Default permissions on supervise/ok

supervision - discussion about system services, daemon supervision, init, runlevel management, and tools such as s6 and runit
 help / color / mirror / Atom feed

* Default permissions on supervise/ok
@ 2013-05-20 23:52 eam
  2013-05-21  0:47 ` Charlie Brady
  0 siblings, 1 reply; 6+ messages in thread
From: eam @ 2013-05-20 23:52 UTC (permalink / raw)
  To: supervision

I'd like to allow any user to access supervise/ok, in order to run
`sv stat`, but not to access supervise/control. My understanding is that
this is safe, as supervise/ok is a read-only interface. Is this accurate,
and is this a reasonable idea? Anything I should be warned about? Am I
overlooking anything important?

chmod 755 supervise
chmod 666 supervise/ok

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Default permissions on supervise/ok
  2013-05-20 23:52 Default permissions on supervise/ok eam
@ 2013-05-21  0:47 ` Charlie Brady
  2013-05-21  4:43   ` eam
  0 siblings, 1 reply; 6+ messages in thread
From: Charlie Brady @ 2013-05-21  0:47 UTC (permalink / raw)
  To: eam; +Cc: supervision


On Mon, 20 May 2013, eam@frap.net wrote:

> I'd like to allow any user to access supervise/ok, in order to run
> `sv stat`, but not to access supervise/control. My understanding is that
> this is safe, as supervise/ok is a read-only interface. Is this accurate,
> and is this a reasonable idea? Anything I should be warned about? Am I
> overlooking anything important?
> 
> chmod 755 supervise
> chmod 666 supervise/ok

Why wouldn't you use 644 for supervise/ok? Remember that you have no 
guarantee that Joe User will use 'sv' to access the file.


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Default permissions on supervise/ok
  2013-05-21  0:47 ` Charlie Brady
@ 2013-05-21  4:43   ` eam
  2013-05-21  9:58     ` Laurent Bercot
  0 siblings, 1 reply; 6+ messages in thread
From: eam @ 2013-05-21  4:43 UTC (permalink / raw)
  To: Charlie Brady; +Cc: supervision

On Mon, May 20, 2013 at 08:47:37PM -0400, Charlie Brady wrote:
> 
> On Mon, 20 May 2013, eam@frap.net wrote:
> 
> > I'd like to allow any user to access supervise/ok, in order to run
> > `sv stat`, but not to access supervise/control. My understanding is that
> > this is safe, as supervise/ok is a read-only interface. Is this accurate,
> > and is this a reasonable idea? Anything I should be warned about? Am I
> > overlooking anything important?
> > 
> > chmod 755 supervise
> > chmod 666 supervise/ok
> 
> Why wouldn't you use 644 for supervise/ok? Remember that you have no 
> guarantee that Joe User will use 'sv' to access the file.

sv refuses to run if it can't open the fifo as writable. My intent is to
allow any user to inspect the process state, but not influence it.

My understanding is that runsv will never read from the fifo, and will
only use opening it as a test to verify the process exists the other end.
This doesn't seem exploitable as it's a read-only channel. At least, as
far as I can tell.

supervise/status already has 644 perms, which is fine because `sv` opens
it readonly, but the default permission on the parent supervise/ directory
are 700 which prohibits access.

Control of runsv is performed over supervise/control, which I would not
make world or group writable, of course.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Default permissions on supervise/ok
  2013-05-21  4:43   ` eam
@ 2013-05-21  9:58     ` Laurent Bercot
  2013-05-21 15:29       ` eam
  0 siblings, 1 reply; 6+ messages in thread
From: Laurent Bercot @ 2013-05-21  9:58 UTC (permalink / raw)
  To: supervision

> My understanding is that runsv will never read from the fifo, and will
> only use opening it as a test to verify the process exists the other end.
> This doesn't seem exploitable as it's a read-only channel. At least, as
> far as I can tell.

 Here's an exploit:

 If runsv is down, "sv status" will normally return a "runsv not running"
message. But if some user has supervise/ok open for reading, "sv status"
will mistakenly think runsv is running, because it assumes runsv is the
only process able to keep supervise/ok open for reading. So, a user can
deny a service recovery routine from running.

 Don't meddle with supervise/ permissions. If you want to trust a group
of users with service checking/control abilities, make the sv binary
setgid.
 Unfortunately, runit does not separate service checking and service
control abilities at the executable level, so I'm afraid you cannot
achieve what you want here.

 Shameless plug: you could switch s6, which gives you s6-svok and
s6-svstat executables for service checking, separate from the s6-svc
executable for service control. You can make s6-svok and s6-svstat
setgid at your convenience, without endangering the reliability of the
service.

-- 
 Laurent

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Default permissions on supervise/ok
  2013-05-21 15:29       ` eam
@ 2013-05-21 15:10         ` Laurent Bercot
  0 siblings, 0 replies; 6+ messages in thread
From: Laurent Bercot @ 2013-05-21 15:10 UTC (permalink / raw)
  To: supervision

> Hm, interesting. Though 622 permissions would correct this, right?
> Writable, but not readable?

 I think it would work, yes, but I haven't thought too much about it.
Don't quote me on that ^^


> Any concerns about making the directory readable and executable?

 That shouldn't cause any problems.

-- 
 Laurent


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Default permissions on supervise/ok
  2013-05-21  9:58     ` Laurent Bercot
@ 2013-05-21 15:29       ` eam
  2013-05-21 15:10         ` Laurent Bercot
  0 siblings, 1 reply; 6+ messages in thread
From: eam @ 2013-05-21 15:29 UTC (permalink / raw)
  To: supervision

On Tue, May 21, 2013 at 11:58:14AM +0200, Laurent Bercot wrote:
> > My understanding is that runsv will never read from the fifo, and will
> > only use opening it as a test to verify the process exists the other end.
> > This doesn't seem exploitable as it's a read-only channel. At least, as
> > far as I can tell.
> 
>  Here's an exploit:
> 
>  If runsv is down, "sv status" will normally return a "runsv not running"
> message. But if some user has supervise/ok open for reading, "sv status"
> will mistakenly think runsv is running, because it assumes runsv is the
> only process able to keep supervise/ok open for reading. So, a user can
> deny a service recovery routine from running.

Hm, interesting. Though 622 permissions would correct this, right?
Writable, but not readable?

Any concerns about making the directory readable and executable?


^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2013-05-21 15:29 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2013-05-20 23:52 Default permissions on supervise/ok eam
2013-05-21  0:47 ` Charlie Brady
2013-05-21  4:43   ` eam
2013-05-21  9:58     ` Laurent Bercot
2013-05-21 15:29       ` eam
2013-05-21 15:10         ` Laurent Bercot

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).