[radium] permission denied when radium is running as non-root

Carter Bullard carter at qosient.com
Fri Jun 8 11:49:10 EDT 2007


Hey Robin,
When you specify an output file on the command line, as we parse the
command line, we immediately test to see if we can create the output
file.  This is because it may be a while before data arrives, and you
don't want to start, wait for data, and then realize you can't create
the file.  All ra* programs, including radium(), create the directory
path needed to be able to use the file specified, which complicates
matters just a bit.

In your situation you are doing this checking as root.  The bug is
that we leave the path and file we create, and then use that file
later on, by appending to it.  So you create as root, with minimal
permissions and try to append later as someone else.

This is a bit less of an issue if the file already exists, so .....

Ok, I have fixed this problem but I don't like it.  I have put an
exception so that radium() can't create the directory structure
to satisfy the path of the desired output file, to eliminate the
possibility of root creating paths, and then the setuid causes
radium to fail.

I could delay all of this processing, so that the new user id is
used when the checking is done, but you get an interesting problem
with how long do you want to wait before you find out that you can't
create the file?

If there are opinions about this approach, speak up now!!!!!!!

Carter



On Jun 7, 2007, at 4:48 AM, Robin Gruyters wrote:

> Hello,
>
> I'm trying to run Radium under a non-root user and writing the
> output to a file.
>
> Just before the process gets spawned to non-root user, it creates
> the file with root owner and stops. (due to permission denied)
>
> # ls -ld /nsm/argus
> drwxr-x---  2 sguil  wheel  512 Jun  7 10:30 /nsm/argus
> # ls -l /nsm/argus/test.argus
> ls: /nsm/argus/test.argus: No such file or directory
> # /usr/local/sbin/radium
> Starting radium.
> radium[51234]: 10:44:52.796318 started
> # ps ax|grep radium | grep -v radium
> #
> # grep radium /var/log/all.log
> Jun  7 10:44:31 nsm-01 radium[51219]: 10:44:31.013046 ArgusInitOutput: open /nsm/argus/test.argus: Permission denied
> Jun  7 10:44:31 nsm-01 radium[51219]: 10:44:31.012525 started
> # ls -l /nsm/argus/test.argus
> -rw-r--r--  1 root  wheel  0 Jun  7 10:44 /nsm/argus/test.argus
> #
>
> Here is my test radium.conf file:
> RADIUM_DAEMON=yes
> #
> RADIUM_MAR_STATUS_INTERVAL=60
> #
> RADIUM_ARGUS_SERVER=localhost:5611
> RADIUM_ARGUS_SERVER=localhost:5612
> #
> RADIUM_OUTPUT_FILE=/nsm/argus/test.argus
> #
> RADIUM_SET_PID=yes
> RADIUM_PID_PATH=/var/run/nsm
> #
> RADIUM_SETUSER_ID="sguil"
> RADIUM_SETGROUP_ID="sguil"
>
> Kind regards,
>
> Robin Gruyters
> Network and Security Engineer
> Yirdis B.V.
> I: http://yirdis.com
> P: +31 (0)36 5300394
> F: +31 (0)36 5489119
>
>
>
>

Carter Bullard
CEO/President
QoSient, LLC
150 E. 57th Street Suite 12D
New York, New York 10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax
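
An added example, not part of the original message and not code from the argus sources: one way to keep the early "can we create the output file?" test while avoiding the root-owned leftover is to run that test under the effective uid/gid the daemon will switch to. The helper name `check_output_as`, the 0640 mode and the /tmp demo path are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not an argus function): test at startup that `path`
 * can be opened for append by uid/gid, the ids the daemon will run as later.
 * A file created here is owned by uid, never by root. Returns 0, or -1 with
 * errno set. Assumption: supplementary groups are not switched. */
int check_output_as(const char *path, uid_t uid, gid_t gid)
{
    uid_t old_euid = geteuid();
    gid_t old_egid = getegid();
    int fd, rc = -1, saved;

    /* Group first: once euid has left root we may not change egid. */
    if (setegid(gid) != 0)
        return -1;
    if (seteuid(uid) != 0) {
        saved = errno;
        if (setegid(old_egid) != 0) abort();
        errno = saved;
        return -1;
    }

    /* Same open the daemon does later: append, create if missing. */
    fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0640);
    saved = errno;
    if (fd >= 0) { close(fd); rc = 0; }

    /* Restore euid first so we regain the right to restore egid.
     * Running on with the wrong ids is not safe, so stop on failure. */
    if (seteuid(old_euid) != 0 || setegid(old_egid) != 0)
        abort();
    errno = saved;
    return rc;
}

int main(void)
{   /* Constructed demo: check a /tmp path with the ids we already have. */
    const char *path = "/tmp/check_output_demo.argus";
    int rc = check_output_as(path, geteuid(), getegid());
    printf("%s: %s\n", path, rc == 0 ? "ok" : strerror(errno));
    return rc == 0 ? 0 : 1;
}
```

Started as root with the ids from RADIUM_SETUSER_ID and RADIUM_SETGROUP_ID, the check fails at startup if that user cannot write the path, and any file it creates is already owned by that user.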

