Present Perfect

suid and /proc ?

Filed under: General — Thomas @ 2007-9-6 9:54 am

I was writing a nagios check that checks how many fd's a process has open. Naively I wrote it as a program that checks /proc/<pid>/fd, thinking that I could just set the program suid root and things would work.

But they don't. Apparently something in the kernel prevents a suid program from doing this – I've found some posts that mention various patches and pieces of kernel. I'm not all that interested in the why, but can anyone suggest an alternative approach to make a check like this work?

13 Comments »

  1. Let the suid proc launch something else (or even itself?), which afaik then properly runs as root?

    Comment by Dennis — 2007-9-6 @ 10:27 am

  2. How about wrapping lsof?

    Comment by Christian Hergert — 2007-9-6 @ 10:46 am

  3. You should try and call lsof with the right parameters. lsof -p lists all file descriptors of a process, including mmapped files.

    Comment by Götz Waschk — 2007-9-6 @ 11:13 am

  4. You could use "lsof" for that.
    It's a very very very nice application just for that: listing open files.
    – system wide – indicating which process has each file open, for _every_ process
    – or for a given process
    It can also restrict to IP (v4 or v6) sockets, unix sockets, real files, fifo's, etc.

    Comment by Miguel Sousa Filipe — 2007-9-6 @ 11:22 am

  5. Hm, lsof has the same problem:
    /proc/10880/fd (opendir: Permission denied)

    So it looks like lsof just does pretty much the same thing.

    Comment by Thomas — 2007-9-6 @ 12:25 pm

  6. Could you use sudo or su to run the command instead of suid?

    john

    Comment by john — 2007-9-6 @ 12:46 pm

  7. Have you tried to sudo your command ?

    cat /etc/sudoers :

    ALL= NOPASSWD: /way/to/my/script.sh

    then sudo /way/to/my/script.sh

    Comment by Yannig — 2007-9-6 @ 1:15 pm

  8. Is that a program (an ELF executable) or a script (a text file that starts with #!) that you wrote? The suid bit doesn’t work for scripts (this closes a security problem).

    lsof gives the same error message if I run it as a regular user, but works as root.

    Do you perhaps run a distribution such as Fedora that limits the root account with SELinux?

    Comment by Marius Gedminas — 2007-9-6 @ 1:18 pm

  9. This works for me. I hope it's what you were looking for:
    http://fatal.se/fulhack/checkfd.c

    Comment by Fatal — 2007-9-6 @ 1:20 pm

  10. If you need root privileges, put in your /etc/sudoers something like:

    nagios ALL=NOPASSWD:/bin/lsof -p

    And call ‘sudo lsof -p’ from your nagios check script.

    Comment by Dennis Krul — 2007-9-6 @ 2:23 pm

  11. Let me guess, it was a script that you were using as a nagios plugin?

    Most modern shells flatly refuse to honor suid bits on shell scripts for security reasons.

    Comment by Jeff Schroeder — 2007-9-6 @ 7:19 pm

  12. I ran into a similar problem. This can be solved by creating a simple C programme that calls the script. The privilege escalation occurs at the C programme.

    More details: http://blog.technomancy.org/2007/05/01/creating-simple-c-wrappers-for-shell-scripts-to-setuid-them/

    Comment by Rory McCann — 2007-9-7 @ 1:18 am

  13. Rory, you mean privilege elevation. Escalation is something different ;-).

    Comment by Rudd-O — 2007-9-14 @ 7:34 pm
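Pulling the thread together, here is an added example of the check as a compiled setuid binary; it is not the original poster's plugin, not Fatal's checkfd.c, and not the wrapper from Rory's link. Two facts it rests on: the kernel ignores the setuid bit on interpreter scripts (comments 8, 11 and 12), and listing /proc/<pid>/fd of another user's process requires passing the kernel's ptrace access check, which a process running with euid 0 (CAP_SYS_PTRACE) does. So a C binary that is chown root and chmod 4750 can read the directory directly, with no lsof or sudo in the path. The program name check_fds, the group nagios and the argument order are assumptions for the example. Because it runs setuid, it parses its arguments strictly, throws away the inherited environment, and drops back to the real uid as soon as the /proc read is done.

```c
/*
 * check_fds.c: count the entries in /proc/<pid>/fd and map the count to a
 * Nagios plugin state.  Added example, not the original poster's code.
 *
 * Build and install (group name "nagios" is an assumption):
 *   gcc -Wall -O2 -o check_fds check_fds.c
 *   chown root:nagios check_fds && chmod 4750 check_fds
 * Usage:  check_fds <pid> <warn> <crit>
 */
#define _GNU_SOURCE          /* for clearenv() */
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Standard Nagios plugin exit codes. */
enum { NAGIOS_OK = 0, NAGIOS_WARNING = 1, NAGIOS_CRITICAL = 2, NAGIOS_UNKNOWN = 3 };

/*
 * Count the descriptors of `pid` by listing /proc/<pid>/fd.
 * Returns the count, or -1 with errno set (EACCES when the caller fails the
 * kernel's ptrace access check, ENOENT when there is no such pid).
 * When pid is the caller itself the count includes the directory handle
 * that opendir() holds while we iterate.
 */
long count_open_fds(pid_t pid)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%ld/fd", (long)pid);

    DIR *dir = opendir(path);
    if (dir == NULL)
        return -1;

    long n = 0;
    struct dirent *ent;
    errno = 0;
    while ((ent = readdir(dir)) != NULL) {
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
            continue;
        n++;
    }
    int saved = errno;            /* distinguish readdir() failure from end of stream */
    closedir(dir);
    if (saved != 0) {
        errno = saved;
        return -1;
    }
    return n;
}

/* Map a count against warning/critical thresholds to a Nagios state. */
int nagios_state(long n, long warn, long crit)
{
    if (n >= crit)
        return NAGIOS_CRITICAL;
    if (n >= warn)
        return NAGIOS_WARNING;
    return NAGIOS_OK;
}

/* Strict parse of a non-negative decimal: whole string, no trailing junk. */
int parse_long(const char *s, long *out)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0' || v < 0)
        return -1;
    *out = v;
    return 0;
}

int main(int argc, char **argv)
{
    long pid, warn, crit;
    if (argc != 4 || parse_long(argv[1], &pid) || parse_long(argv[2], &warn)
        || parse_long(argv[3], &crit) || warn > crit) {
        fprintf(stderr, "usage: %s <pid> <warn> <crit>\n", argv[0]);
        return NAGIOS_UNKNOWN;
    }

    clearenv();                   /* a setuid binary must not trust its environment */

    long n = count_open_fds((pid_t)pid);
    int err = errno;

    /* Root was only needed for the /proc lookup; drop it before printing. */
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
        return NAGIOS_UNKNOWN;

    if (n < 0) {
        printf("FD UNKNOWN - cannot read /proc/%ld/fd: %s\n", pid, strerror(err));
        return NAGIOS_UNKNOWN;
    }
    int state = nagios_state(n, warn, crit);
    static const char *label[] = { "OK", "WARNING", "CRITICAL" };
    printf("FD %s - pid %ld has %ld open fds|fds=%ld;%ld;%ld\n",
           label[state], pid, n, n, warn, crit);
    return state;
}
```

The same ptrace access rule is why lsof fails for an unprivileged user in comment 5: lsof opens the very same directory. Run as root, or as a setuid root binary, it works; what does not work is putting the setuid bit on the script that calls it.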
