Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Closes #122 - alternative autz scheme for control sockets #892

Closed
wants to merge 0 commits into from
Closed

Closes #122 - alternative autz scheme for control sockets #892

wants to merge 0 commits into from

Conversation

arr2036
Copy link
Member

@arr2036 arr2036 commented Jan 26, 2015

Uses file system permissions to manage socket access.

On non-linux systems the permissions set on a bound socket aren't enforced. We can work around that by setting permissions on the directory containing the socket.

Known Issues

  • We need to do some operations suid_up, which means the code has to be very careful not to make the server complicit in TOCTOU attacks. TOCTOU is mitigated against in multiple ways.
    • Using *at functions to prevent re-traversal of the control socket path, and using O_NOFOLLOW where appropriate.
    • Doing most operations as the user/group set in the control socket config (which could be root, but often won't be).
    • Getting the user to fix some issues manually, instead of stomping on directory ownership and permissions.
  • The directory and socket often can't be unlinked when the server exits. They'll usually be owned by a different user/group to the server, and the server suid_downs permanently at some point to stop runtime exploits. This isn't a huge issue, as unlike the existing code, the socket is always created with the same user/group (unless the config is changed) meaning if you do sudo radiusd -X then radiusd -f -lstdout you won't end up with permissions issues.
  • The server will not start unless running under root initially, or if the user/group on the socket happens to match the user starting radiusd. This could be made slightly better by not forcing unspecified uids/gids to root. That would allow someone to start the server if they had the control socket group as a supplementary group

Questions

  • Are the rad_seuid and rad_segid called correctly? I can see the suid_up/down functions are more complex and use non-posix functions. There must be a good reason for this.
  • Is the code TOCTOU safe, are there any likely attack vectors remaining? Could they be mitigated against?
  • Should we stat the control socket dir on new connections to make sure the permissions haven't changed, and reject users if they have?
  • Are there are obvious issues with controlling access this way that i've missed.

@arr2036 arr2036 closed this Feb 17, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@arr2036