useradd ? help... please!

This clueless newbix could benefit from some help re. user ids / 
group ids etc, creation and modification, and the mechanics of 
file access rights under linux:

I've got 2 different linuces installed on separate (ext3) 
partitions of my main HD. Of course each linux OS can mount & 
'see' the other one's dedicated partitions.

Both have an (unprivileged) user named 'ninho', /but/ the 
problem is, their respective user numbers, which is what matters 
for file ownership (UIAM), are different - no luck here! Assume 
for simplicity ninho's user numbers are 501  in linux1, resp. 
502 in linux2.

I'd like to add/modify users/groups/permissions... as needed for 
'ninho 501' to be able to (from the linux1 system) browse, 
access and modify files owned by 'ninho 502' /easily/ (& without 
switching to root!)

What would be the simplest way to achieve this, using, maybe, 
some 'useradd' and/or 'groupadd' magic ? 

Supplementary trivia : 
= there is not yet a user number 502 in linux1 (nor vice versa). 

Thanks in advance for your generous help with (some) theory and 
(hopefully even more) practical advice, including scripts as may 
be needed. 

-- 
Ninho
Ninho
1/28/2013 7:20:20 PM
grc.techtalk.linux

On Mon, 28 Jan 2013 19:20:20 +0000 (UTC)
Ninho <don't.use!@this.is.invalid> wrote:

> I've got 2 different linuces installed on separate (ext3) 
> partitions of my main HD. Of course each linux OS can mount & 
> 'see' the other one's dedicated partitions.

what are they, the two different Linux distributions?

-- 
CK
Charles
1/28/2013 8:58:16 PM
On the grc.techtalk.linux
from  exhocforte@gmail.com, Charles Kroeger decided to say:

> what are they, the two different Linux distributions?

Gee, where do they crawl out of?

-- 
Mark Cross @ 01/28/2013 5:28 p.m.

The network is up.

Mark
1/28/2013 9:28:59 PM
Charles Kroeger asked:

> what are they, the two different Linux distributions?

My main Linux is good old SuSE 9.1 Pro (Novell's, back in 2004);
the other one is a more modern PCLOS 'MiniME' 2010 version, 
which serves mostly for compiles and to run Virtual Box. Both 
are 2.6.x kernels anyway. 

I was not expecting it mattered for resolving the file access 
question, but here you are. Do you need more detail yet ? Thank 
you for caring

-- 
Ninho

Ninho
1/28/2013 10:19:04 PM
On the grc.techtalk.linux
from  don't.use!@this.is.invalid, Ninho decided to say:

> I'd like to add/modify users/groups/permissions... as needed for
> 'ninho 501' to be able to (from the linux1 system) browse,
> access and modify files owned by 'ninho 502' /easily/ (& without
> switching to root!)

Well, Ninho, this will be a bit longish post.

On a quick analysis I see three possible solutions. I recommend using 
solution 3; even if the others may look simpler, they are not in the long 
run.

Problem definition:
You have a user (let's call her Alice) who is number 501 in computer 
(system/OS) A, and user Bob who is number 502 in computer (system/OS) B.

You want to give Alice access to all Bob's files and vice versa.

1.- Create a group with both users in it, and give permissions (as wanted) 
to both Alice and Bob.

You need to create the user Alice in system B, and user Bob in system A:
    Probably the best way to do so is using "sudo kuser" in KDE or
    "System Settings" --> "User Accounts" in Gnome. Those are the gui apps
    to manage user accounts. Or, if you need the CLI way, something like:
      Create the user group (must exist to create the user):
        addgroup bob
      Create the user (Debian-style adduser syntax; long options take --):
        adduser --ingroup bob --home /home/bob --shell /bin/bash --uid 502 bob
      Create a password for bob:
        passwd bob
    Now create the group to contain both Alice and Bob:
        addgroup abcommon
      Add both users to it:
        adduser alice abcommon
        adduser bob abcommon
    Make all files in the directory that needs access belong to the shared
    group, and give that group read/write permission:
    (DON'T do this on root '/', or any system dir, you've been warned !!!!)
        cd /home/alice/
        chgrp -R abcommon .
        chmod -R g+rw .

2.- Do half the above; the systems will not be symmetric (equal).
    As Bob has full access in B to the files, just create Bob in A.
    Do the group thing.

3.- Make Alice and Bob have the same UID.
    As you are going to change the access values for Alice in A, you need
    to log-in to a non-gui console at boot as root.
    If you don't know how to access non-gui consoles (CTRL-ALT-F2 for
       example), then you will just have to pull the plug to force
       a reboot when the changes have been done.

    As root in system B: Just do "sudo nano /etc/passwd", find user Bob
    and change its number to 501, save, exit nano. Now the user Bob has
    the 501 number (as viewed by the system), but no file belongs to 501,
    right?

    Then we find all 502 owned files/dir and change them to 501/(bob):
         find /home/bob -uid 502 -execdir chown bob:bob {} +
    I am assuming there is a group called bob
    Maybe now the reboot command will work (or not?)

    Just reboot the system, so the new passwd file and files permissions
    are loaded and used for the user Bob.

Good Luck

That's all.

-- 
Mark Cross @ 01/28/2013 6:29 p.m.

The network is up.

Mark
1/28/2013 10:41:23 PM
Mark Cross wrote:

> Well, Ninho, this will be a bit longish post.

And I'm very grateful for it all,

> On a quick analysis I see three possible solutions. I'll recommend to use
> solution 3, even if the others may look simpler, they are not in the long
> run.

Yes, your number 3 gives by far the best fit. Only I was not 
sure how to go after x hundred files and dirs to adjust their 
ownership bits...

[....] 

> 3.- Make Alice and Bob have the same UID.
>     As you are going to change the access values for Alice in A, you need
>     to log-in to a non-gui console at boot as root.
>     If you don't know how to access (CTRL-ALT-F2 for example)
>        non-gui consoles,

No sweat, I often do,

>     As root in system B: Just do "sudo nano /etc/passwd", find user Bob
>     and change it's number to 501, save, exit nano.

Ach, natürlich ! It's been a long, long time since I last edited 
/etc/passwd; the idea had merely escaped me,

> Now the user Bob has
>     the 501 number (as viewed by the system), but no file belongs to 501,
>     right?

>     Then we find all 502 owned files/dir and change them to 501/(bob):
>          find /home/bob -uid 502 -execdir chown bob:bob {} +

Whereas I would have found a way to change user numbers by 
myself, this above combined command is way over my head, I 
/couldn't/ have synthesised it by myself! 

>     I am assuming there is a group called bob
>     Maybe now the reboot command will work (or not?)
 
>     Just reboot the system, so the new passwd file and files permissions
>     are loaded and used for the user Bob.

Thank you, Master Mark! I believe your instructions will get me 
there without pain.
 

-- 
Ninho
Ninho
1/28/2013 11:25:48 PM
Mark, if I may ask for a complement...

> Mark Cross wrote:

>> 3.- Make Alice and Bob have the same UID.
....
>> Now the user Bob has
>>     the 501 number (as viewed by the system), but no file belongs to 501,

>>     Then we find all 502 owned files/dir and change them to 501/(bob):
>>          find /home/bob -uid 502 -execdir chown bob:bob {} +

The plus sign is part of the cryptic command, is it ? 

>>     I am assuming there is a group called bob

Actually, my user is called 'ninho' in both systems and is going to get 
UID 1000 on both sides.  Both are members of a group called 'ninho' 
indeed, also members of 'users' (and more groups).

But, regarding /groups/, here is a doubt : I presume the file system 
manages ownership according to /group numbers/ (GID ?) rather than group 
names. 
I haven't checked yet what actual numerical values groups 'ninho' (or 
'users') have got in each system BUT in case they do not coincide, I 
presume, again, we'll have to adjust this number /too/, don't we ? 

Will you please clear my doubts away, and provide more magical formulae 
as may be needed before I proceed to do the actual mods ?

Again many thanks for your patience

-- 
Ninho 
Ninho
1/29/2013 10:13:50 AM
Alright, following Mark's guidance everything completed OK.

First, as root, I edited system2's /etc/passwd & /etc/group to 
my liking. Then, proceeding in single mode (runlevel s) for more 
security - though I don't believe it was compulsory - and using 
Mark's magic 'find' command, I chased and modified all files and 
dirs owned by obsolete user and/or group ids on all three 
affected disk partitions.

Note I had to add a -R (recursive) option to the 'chmod' in 
order to treat a few reluctant links...

Now I can return to my cross assembly tasks with much added 
comfort. See you later, grc-penguins !

-- 
Ninho
Ninho
1/29/2013 5:05:35 PM
On the grc.techtalk.linux
from  don't.use!@this.is.invalid, Ninho decided to say:

> Mark, if I may ask for a complement...
 
>> Mark Cross wrote:
>>> 3.- Make Alice and Bob have the same UID.

>>> Now the user Bob has
>>>     the 501 number (as viewed by the system), but
>>>     no file belongs to 501,

>>> Then we find all 502 owned files/dir and change
>>> them to 501/(bob):
>>>   find /home/bob -uid 502 -execdir chown bob:bob {} +

> The plus sign is part of the cryptic command, is it ?

YES, most definitely it is.

There is the simpler command 
    find /home/bob -uid 502 -exec chown bob '{}' \; 

which executes the chown command for each item on the list and which needs 
quoting and escaping of the {} and the semicolon at the end (already shown 
here and in the find manual --man find-- examples) to control the shell 
parsing of the semicolon.

But the command:
    find /home/bob -uid 502 -exec chown bob {} + 
which builds a list of files and executes the chown command on the list 
(making it a bit faster) does not have the problem that the shell will parse 
the '+' (plus) as something else, and therefore needs no escaping. If it is 
escaped it will work exactly the same:
    find /home/bob -uid 502 -exec chown bob '{}' \+ 

And finally, the command I gave you:
    find /home/bob -uid 502 -execdir chown bob {} + 
executes the chown command on a list of files per directory, not one long 
list. That prevents the file list from becoming too long to be processed 
in only one command.

>>>     I am assuming there is a group called bob

> Actually, my user is called 'ninho' in both systems and is going to get
> UID 1000 on both sides.  Both are members of a group called 'ninho'
> indeed, also members of 'users' (and more groups).

Well, all the problem is with the bob:bob element on the command, which, of 
course, for you it will be ninho:ninho. That construct is user:group as 
default owners of the file/directory.

However, you are correct. The group should be adjusted as well (sorry).
Some points may help you understand the issue of groups in this instance. 
First, there is only one place where a user name (ninho) is converted to a 
number, the /etc/passwd file. Once a pair name<-->uid is changed in that 
file, it is applied to all subsequent operations. All the same concept and 
principle works in the /etc/group file. The connection "group name" <--> gid 
is made in that file. If there is a group named "ninho" with gid 1000 we 
would be ok on both systems. However, if I understand you correctly, there 
is a group ninho with gid=1000 in system A and a group also named ninho but 
with gid=1001 in system B. If that is the case, then yes, both /etc/group 
and each file/dir need to be adjusted:

    sudo nano /etc/group
    # change ninho gid to 1000 (if no other 1000 exists)
    find /home/ninho -gid 1001 -execdir chgrp ninho {} +

then you could check that no file has 1001 as uid:
    find /home/ninho -uid 1001
and 1001 as gid:
    find /home/ninho -gid 1001

both commands should produce no output if indeed there are no files assigned 
to the old user/group.

> But, regarding /groups/, here is a doubt : I presume the file system
> manages ownership according to /group numbers/ (GID ?) rather than group
> names.

Yes, all files/dirs inodes store a number for user and a number for group. 
The names presented to us users are converted using the tables of 
/etc/passwd and /etc/group as needed.

> I haven't checked yet what actual numerical values groups 'ninho' (or
> 'users') have got in each system BUT in case they do not coincide, I
> presume, again, we'll have to adjust this number /too/, don't we ?

yes, you should, sorry for forgetting that item.
Provided that no other group already exists with that number.
 
> Will you please clear my doubts away, and provide more magical formulae
> as may be needed before I proceed to do the actual mods ?

Sure, if anything else is needed, don't hesitate to ask.
 
> Again many thanks for your patience

No problem at all, Ninho. I am happy to provide some help if I can.

-- 
Mark Cross @ 01/29/2013 1:12 p.m.

The network is up.

Mark
1/29/2013 5:16:04 PM
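Mark's solution 3 and the group follow-up above (re-own by old uid after editing /etc/passwd, the same for the old gid after editing /etc/group, then check that nothing is left over) as one added script; this is not code from the thread. It assumes GNU find and GNU chown (for --from), is meant to be run as root after the passwd/group edits, and the numeric ids in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: the UID/GID remap from Mark's solution 3
# and his group follow-up as a small script with a dry run and the post-check
# he describes. Assumes GNU findutils and GNU chown (for --from). Run it as
# root after editing /etc/passwd and /etc/group; the ids are placeholders.
set -u

# Entries under DIR still owned by the old numeric uid / gid, one per line.
# These are what a passwd/group edit leaves behind, since inodes store numbers.
stale_by_uid() { find "$1" -uid "$2" -print; }   # stale_by_uid DIR OLD_UID
stale_by_gid() { find "$1" -gid "$2" -print; }   # stale_by_gid DIR OLD_GID

# Total count of stale entries; 0 means the remap is complete (Mark's check:
# "both commands should produce no output").
stale_count() {  # stale_count DIR OLD_UID OLD_GID
    n_uid=$(stale_by_uid "$1" "$2" | wc -l)
    n_gid=$(stale_by_gid "$1" "$3" | wc -l)
    echo $((n_uid + n_gid))
}

# Re-own everything that still carries the old ids.
#  - /bin/chown by absolute path: $PATH is never consulted (the -execdir caveat).
#  - --from=OLD: chown skips an entry whose ownership changed between the
#    find and the chown, which closes the race the findutils manual describes.
#  - -execdir ... {} +: one chown per directory, executed from inside it.
# DRY_RUN=1 prints the chown command lines instead of running them.
remap_ids() {  # remap_ids DIR OLD_UID NEW_UID OLD_GID NEW_GID
    if [ "${DRY_RUN:-0}" = 1 ]; then
        run="echo"
    else
        run=""
    fi
    find "$1" -uid "$2" -execdir $run /bin/chown --from="$2" "$3" -- {} +
    find "$1" -gid "$4" -execdir $run /bin/chown --from=":$4" ":$5" -- {} +
}

# Typical session for the case in the thread (uid 502 -> 501, gid 1001 -> 1000):
#   DRY_RUN=1 remap_ids /home/bob 502 501 1001 1000   # review the plan
#   remap_ids /home/bob 502 501 1001 1000             # apply
#   stale_count /home/bob 502 1001                    # expect 0
```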
On the grc.techtalk.linux
from  don't.use!@this.is.invalid, Ninho decided to say:

> Alright, following Mark's guidance everything completed OK.
> 
> First, as root, I edited system2's /etc/passwd & /etc/group to
> my liking. Then, proceeding in single mode (runlevel s) for more
> security - though I don't believe it was compulsory - and using
> Mark's magic 'find' command, I chased and modified all files and
> dirs owned by obsoleted user and/or group ids on all three
> affected disk partitions.

Sorry for being late, Ninho :-(
 
> Now I can return to my cross assembly tasks with much added
> comfort. See you later, grc-penguins !

Nice to know you got it sorted out. :-)

-- 
Mark Cross @ 01/29/2013 1:18 p.m.

The network is up.

Mark
1/29/2013 5:24:28 PM
On 2013-01-30 4:16 AM, Mark Cross wrote:
[...]
> And finally, the command I gave you:
>      find /home/bob -uid 502 -execdir chown bob {} +
> executes the chown command on a list of files per directory, not a long one
> list. That will prevent that the file list becoming too long to be processed
> in only one command.

-execdir also has the added advantage of executing the commands from the 
directory containing the files, which is more secure than executing from 
the directory where find is invoked.

You do have to watch out for using -execdir from a directory contained 
in the PATH, however.

Regards,
Sam
Sam
1/30/2013 5:59:27 AM
On the grc.techtalk.linux
from  sschinke@gmail.com, Sam Schinke decided to say:

> On 2013-01-30 4:16 AM, Mark Cross wrote:
> [...]
>> And finally, the command I gave you:
>>      find /home/bob -uid 502 -execdir chown bob {} +
>> executes the chown command on a list of files per directory, not a long
>> one list. That will prevent that the file list becoming too long to be
>> processed in only one command.
> 
> -execdir also has the added advantage of executing the commands from the
> directory containing the files, which is more secure than executing from
> the directory where find is invoked.

True. That is what the FineManual says.
 
> You do have to watch out for using -execdir from a directory contained
> in the PATH, however.

Why could that be the case? Do you know?

The only reference in the Fine Manual is that there should be no `.' (just a 
dot) entry in the $PATH as it would allow an attacker to execute any command 
he likes.

-- 
Mark Cross @ 01/30/2013 12:52 p.m.

The network is up.

Mark
1/30/2013 4:57:56 PM
On 2013-01-31 3:57 AM, Mark Cross wrote:
> On the grc.techtalk.linux
> from  sschinke@gmail.com, Sam Schinke decided to say:
>
>> On 2013-01-30 4:16 AM, Mark Cross wrote:
>> [...]
>>> And finally, the command I gave you:
>>>       find /home/bob -uid 502 -execdir chown bob {} +
>>> executes the chown command on a list of files per directory, not a long
>>> one list. That will prevent that the file list becoming too long to be
>>> processed in only one command.
>>
>> -execdir also has the added advantage of executing the commands from the
>> directory containing the files, which is more secure than executing from
>> the directory where find is invoked.
>
> True. That is what the FineManual says.

I mentioned it, but I'm not completely sure why it is dangerous. I guess 
if you ran "-exec {}" without a command, it might interpret the 
filenames as commands? It seems silly to run -exec like that, though, 
unless you *wanted* to execute a list of filenames as commands. Or maybe 
there is a way for maliciously chosen filenames to escape from an 
invocation like "-exec chown bob:bob {} +". I thought there were limits 
on legal characters in filenames, though, for exactly this kind of reason.

>> You do have to watch out for using -execdir from a directory contained
>> in the PATH, however.
>
> Why that could be the case? Do you know?

I assume for the same reason running -exec is dangerous. Of which
I am not entirely clear, FWIW.

> The only reference in the Fine Manual is that there should be no `.' (just a
> dot) entry in the $PATH as it would allow an attacker to execute any command
> he like.

Ah, the man page I was reading had this to say:

<q>
you must ensure that your $PATH environment  variable  does not 
reference the current directory; otherwise, an attacker can run any 
commands they like by leaving an appropriately-named file in a directory 
in which you will run -execdir.
</q>

Whereas some others say this:

<q>
you must ensure that your $PATH environment variable does not reference 
'.'; otherwise, an attacker can run any commands they like by leaving an 
appropriately-named file in a directory in which you will run -execdir. 
The same applies to having entries in $PATH which are empty or which are 
not absolute directory names.
</q>

Assuming they are warning about the same issue, and that the former was 
updated to become the latter, then I have misinterpreted which folder is 
meant by "current directory" in the first example. I assumed 
/random/path/where/find/happens/to/be/run, whereas they almost certainly 
meant ".", which makes it the current directory in the context of where 
find is running commands, not where find is invoked. No doubt this 
misunderstanding is why the wording has been changed.

I was able to find this page that explains why -exec is dangerous, but 
that still hasn't clarified for me why -execdir introduces the 
possibility of arbitrary code execution if $PATH is poorly chosen. That 
seems like a poor tradeoff.

https://www.gnu.org/software/findutils/manual/html_node/find_html/Deleting-Files.html

It seems to be part of the standard manual, just not the man page, if 
that makes sense.

Regards,
Sam
Sam
1/31/2013 12:41:17 AM
On the grc.techtalk.linux
from  sschinke@gmail.com, Sam Schinke decided to say:

Let's cut the chase and go to the core of the issue:

> I mentioned it, but I'm not completely sure why it is dangerous. I guess
> if you ran "-exec {}" without a command, it might interpret the
> filenames as commands?

Close but no cigar.

>>> You do have to watch out for using -execdir from a directory contained
>>> in the PATH, however.
>>
>> Why that could be the case? Do you know?
> 
> I assume for the same reason running -exec is dangerous. Of which
> I am not entirely clear, FWIW.

Let's get clear, then:

The main purpose of the shell is to parse lines of text (strings of
characters) into commands to execute. Parsing commands is not a
simple task, though:
http://unix.stackexchange.com/questions/60842/what-is-bashs-order-of-operations-when-parsing-a-command

That is just the tip of the iceberg of command line parsing.
For simple command lines, though, the first word/file is the command
to execute and the rest are just options. There are a lot of alternatives,
different structures, aliases, but in its core, there is a command and the
rest are options. The command is then searched for in the $PATH environment
variable (which happens to be different for root than for a regular user).

Why is that relevant to the -exec option of the find command? Easy:
The find command will spawn a process to execute in the shell the
command requested. But what command IS requested?

Let's assume that the . (here) directory contains all these files/dirs:
     fileA
     fileB
     dirA
     dirA/AfileA
     dirA/AfileB
     dirA/dirB
     dirA/dirB/chown
     dirA/dirB/BfileA
     dirA/dirB/BfileB

1.- for the simpler of the commands:
    find . -uid 502 -exec chown bob {} \;
       the commands started by find on each spawn process will be:
       chown bob "fileA"
       chown bob "fileB"
       chown bob "dirA"
       chown bob "dirA/AfileA"
       chown bob "dirA/AfileB"
       chown bob "dirA/dirB"
       chown bob "dirA/dirB/chown"
       chown bob "dirA/dirB/BfileA"
       chown bob "dirA/dirB/BfileB"
    Only if there is an executable file named "chown" in the current
    directory, and the path has a `.' (dot, or "here") before the place
    where the correct "chown" executable is, will it be executed.

    The "chown" file in dirB creates no problem here.

    Of course, if the call uses a fixed path:
        find . -uid 502 -exec /bin/chown bob {} \;
    this particular issue does not happen.


2.- The next command:
    find . -uid 502 -exec chown bob {} +
       will start only one command (on one line):
       chown bob "fileA" "fileB" "dirA" "dirA/AfileA" "dirA/AfileB" "dirA/dirB" "dirA/dirB/chown" "dirA/dirB/BfileA" "dirA/dirB/BfileB"

    The "chown" file in dirB creates no problem here.

3.- The final command:
    find . -uid 502 -execdir chown bob {} +
    will ask the shell to execute the following commands:
    in the original dir:   chown bob "fileA" "fileB" "dirA"
    cd dirA:               chown bob "AfileA" "AfileB" "dirB"
    cd dirA/dirB:          chown bob "chown" "BfileA" "BfileB"

    The "chown" file in dirB could be interpreted as the command
    to execute if a `.' (dot) path exists.

Now, if you don't believe or understand what I said, just create the
directory structure explained above and execute:
    find . -user $USER -exec    echo chown bob {} \;
    find . -user $USER -exec    echo chown bob {} +
    find . -user $USER -execdir echo chown bob {} +

The echo command will present the commands sent to bash to be executed. :-)

you could also try
    find $PWD -user $USER -exec    echo chown bob {} \;
    find $PWD -user $USER -exec    echo chown bob {} +
    find $PWD -user $USER -execdir echo chown bob {} +

which works differently :-)


Sadly (or gladly) my environment does not allow me to execute things if
a "relative" path is in the $PATH variable, it presents this error:
    " find: The relative path «./» is included in the PATH environment
      variable, which is insecure in combination with the -execdir action
      of find.  Please remove that entry from $PATH "


Other loose ends and bits, not very important though:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> On 2013-01-31 3:57 AM, Mark Cross wrote:
>> On the grc.techtalk.linux
>> from  sschinke@gmail.com, Sam Schinke decided to say:
>>
>>> On 2013-01-30 4:16 AM, Mark Cross wrote:
>>> [...]
>>>> And finally, the command I gave you:
>>>>       find /home/bob -uid 502 -execdir chown bob {} +
>>>> executes the chown command on a list of files per directory, not a long
>>>> one list. That will prevent that the file list becoming too long to be
>>>> processed in only one command.
>>>
>>> -execdir also has the added advantage of executing the commands from the
>>> directory containing the files, which is more secure than executing from
>>> the directory where find is invoked.
>>
>> True. That is what the Fine Manual says.
 
> I mentioned it, but I'm not completely sure why it is dangerous.

Read above.

> I guess if you ran "-exec {}" without a command, it might interpret the
> filenames as commands?

Only the first file in the list would be interpreted as a command.

> It seems silly to run -exec like that, though,

yes, silly indeed.

> unless you *wanted* to execute a list of filenames as commands.

That could be a reason, to have the first file be the command to
the rest of files. I can't imagine a situation in which that would
be required though.


> Or maybe there is a way for maliciously chosen filenames to escape from an
> invocation like "-exec chown bob:bob {} +".

Oh yes, there is, read from the start.

> I thought there were limits on legal characters in filenames,
> though, for exactly this kind of reason.

No character flaw involved though, find does a good job of quoting the
file names involved in the exec part. There is an issue that you are
completely missing to see.
 
>>> You do have to watch out for using -execdir from a directory contained
>>> in the PATH, however.

>> Why that could be the case? Do you know?
 
> I assume for the same reason running -exec is dangerous. Of which
> I am not entirely clear, FWIW.

Well, you are the one who brought up the issue, and you have no idea why?
Good for you. Please read from the start to get the explanation.
 
>> The only reference in the Fine Manual is that there should be no `.'
>> (just a dot) entry in the $PATH as it would allow an attacker to execute
>> any command he like.

> Ah, the man page I was reading had this to say:

> Whereas some others say this:

Just pure noise Sam, nothing relevant there, except that you understood nothing of the problem before.

> Assuming they are warning about the same issue, and that the former was
> updated to become the latter, then I have misinterpreted which folder is
> meant by "current directory" in the first example.

Yes, you misinterpreted that.

> I was able to find this page that explains why -exec is dangerous, but
> that still hasn't clarified for me why -execdir introduces the
> possibility of arbitrary code execution if $PATH is poorly chosen. That
> seems like a poor tradeoff.

> https://www.gnu.org/software/findutils/manual/html_node/find_html/Deleting-Files.html

What they explain there is the difference between -exec, xargs, -execdir and -execdir {} +

But they miss the issue I presented above because they used a static path to
the command to be executed. They used:
        find . -user $USER -exec  /bin/chown bob {} \;

The fact of naming the command in full (/bin/chown) instead of short (chown)
just breaks the exec or execdir issue.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
> It seems to be part of the standard manual, just not the man page, if
> that makes sense.

Yes it does make sense.

-- 
Mark Cross @ 01/31/2013 8:38 p.m.

The network is up.

Mark
2/1/2013 12:42:00 AM
On 2013-02-01 11:42 AM, Mark Cross wrote:
> On the grc.techtalk.linux
> from  sschinke@gmail.com, Sam Schinke decided to say:
[...]
> 1.- for the simpler of the commands:
>      find . -uid 502 -exec chown bob {} \;
>         the commands started by find on each spawn process will be:
>         chown bob "fileA"
[...]
>      Only if there is a file named "chown" which is executable and the
>      path has a `.' (dot or "here") before where the correct "chown"
>      executable file is, it will be executed.

So if I follow, for -exec, there is the risk of execution of arbitrary 
code only if an attacker has write permission to the directory 
where find itself is executed and "." is in the path. An attacker could 
copy the filenames of every executable in /bin or something. Mind you, 
if they have write permission to the folder you are executing *anything* 
from, and "." is in the path, it seems that they could just create an 
executable "find" in that case.

With -execdir, some of the same holds true, except an attacker need only 
have write permission to a folder where a file is found, a significantly 
lower barrier, and with no short-cut by just creating a copy of "find" 
in a random sub-folder.

>      The "chown" file in dirB creates no problem here.
>
>      Of course, if the calling has a fixed path:
>          find . -uid 502 -exec /bin/chown bob {} \;
>      this particular issue does not happen.

Excepting that calling "/bin/find" is needed in cases where 
"/bin/chown" is needed with -exec. I think that is just something 
fundamental in *nix -- if an attacker can get you to run commands from a 
directory they have control over, you are screwed.


[...]
> 3.- The final command:
>      find . -uid 502 -execdir chown bob {} +
>      will ask the shell to execute the following commands:
>      in the original dir:   chown bob "fileA" "fileB" "dirA"
>      cd dirA:               chown bob "AfileA" "AfileB" "dirB"
>      cd dirA/dirB:          chown bob "chown" "BfileA" "BfileB"
>
>      The "chown" file in dirB could be interpreted as the command
>      to execute if a `.' (dot) path exists.
>
> Now, if you don't believe or understand what I said, just create the
> directory structure explained above and execute:
>      find . -user $USER -exec    echo chown bob {} \;
>      find . -user $USER -exec    echo chown bob {} +
>      find . -user $USER -execdir echo chown bob {} +

No, understood. I made the mistake of assuming that the security issue 
with -exec was the same as the issue with -execdir but with looser 
constraints or something, based on my misreading of that man page 
snippet I posted.

The issue with -exec is more esoteric. My understanding of the find 
manual is that it is to do with relative paths and the time delay after 
the files are "found" and before the command is executed. The filesystem 
can be modified in that time in a way that causes the wrong files to be 
modified.

My guess is that -execdir solves this by, in effect, changing into the 
directory not just before running the commands but before searching the 
contents of the directory. Or at least storing a pointer directly to the 
folder, otherwise the folder could be changed by an attacker as well, 
leaving the same problem in place.

[...]
> Sadly (or gladly) my environment does not allow me to execute things if
> a "relative" path is in the $PATH variable, it presents this error:
>      " find: The relative path «./» is included in the PATH environment
>        variable, which is insecure in combination with the -execdir action
>        of find.  Please remove that entry from $PATH "

Good idea, that.

[...]
>> unless you *wanted* to execute a list of filenames as commands.
>
> That could be a reason, to have the first file be the command to
> the rest of files. I can't imagine a situation in which that would
> be required though.

No, nor do I think the order of files in directories is something that 
can be strongly relied upon, either.

>> Or maybe there is a way for maliciously chosen filenames to escape from an
>> invocation like "-exec chown bob:bob {} +".
>
> Oh yes, there is, read from the start.

I'm pretty sure that -exec has no issue of this kind that merely 
executing find wouldn't also have.

>> I thought there were limits on legal characters in filenames,
>> though, for exactly this kind of reason.
>
> No character flaw involved though, find does a good job of quoting the
> file names involved in the exec part. There is an issue that you are
> completely missing to see.

Yep, obvious in retrospect.

>>>> You do have to watch out for using -execdir from a directory contained
>>>> in the PATH, however.
>
>>> Why that could be the case? Do you know?
>
>> I assume for the same reason running -exec is dangerous. Of which
>> I am not entirely clear, FWIW.
>
> Well, you are the one who bought up the issue, and you have no idea why?
> Good for you. Please read from the start to get the explanation.

I mentioned the warning because it was in the man page and a mention 
seemed like a worthy addition to your excellent efforts, including 
comparing -exec and -execdir. Especially since I recall some relatively 
recent discussions here of best-practices relating to $PATH.

>>> The only reference in the Fine Manual is that there should be no `.'
>>> (just a dot) entry in the $PATH as it would allow an attacker to execute
>>> any command he like.
>
>> Ah, the man page I was reading had this to say:
>
>> Whereas some others say this:
>
> Just pure noise Sam, nothing relevant there, except that you understood nothing of the problem before.

My point was that one was clear about what was in the path and the other 
ambiguous.

I'll just lie and claim I was distracted by the ambiguity and therefore 
couldn't figure out why code execution was possible. :P

[...]
>> I was able to find this page that explains why -exec is dangerous, but
>> that still hasn't clarified for me why -execdir introduces the
>> possibility of arbitrary code execution if $PATH is poorly chosen. That
>> seems like a poor tradeoff.
>
>> https://www.gnu.org/software/findutils/manual/html_node/find_html/Deleting-Files.html
>
> What they explain there is the difference between //exec//xargs//execdir // and execdir {} +

Under the section with the heading "10.1.5 A more secure version of 
-exec" they seem to explain a race condition that exists with -exec that 
does not exist with -execdir.

> But they miss the issue I presented above because they used a static path to
> the command to be executed. They used:
>          find . -user $USER -exec  /bin/chown bob {} \;

But no static path to /find, which should suffer from the same issue.

>      find . -user $USER -exec    echo chown bob {} \;

If the current directory is /, and "." is in the path, then an attacker 
would need to either create /chown or /find to perform an attack against 
the above command (or any command, for that matter).

Now, write permission in / isn't that likely, but if you were in 
/home/bob, bob could trivially create a find and chown executable and do 
bad things in either case. To my mind, -exec with "." in the path is no 
more dangerous than just having "." in the path (which is to say, "." in 
the path is a terrible idea!).

Regards,
Sam
0
Sam
2/1/2013 2:39:56 AM
On 2013-02-01 1:39 PM, Sam Schinke wrote:
[...]
> Under the section with the heading "10.1.5 A more secure version of
> -exec" they seem to explain a race condition that exists with -exec that
> does not exist with -execdir.
[...]

https://www.gnu.org/software/findutils/manual/html_node/find_html/Race-Conditions-with-_002dexec.html

They explain it in some more detail. They then go on to completely 
contradict the man page entries for -execdir and say that find checks 
for the current directory being in the path prior to executing anything 
with -execdir. Hah. I find the disconnect between the manual and the man 
pages amusing.

Regards,
Sam
0
Sam
2/1/2013 2:53:16 AM
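The PATH condition both replies turn on, as an added example that is not part of either post: it flags the PATH entries that would make the working directory searchable (the condition the find error quoted at the top of the first reply refuses to run -execdir under), and wraps find so that it runs only after that check, naming find by absolute path so a writable working directory such as /home/bob cannot supply its own. The function names are hypothetical and /usr/bin/find is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical;
# /usr/bin/find is an assumed location for the real find binary.

# Print each entry of a PATH-style string that makes the current directory
# searchable: an empty field ("/usr/bin:" or "::" means "."), a bare "."
# or "./", or anything else that does not begin with "/".
relative_path_entries() {
    _rest="$1:"
    while [ -n "$_rest" ]; do
        _entry="${_rest%%:*}"      # text up to the first ":"
        _rest="${_rest#*:}"        # drop it together with the ":"
        case "$_entry" in
            "") echo "<empty>" ;;  # empty field is the working directory
            /*) ;;                 # absolute entry: fine
            *)  echo "$_entry" ;;  # ".", "./", "bin", ...
        esac
    done
}

# Exit status 0 when the string has no relative entry, 1 otherwise.
path_is_safe() {
    [ -z "$(relative_path_entries "$1")" ]
}

# Run find under a PATH that has been checked first, with find itself named
# by absolute path. Commands handed to -exec/-execdir should be absolute as
# well (/bin/chown rather than chown), as in the manual's own example.
# Usage: guarded_find PATH_STRING FIND_ARGS...
guarded_find() {
    _path="$1"; shift
    if ! path_is_safe "$_path"; then
        echo "guarded_find: refusing, relative entries in PATH:" >&2
        relative_path_entries "$_path" | sed 's/^/  /' >&2
        return 2
    fi
    PATH="$_path" /usr/bin/find "$@"
}

# Report on the PATH of the calling shell.
if path_is_safe "$PATH"; then
    echo "PATH has no relative entries; find would allow -execdir"
else
    echo "PATH has relative entries; GNU find would refuse -execdir:"
    relative_path_entries "$PATH" | sed 's/^/  /'
fi
```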