SUID? NOSUID?

PDXpi
Posts: 13
Joined: Fri Apr 12, 2019 11:17 pm

NOSUID?

Post by PDXpi »

I'm installing BackupPC from source onto DietPi v6.34.3 and I've run into a problem:

BackupPC requires that the CGI script BackupPC_Admin be executed as the BackupPC user (i.e., backuppc). However, the main partition (mmcblk1p1) doesn't seem to allow SUID executables!

I came to this conclusion using something similar to the troubleshooting steps described on the BackupPC FAQ:

  1. I created a simple shell script that contains only the command `whoami`:

    dietpi@backuppc:~$ sudo cat /root/whoami.sh
    #!/bin/bash
    
    whoami ;
  2. I made the backuppc user account the owner of the script, made the script executable, and set the Sticky Bit:

    dietpi@backuppc:~$ sudo ls -l /root/whoami.sh
    -rwsr-xr-x 1 backuppc backuppc 22 Jan 15 17:43 /root/whoami.sh
However, when I execute the script it reports that it is executing as the user that issued the command (i.e., root):

dietpi@backuppc:~$ sudo /root/whoami.sh
root
I've tried to manually override any "implied" nosuid by explicitly specifying that the main partition allow SUID execution:

dietpi@backuppc:~$ cat /etc/fstab | grep -v '^#' | grep -v '^$'
tmpfs /tmp tmpfs size=1956M,noatime,lazytime,nodev,nosuid,mode=1777
tmpfs /var/log tmpfs size=50M,noatime,lazytime,nodev,nosuid,mode=1777
UUID=1542112e-4bd9-4f4a-9660-e9405c792736 / ext4 noatime,lazytime,rw,suid 0 1
But that didn't change the behaviour.

What might be causing this unexpected behaviour? Ideas? Suggestion?

TIA,
Last edited by PDXpi on Sat Jan 16, 2021 4:19 am, edited 1 time in total.
Eric P.
Portland, Oregon
PDXpi
Posts: 13
Joined: Fri Apr 12, 2019 11:17 pm

Re: NOSUID?

Post by PDXpi »

FWIW: I repeated this exercise after moving the whoami.sh script to the $HOME of the user dietpi (i.e., /home/dietpi):

dietpi@backuppc:~$ echo $HOME
/home/dietpi

dietpi@backuppc:~$ pwd
/home/dietpi

dietpi@backuppc:~$ ll
total 1796
-rw-r--r-- 1 dietpi   dietpi   657309 Jun 20  2020 BackupPC-4.4.0.tar.gz
-rw-r--r-- 1 dietpi   dietpi   289549 Jun 20  2020 BackupPC-XS-0.62.tar.gz
-rw-r--r-- 1 dietpi   dietpi   883808 Oct  8 14:11 rsync-bpc-3.1.3.0.tar.gz
-rwsr-xr-x 1 backuppc backuppc     22 Jan 15 18:38 whoami.sh
The results were functionally identical (i.e., the script did not execute as the user backuppc):

dietpi@backuppc:~$ pwd
/home/dietpi

dietpi@backuppc:~$ ./whoami.sh 
dietpi
Ideas? Suggestions?
Eric P.
Portland, Oregon
PDXpi
Posts: 13
Joined: Fri Apr 12, 2019 11:17 pm

Re: NOSUID?

Post by PDXpi »

I also verified that the primary partition (mmcblk1p1) was mounted per the mount options specified in /etc/fstab:

dietpi@backuppc:~$ grep UUID /etc/fstab 
UUID=1542112e-4bd9-4f4a-9660-e9405c792736 / ext4 noatime,lazytime,rw,suid 0 1

dietpi@backuppc:~$ mount | grep mmcblk
/dev/mmcblk1p1 on / type ext4 (rw,noatime,lazytime)
I suppose that suid isn't specified in the output above because it is the default behavior.

Am I correct about that?

TIA,
Eric P.
Portland, Oregon
PDXpi
Posts: 13
Joined: Fri Apr 12, 2019 11:17 pm

SUID? NOSUID?

Post by PDXpi »

I'm installing BackupPC from source onto DietPi v6.34.3 and I've run into a problem:

BackupPC requires that the CGI script BackupPC_Admin be executed as the BackupPC user (i.e., backuppc). However, the main partition (mmcblk1p1) doesn't seem to allow SUID executables!

I came to this conclusion using something similar to the troubleshooting steps described on the BackupPC FAQ:

  1. I created a simple shell script that contains only the command `whoami`:

    dietpi@backuppc:~$ sudo cat /root/whoami.sh
    #!/bin/bash
    
    whoami ;
  2. I made the backuppc user account the owner of the script, made the script executable, and set the Sticky Bit:

    dietpi@backuppc:~$ sudo ls -l /root/whoami.sh
    -rwsr-xr-x 1 backuppc backuppc 22 Jan 15 17:43 /root/whoami.sh
However, when I execute the script it reports that it is executing as the user that issued the command (i.e., root):

dietpi@backuppc:~$ sudo /root/whoami.sh
root

dietpi@backuppc:~$ /root/whoami.sh 
dietpi
So I moved the whoami.sh script to the $HOME of the dietpi user account (i.e., /home/dietpi) and repeated the experiment:

dietpi@backuppc:~$ echo $HOME
/home/dietpi

dietpi@backuppc:~$ pwd
/home/dietpi

dietpi@backuppc:~$ ll
total 1796
-rw-r--r-- 1 dietpi   dietpi   657309 Jun 20  2020 BackupPC-4.4.0.tar.gz
-rw-r--r-- 1 dietpi   dietpi   289549 Jun 20  2020 BackupPC-XS-0.62.tar.gz
-rw-r--r-- 1 dietpi   dietpi   883808 Oct  8 14:11 rsync-bpc-3.1.3.0.tar.gz
-rwsr-xr-x 1 backuppc backuppc     22 Jan 15 18:38 whoami.sh
The results were functionally identical (i.e., the script did not execute as the user backuppc):

dietpi@backuppc:~$ pwd
/home/dietpi

dietpi@backuppc:~$ ./whoami.sh 
dietpi
So I've tried to manually override any "implied" nosuid by explicitly specifying that the main partition allow SUID execution. And then I rebooted:

dietpi@backuppc:~$ cat /etc/fstab | grep -v '^#' | grep -v '^$'
tmpfs /tmp tmpfs size=1956M,noatime,lazytime,nodev,nosuid,mode=1777
tmpfs /var/log tmpfs size=50M,noatime,lazytime,nodev,nosuid,mode=1777
UUID=1542112e-4bd9-4f4a-9660-e9405c792736 / ext4 noatime,lazytime,rw,suid 0 1
But that didn't change the behaviour:

dietpi@backuppc:~$ grep UUID /etc/fstab 
UUID=1542112e-4bd9-4f4a-9660-e9405c792736 / ext4 noatime,lazytime,rw,suid 0 1

dietpi@backuppc:~$ mount | grep mmcblk
/dev/mmcblk1p1 on / type ext4 (rw,noatime,lazytime)
What might be causing this unexpected behaviour?

Ideas? Suggestions?

TIA!
Eric P.
Portland, Oregon
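The three checks the thread performs by hand (mount options of the filesystem holding the file, the mode shown by ls -l, and the whoami probe) gathered into one diagnostic script. This is an added example, not code from the thread, from BackupPC or from DietPi; the mounts table and the whoami.sh it creates are constructed from the fstab lines quoted above, and the verdict names are my own. One detail the thread never reaches: the Linux kernel ignores the setuid and setgid bits on any file it hands to an interpreter through a "#!" line, so a setuid shell script runs with the caller's effective UID even on a filesystem mounted without nosuid. whoami reports the effective user and was therefore a valid probe; the probe file needed to be a native executable for the bit to take effect.

```shell
#!/bin/sh
# Diagnostic helpers for "the setuid bit on my file has no effect".
# Added example; not code from the thread, from BackupPC, or from DietPi.
# Checks, in order: (1) is the setuid bit really set, (2) is the mount
# holding the file flagged nosuid, (3) is the file an interpreted script.
# Linux never honours setuid/setgid on "#!" scripts, whatever the mount
# options, so a setuid shell script always runs with the caller's EUID.

# Print the options of the mount that holds absolute path $1, read from the
# mounts table $2 (default /proc/mounts). Longest matching mount point wins.
# (Mount points containing spaces appear as \040 in /proc/mounts; not handled.)
mount_options_for() {
  path=$1; table=${2:-/proc/mounts}
  best=''; best_opts=''
  while read -r _dev mnt _fstype opts _rest; do
    if [ "$mnt" = / ]; then
      match=1
    else
      case "$path" in "$mnt"|"$mnt"/*) match=1 ;; *) match=0 ;; esac
    fi
    if [ "$match" -eq 1 ] && [ ${#mnt} -ge ${#best} ]; then
      best=$mnt; best_opts=$opts
    fi
  done < "$table"
  printf '%s\n' "$best_opts"
}

# True when the mount holding $1 carries nosuid. "suid" is the default and is
# not printed by mount, which is why the thread's mount output omits it for /.
mount_has_nosuid() {
  case ",$(mount_options_for "$1" "$2")," in *,nosuid,*) return 0 ;; *) return 1 ;; esac
}

# True when the setuid bit is set: the 4th character of ls -l is 's' or 'S'.
has_setuid_bit() {
  case "$(ls -ld "$1" | cut -c4)" in s|S) return 0 ;; *) return 1 ;; esac
}

# True when the file starts with "#!" (the kernel hands it to an interpreter).
is_script() {
  [ "$(head -c 2 "$1" 2>/dev/null)" = '#!' ]
}

# Single-word verdict for file $1 using mounts table $2.
diagnose_setuid() {
  f=$1; table=${2:-/proc/mounts}
  if ! has_setuid_bit "$f"; then echo no-setuid-bit
  elif mount_has_nosuid "$f" "$table"; then echo nosuid-mount
  elif is_script "$f"; then echo script-ignored
  else echo native-setuid
  fi
}

# Create a constructed mounts table (root without nosuid, /var/log with it,
# modelled on the thread's fstab) and a setuid shell script in directory $1.
setup_demo() {
  cat > "$1/mounts" <<'EOF'
/dev/mmcblk1p1 / ext4 rw,noatime,lazytime 0 0
tmpfs /var/log tmpfs rw,nosuid,nodev,noatime,size=50M,mode=1777 0 0
EOF
  printf '#!/bin/sh\nwhoami\n' > "$1/whoami.sh"
  chmod 4755 "$1/whoami.sh"   # u+s on a file you own needs no root
}

demo_dir=$(mktemp -d)
setup_demo "$demo_dir"
echo "options for /var/log/syslog: $(mount_options_for /var/log/syslog "$demo_dir/mounts")"
echo "options for /root/whoami.sh: $(mount_options_for /root/whoami.sh "$demo_dir/mounts")"
echo "verdict for whoami.sh:       $(diagnose_setuid "$demo_dir/whoami.sh" "$demo_dir/mounts")"
rm -rf "$demo_dir"
```

Run it against the live system with `diagnose_setuid /path/to/file` (the second argument defaults to /proc/mounts). A verdict of script-ignored means no mount option will help; the operation has to move into a native binary or, as suggested later in the thread, into a tightly scoped sudo rule.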
Joulinar
Posts: 4835
Joined: Sat Nov 16, 2019 12:49 am

Re: SUID? NOSUID?

Post by Joulinar »

Hi,

To the best of my knowledge, setuid or setgid are not meant to execute the script as the user who owns it; it's more to have the file automatically execute with the privileges of the file's owner. It's more to invoke the file owner's permissions instead of executing it as the owner.

Maybe @MichaIng could explain it better than I do.
Pls let us know if a solution is working. This could help others if they are hit by a similar situation. Your DietPi Team
PDXpi
Posts: 13
Joined: Fri Apr 12, 2019 11:17 pm

Re: SUID? NOSUID?

Post by PDXpi »

Joulinar wrote (Sun Jan 17, 2021 12:28 pm):
    To the best of my knowledge, setuid or setgid are not meant to execute the script as the user who owns it; it's more to have the file automatically execute with the privileges of the file's owner. It's more to invoke the file owner's permissions instead of executing it as the owner.
Right - I see your point! i.e., the script's Effective UID is different than the Process Owner's UID.

From Wikipedia...
The effective UID (euid) of a process is used for most access checks. It is also used as the owner for files created by that process. The effective GID (egid) of a process also affects access control and may also affect file creation, depending on the semantics of the specific kernel implementation in use and possibly the mount options used.
I believe that Evi Nemeth's books (Linux Administration Handbook [2002, 2006], and UNIX and Linux System Administration Handbook [2010]) each have a section devoted to this very topic!

I'll have to devise a better test...
Eric P.
Portland, Oregon
Joulinar
Posts: 4835
Joined: Sat Nov 16, 2019 12:49 am

Re: SUID? NOSUID?

Post by Joulinar »

You could try running sudo -u <user> <command> to have the script executed as a specific user.
Pls let us know if a solution is working. This could help others if they are hit by a similar situation. Your DietPi Team
MichaIng
Site Admin
Posts: 3032
Joined: Sat Nov 18, 2017 6:21 pm

Re: SUID? NOSUID?

Post by MichaIng »

What I know is that nosuid is definitely not implied for the root partition, since otherwise sudo, su and a few other commands would not work at all ;).

Generally, I would not use the setuid/setgid bits if you have any chance to avoid it; it limits the way you can control it too much. Use sudo instead, as Joulinar suggested: via the sudoers configuration you can precisely define which user is allowed to use it for which command :).
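The sudoers approach MichaIng describes, as an added example that is not the DietPi project's or BackupPC's own code: one rule that lets exactly one account run exactly one command as another account, written as a drop-in with the mode sudo expects. The invoking user www-data, the run-as user backuppc and the command path /usr/local/BackupPC/bin/BackupPC_Admin are assumptions for illustration; a real install substitutes its own web server user and install prefix.

```shell
#!/bin/sh
# Least-privilege alternative to a setuid CGI: a sudoers drop-in granting one
# account one command as another account, nothing more.
# Added example, not DietPi or BackupPC code. The invoking user (www-data),
# the run-as user (backuppc) and the command path are assumed placeholders.

# Emit one sudoers rule: "<user> ALL=(<runas>) NOPASSWD: <absolute command>".
# The command must be absolute so sudo cannot be steered through PATH, and
# all three fields are restricted to a conservative character set so that a
# stray space, ';' or ',' cannot change the meaning of the rule.
make_sudoers_rule() {
  user=$1; runas=$2; cmd=$3
  case "$cmd" in
    /*) ;;
    *) echo "make_sudoers_rule: command must be an absolute path" >&2; return 1 ;;
  esac
  case "$user$runas$cmd" in
    *[!A-Za-z0-9_./-]*) echo "make_sudoers_rule: unexpected characters" >&2; return 1 ;;
  esac
  printf '%s ALL=(%s) NOPASSWD: %s\n' "$user" "$runas" "$cmd"
}

# Write rule $2 to drop-in file $1 with mode 0440, the mode sudo expects for
# files under /etc/sudoers.d (the umask keeps it from ever being world-readable
# between creation and chmod).
write_sudoers_dropin() {
  ( umask 337; printf '%s\n' "$2" > "$1" ) || return 1
  chmod 0440 "$1"
}

# Syntax-check a drop-in with visudo before it is installed. Returns 0 when
# visudo is not on this machine, so the caller can decide how to treat that.
check_sudoers_dropin() {
  command -v visudo >/dev/null 2>&1 || return 0
  visudo -cf "$1" >/dev/null
}

rule=$(make_sudoers_rule www-data backuppc /usr/local/BackupPC/bin/BackupPC_Admin)
echo "$rule"
# Installation (as root) would be:
#   write_sudoers_dropin /etc/sudoers.d/backuppc "$rule" && check_sudoers_dropin /etc/sudoers.d/backuppc
# and the CGI wrapper would then run:
#   sudo -u backuppc /usr/local/BackupPC/bin/BackupPC_Admin
```

Compared with a setuid binary, the rule is auditable in one place, every invocation is logged by sudo, and the grant can be revoked by deleting one file. Keep the command path exact; a rule ending in a directory or a wildcard would let the web server user run more than BackupPC_Admin.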
PDXpi
Posts: 13
Joined: Fri Apr 12, 2019 11:17 pm

Re: SUID? NOSUID?

Post by PDXpi »

Thanks for the suggestions, Everyone!

Unfortunately: BackupPC requires that the CGI script BackupPC_Admin be executed as the BackupPC user (i.e., SUID backuppc).

I'll continue to work the problem in my spare time. And I'll share my runbook - i.e., instructions for installing BackupPC from source onto DietPi - once it's "ready for Prime Time".

Thanks, again!
Eric P.
Portland, Oregon