[radium] permission denied when radium is running as non-root

Michael Hornung hornung at cac.washington.edu
Fri Jun 8 11:52:16 EDT 2007


I think it would be reasonable to chown the file to the UID that argus 
will be running as.  If a directory in the file's path does not have 
sufficient permissions, that's a much easier problem to resolve.

-Mike

On Fri, 8 Jun 2007 at 11:49, Carter Bullard wrote:

|Hey Robin,
|When you specify an output file on the command line, as we parse the
|command line, we immediately test to see if we can create the output
|file.  This is because it may be a while before data arrives, and you don't
|want to start, wait for data, and then realize you can't create the file.
|All ra* programs, including radium(), create the directory path needed
|to be able to use the file specified, which complicates matters just a bit.
|
|In your situation you are doing this checking as root.  The bug is that we
|leave the path and file we create, and then use that file later on, by
|appending to it.  So you create as root, with minimal permissions and
|try to append later as someone else.
|
|This is a bit less of an issue if the file already exists, so .....
|
|Ok, I have fixed this problem but I don't like it.  I have put an
|exception so that radium() can't create the directory structure
|to satisfy the path of the desired output file, to eliminate the possibility
|of root creating paths, and then the setuid causes radium to fail.
|
|I could delay all of this processing, so that the new user id is used when
|the checking is done, but you get an interesting problem with how
|long do you want to wait before you find out that you can't create the file?
|
|If there are opinions about this approach, speak up now!!!!!!!
|
|Carter
|
|On Jun 7, 2007, at 4:48 AM, Robin Gruyters wrote:
|
|> Hello,
|> 
|> I'm trying to run Radium under a non-root user and writing the output to a
|> file.
|> 
|> Just before the process gets spawned to the non-root user, it creates the file
|> with root owner and stops (due to permission denied).
|> 
|> # ls -ld /nsm/argus
|> drwxr-x---  2 sguil  wheel  512 Jun  7 10:30 /nsm/argus
|> # ls -l /nsm/argus/test.argus
|> ls: /nsm/argus/test.argus: No such file or directory
|> # /usr/local/sbin/radium
|> Starting radium.
|> radium[51234]: 10:44:52.796318 started
|> # ps ax|grep radium | grep -v radium
|> #
|> # grep radium /var/log/all.log
|> Jun  7 10:44:31 nsm-01 radium[51219]: 10:44:31.013046 ArgusInitOutput: open
|> /nsm/argus/test.argus: Permission denied
|> Jun  7 10:44:31 nsm-01 radium[51219]: 10:44:31.012525 started
|> # ls -l /nsm/argus/test.argus
|> -rw-r--r--  1 root  wheel  0 Jun  7 10:44 /nsm/argus/test.argus
|> #
|> 
|> Here is my test radium.conf file:
|> RADIUM_DAEMON=yes
|> #
|> RADIUM_MAR_STATUS_INTERVAL=60
|> #
|> RADIUM_ARGUS_SERVER=localhost:5611
|> RADIUM_ARGUS_SERVER=localhost:5612
|> #
|> RADIUM_OUTPUT_FILE=/nsm/argus/test.argus
|> #
|> RADIUM_SET_PID=yes
|> RADIUM_PID_PATH=/var/run/nsm
|> #
|> RADIUM_SETUSER_ID="sguil"
|> RADIUM_SETGROUP_ID="sguil"
|> 
|> Kind regards,
|> 
|> Robin Gruyters
|> Network and Security Engineer
|> Yirdis B.V.
|> I: http://yirdis.com
|> P: +31 (0)36 5300394
|> F: +31 (0)36 5489119
|> 
|
|Carter Bullard
|CEO/President
|QoSient, LLC
|150 E. 57th Street Suite 12D
|New York, New York 10022
|
|+1 212 588-9133 Phone
|+1 212 588-9134 Fax
|

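An added example in C of Mike's suggestion, written for this thread and not code from the argus/radium project: create the output file early (so a bad path still fails at startup, as Carter wants), fchown it to the uid/gid the daemon will run as, then drop privileges and append. The path, the record contents and the choice of the caller's own uid/gid as the target (so it also runs unprivileged) are assumptions; a real daemon would resolve RADIUM_SETUSER_ID via getpwnam().

```c
/* Added illustration, not argus/radium source: create the output file early,
 * hand it to the target user, then drop privileges so later appends succeed. */
#define _DEFAULT_SOURCE 1
#include <fcntl.h>
#include <grp.h>
#include <sys/stat.h>
#include <unistd.h>
/* Open/create the output file in append mode and chown it to the uid/gid
 * the daemon will run as.  Returns the fd, or -1 on error. */
int prepare_output_file(const char *path, uid_t uid, gid_t gid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0640);
    if (fd < 0)
        return -1;
    /* fchown on the descriptor: no path race between create and chown */
    if (fchown(fd, uid, gid) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}
/* Drop to the target identity: supplementary groups, gid, then uid.
 * Returns 0 only if every step succeeded and the drop stuck. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) < 0)
        return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    return (getuid() == uid && geteuid() == uid) ? 0 : -1;
}
/* The sequence as radium would run it: create, chown, setuid, append.
 * Targets the caller's own uid/gid (assumption) so it also runs unprivileged;
 * a daemon would resolve RADIUM_SETUSER_ID via getpwnam().  0 = ok, else step. */
int create_chown_drop_append(const char *path)
{
    uid_t uid = getuid(); gid_t gid = getgid();
    struct stat st;
    const char rec[] = "constructed flow record\n"; /* constructed sample */
    int fd = prepare_output_file(path, uid, gid);
    if (fd < 0)
        return 1;
    if (fstat(fd, &st) < 0 || st.st_uid != uid || st.st_gid != gid) { close(fd); return 2; }
    if (drop_privileges(uid, gid) < 0) { close(fd); return 3; }
    /* the append that failed in Robin's log now runs as the target user */
    ssize_t n = write(fd, rec, sizeof rec - 1);
    close(fd);
    return n == (ssize_t)(sizeof rec - 1) ? 0 : 4;
}
```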