Maintain System Creation Date (GRX)
John Esak
john at valar.com
Fri Mar 26 20:47:58 PDT 2010
Oh sorry, didn't mean to send that privately.

But (top posted as usual) there is a strangeness when using SYSTEM in
Linux... only because I'm used to SCO (okay, yuck accepted). Don't you
remember the endless hours we spent in the FP Room sorting out the thing
Dennis Malen originally found wouldn't work for something similar when he
was constructing a Lightmail line for the SYSTEM... I do. Ugh. We went
around for not hours but days.

The long and short of it disregarding PFEUID and something like PFFIXROOT or
PFROOTFIX... I forget. Anyway, disregarding them. Based on the actual
Linux, but pretty much 99% of the time. If you are a regular user and go
down to the SYSTEM your ID stays that user since filePro's rclerk/rreport
are SETUID executables. If you are root and go down to the SYSTEM you are
converted to filePro... That bugs me. I'm already working as root, why
should Linux force me to be some other entity? But it does.

That's all, no big deal except it creates havoc when creating files and then
wanting to do something in them or remove them, etc. Really about the best
fix is something I think Bill Randall told Jim Asman a while back... Just
set umask to the desired mod and that gives you a little more help.

My gripe is that if you are already executing the program as root and it is
SETUID... and that program forks a shell... you get it as filepro... Don't
you see that as stupid?

John
> -----Original Message-----
> From: Fairlight [mailto:fairlite at fairlite.com]
> Sent: Friday, March 26, 2010 11:02 PM
> To: John Esak
> Subject: Re: Maintain System Creation Date (GRX)
>
> Confusious (John Esak) say:
> > Ah, that's pretty cool. I seem to remember vm ware could do that stuff.
>
> Yeah, VMWare is basically a commercial alternative to VirtualBox with a
> few extra bells and whistles.
>
> > It's funny, you would think that exact thing would be on the "this is
> > too dangerous for mere mortals since it is a HUGE, HUMONGOUS security
> > leak" thing. I mean you could do anything with invoices, timestamped
> > the way you want, anything if you can set the system time in a script
> > environment and not affect anything else.
>
> I suppose it could be construed as a security leak. Although, to do a VM,
> you need physical (or RDP) access to the machine to start and set it up
> and do an install. Then you can -still- restrict access to the VM itself
> like any other *nix machine, via accounts. And shared folder access in
> VirtualBox requires 1) building and installing the kernel modules, and
> 2) setting up the shared folders, which again must be done at the host OS
> level...so again either physical or RDP access.
>
> So in reality, it's no more a security risk than any normal *nix box. In
> fact, less so, as if it's cracked, it doesn't affect the host OS unless
> you set things up with read/write shared folders, etc. That's why I have
> my OpenVPN inside a VM, rather than running as a Windows service itself.
> It's kind of a nice sandbox environment, really.
>
> > This would seem contrary to the normal "linux idiocy" of not letting
> > someone who is *already* root not escape to the system using filePro's
> > SYSTEM command - but rather forcing them to become "filePro" since that
> > is who owns the filePro SUID program (either c8clerk or c8rreport). This
> > always seemed so counter-intuitive to the way the little shits think who
> > program the various linux flavors.
>
> I don't follow. There's no case of which I'm aware that you can't get
> root access via the SYSTEM command in filePro. The UID change is bash's
> fault; if you're anyone other than filepro when you invoke an SUID
> program, then it drops privs when the intervening bash is invoked by
> system() at the C level. If you were 'john' to start, you'll be 'john'.
> If you were root, it should drop you to root--which would be ironic,
> since you -gain- privileges by bash dropping the EUID. :)
>
> > I mean here in VM you can change the system time at your need, and that
> > is surely a security problem of some kind, where what I just related,
> > isn't. My feeling is ... If you are root already when you call rclerk
> > and execute a SYSTEM command... why in the hell force this ID change.
> > It's not counter-intuitive, it's stupid.
>
> Well it's sounding like what you're saying runs contrary to what I just
> said above. So I'm curious...if you do SYSTEM "id" on a linux box, what
> comes back if you start as a normal (non-zero UID) user, and what comes
> back if you started off as root? In either event, bash should just drop
> the EUID for filepro, and leave you as whatever your real UID is.
>
> > Oh God, did I just open up a thread about Linux here in the place I
> > just groused somebody else out for thread creeping away from
> > filePro... :-(
> > Okay, I take it all back.
>
> Actually, you sent this privately only to me. :)
>
> mark->
>
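
Added example, not part of the original thread and not filePro's code: the exchange above turns on which IDs a shell ends up with when a setuid program launches it through system(). A setuid program that does not want to depend on the shell's own behaviour can move back to the invoker's real IDs itself before exec'ing /bin/sh. The helper name `run_shell_as_real_user` and its `mask` parameter are hypothetical.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not filePro code): run `cmd` through /bin/sh with the
 * caller's real IDs, whichever shell /bin/sh happens to be.
 * Returns the command's exit status, or -1 on fork/wait failure. */
int run_shell_as_real_user(const char *cmd, mode_t mask)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: drop the group first, then the user. In a setuid binary
         * this moves the effective ID back to the invoker (john or root);
         * execl() below then copies it into the saved ID as well. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(126);
        /* Refuse to continue if the drop did not take effect. */
        if (geteuid() != getuid() || getegid() != getgid())
            _exit(126);
        umask(mask);    /* predictable modes for files the command creates */
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);     /* exec failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* The SYSTEM "id" experiment from the thread, run from this process. */
    printf("parent: ruid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    return run_shell_as_real_user("id; umask", 022) != 0;
}
```

Built without the setuid bit, the parent's real and effective IDs are already equal; the drop only changes anything when the binary is installed setuid to another account.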