not produced a patch – any exploit triggered without warning by viewing a webpage in Internet Explorer is Really Bad.
With the recent phpBB vulnerabilities as well, I’m worried about a “Perfect Storm” worm situation, in which compromised Windows PCs compromise phpBB boards and insert malicious .wmf files in the headers/footers, infecting further users, ad nauseam. Granted, this is more sophisticated than most current exploits, which are confined to reproducing on either the client or server end only, and are placed on the server end by manual cracking techniques. It’s not something I’d put past the black hats, though.
Liz
References:
- Official Microsoft security advisory, including the shimgvw unregistration instructions
- Announcement of the unofficial workaround patch, written by the highly respected author of IDA Disassembler Pro
- Internet Storm Center FAQ about the exploit
- A plea/recommendation from the Internet Storm Center handlers (excerpted below):
I’ve written more than a few diaries, and I’ve often been silly or said funny things, but now, I’m being as straightforward and honest as I can possibly be: the Microsoft WMF vulnerability is bad. It is very, very bad.
This is a bad situation that will only get worse. The very best response that our collective wisdom can create is contained in this advice – unregister shimgvw.dll and use the unofficial patch. You need to trust us.
- Weblog of F-Secure, an antivirus company leading analysis of this exploit
- Original FrSIRT advisory and (highly irresponsible) release of script kiddie exploit code
- The official common vulnerabilities/exposures identification/tracking name of this specific exploit, with links to official advisories

