Unable to connect to DBus session bus after dropping privileges from a setuid binary

Manish Narang Manish.Narang at kpit.com
Wed May 18 14:20:55 UTC 2016


Hi,


Let me explain my requirement to begin with.

I have an application that needs CAP_NET_ADMIN to use setsockopt on a netlink socket. For this I thought of starting as root, and then dropping to user 1000 after claiming a subset of essential capabilities.

My Application also needs to be connected to the DBus Session Bus.

The binary is setuid'd as below


> -rwsr-xr-x 1 root   root   2467914 May 18 19:12 my-binary

So the process starts with root privileges, acquires the necessary privileges required and then does a setuid to user 1000.
After that, a DBus connection is attempted and it fails.

// Function to acquire privileges and drop everything to user 1000
#include <sys/capability.h>
#include <unistd.h>
#include <cstdio>
#include <cstdlib>

void kservicebase::setPermissions()
{
    cap_t cap_cur_p;
    cap_t cap_p;
    cap_flag_value_t cap_ok;

    cap_value_t cap_admin = CAP_NET_ADMIN;

    // Snapshot of the capability sets the process holds right now
    cap_cur_p = cap_get_proc();
    if (!cap_cur_p) {
        perror("netlinksocket: cap_get_proc");
        exit(-1);
    }

    // New, empty capability set
    cap_p = cap_init();
    if (!cap_p) {
        perror("netlinksocket: cap_init");
        exit(-1);
    }

    LOG1((TEXT("GetUID = %d\n"),geteuid()));

    // Log the permitted flags from the snapshot
    LOGERR((TEXT("Before\n")));
    cap_ok = CAP_CLEAR;
    cap_get_flag(cap_cur_p, CAP_NET_ADMIN, CAP_PERMITTED, &cap_ok);
    LOG1((TEXT("NET_ADMIN = %d\n"),cap_ok));
    cap_ok = CAP_CLEAR;
    cap_get_flag(cap_cur_p, CAP_NET_RAW, CAP_PERMITTED, &cap_ok);
    LOG1((TEXT("NET_RAW = %d\n"),cap_ok));

    cap_ok = CAP_CLEAR;
    cap_get_flag(cap_cur_p, CAP_NET_ADMIN, CAP_PERMITTED, &cap_ok);

    // CAP_NET_ADMIN is put into the new set only when the snapshot shows it clear
    if (cap_ok == CAP_CLEAR)
        cap_set_flag(cap_p, CAP_PERMITTED, 1, &cap_admin, CAP_SET);
    else
        LOGERR((TEXT("ERROR1 %d\n"),cap_ok));

    // Install the new set as the process capabilities
    if (cap_set_proc(cap_p) < 0) {
        perror("ping: cap_set_proc");
        exit(-1);
    }

    LOG1((TEXT("Dropping root\n")));

    LOG1((TEXT("Before GetUID = %d\n"),getuid()));
    LOG1((TEXT("Before GetEUID = %d\n"),geteuid()));
    LOG1((TEXT("Before GetGID = %d\n"),getgid()));
    LOG1((TEXT("Before GetEGID = %d\n"),getegid()));

    // Switch to the real user ID and real group ID; return values are logged
    LOG1((TEXT("Dropped root = %d\n"),setuid(getuid())));
    LOG1((TEXT("Dropped group= %d\n"),setgid(getgid())));

    LOG1((TEXT("After GetUID = %d\n"),getuid()));
    LOG1((TEXT("After GetEUID = %d\n"),geteuid()));
    LOG1((TEXT("After GetGID = %d\n"),getgid()));
    LOG1((TEXT("After GetEGID = %d\n"),getegid()));

    // Log the same flags again, read from cap_cur_p
    LOGERR((TEXT("After\n")));
    cap_ok = CAP_CLEAR;
    cap_get_flag(cap_cur_p, CAP_NET_ADMIN, CAP_PERMITTED, &cap_ok);
    LOG1((TEXT("NET_ADMIN = %d\n"),cap_ok));
    cap_ok = CAP_CLEAR;
    cap_get_flag(cap_cur_p, CAP_NET_RAW, CAP_PERMITTED, &cap_ok);
    LOG1((TEXT("NET_RAW = %d\n"),cap_ok));
}

The dbus calls start after the above function is executed. The session bus ID is returned as 0 which is incorrect.

// Log output - Important lines marked with *****

22:35:00.639: 1|  612|  612|-    |setPermissions at kservicebase.cpp:142|Setting appropriate permissions
22:35:00.639: 1|  612|  612|-    |setPermissions at kservicebase.cpp:162|GetUID = 0
22:35:00.639: E|  612|  612|Success|setPermissions at kservicebase.cpp:165|Before
22:35:00.639: 1|  612|  612|-    |setPermissions at kservicebase.cpp:168|NET_ADMIN = 1
22:35:00.639: 1|  612|  612|-    |setPermissions at kservicebase.cpp:171|NET_RAW = 1
22:35:00.639: E|  612|  612|Success|setPermissions at kservicebase.cpp:179|ERROR1 1
22:35:00.639: 1|  612|  612|-    |setPermissions at kservicebase.cpp:194|Dropping root
22:35:00.639: 1|  612|  612|-    |setPermissions at kservicebase.cpp:196|Before GetUID = 1000
22:35:00.639: 1|  612|  612|-    |setPermissions at kservicebase.cpp:197|Before GetEUID = 0 *****
22:35:00.639: 1|  612|  612|-    |setPermissions at kservicebase.cpp:198|Before GetGID = 1000
22:35:00.639: 1|  612|  612|-    |setPermissions at kservicebase.cpp:199|Before GetEGID = 1000
22:35:00.639: 1|  612|  612|-    |setPermissions at kservicebase.cpp:201|Dropped root = 0
22:35:00.639: 1|  612|  612|-    |setPermissions at kservicebase.cpp:202|Dropped group= 0
22:35:00.639: 1|  612|  612|-    |setPermissions at kservicebase.cpp:204|After GetUID = 1000
22:35:00.639: 1|  612|  612|-    |setPermissions at kservicebase.cpp:205|After GetEUID = 1000 *****
22:35:00.639: 1|  612|  612|-    |setPermissions at kservicebase.cpp:206|After GetGID = 1000
22:35:00.639: 1|  612|  612|-    |setPermissions at kservicebase.cpp:207|After GetEGID = 1000
22:35:00.639: E|  612|  612|Success|setPermissions at kservicebase.cpp:209|After
22:35:00.639: 1|  612|  612|-    |setPermissions at kservicebase.cpp:212|NET_ADMIN = 1
22:35:00.639: 1|  612|  612|-    |setPermissions at kservicebase.cpp:215|NET_RAW = 1
unix:abstract=/tmp/dbus-QB8cEiSybh // This is just a system("echo $DBUS_SESSION_BUS_ADDRESS"); call to indicate that the bus address is available in the program environment variables. *****
22:35:01.641: 3|  612|  612|-    |GetIPCInstance2 at ipcfactory.cpp:40|Enter GetIPCInstance
22:35:01.641: 3|  612|  612|-    |Connect at dbusipc.cpp:140|Enter
22:35:01.641: M|  612|  612|DBus           |Connection ID for Session 0 Bus *****
22:35:01.641:DBus|  612|  612|Success|Connect at dbusipc.cpp:170|Unable to connect to the Session bus for error org.freedesktop.DBus.Error.NotSupported
22:35:01.641:ccf-tests|  612|  612|Success|main at main.cpp:81|Session bus Connection initialization failed



I'm unable to figure out why I'm unable to connect to the session bus despite dropping to user 1000. Tried with both setuid and seteuid. Makes no difference. Can somebody help?

P.S - Apologies for shamelessly dumping code and logs here. What are the norms of sharing code in these mailing lists? Any formatting options? Or should I use pastebins?


Thanks and Regards,

Manish Narang

Technical Lead - Infotainment
