[ITP] libsuexec 1.0
Sat Aug 16 08:48:00 GMT 2014
On Aug 16 10:05, D. Boland wrote:
> Hi group,
> This is not an existing package, but a spin-off project from porting
> Sendmail and Procmail to Cygwin. These programs, as you may or may not
> know, rely heavily on the setuid mechanism (impersonating as another
> user). More formally, this is called 'running as an unprivileged
> user' in Linux and 'privilege separation' in OpenBSD. In Cygwin, this
> mechanism is already implemented in the ssh daemon.
> Sendmail takes this idea to the extreme. It starts up as the root user
> and waits for connections. On connection, it starts the 'queue runner'
> program as an unprivileged user called 'smmsp', which handles the
> conversation with the remote e-mail client.
> If the incoming e-mail has to be delivered locally (stored on disk),
> the queue runner starts the procmail program, which in turn switches
> to the actual user the e-mail is meant for and stores it in the user's
> So, for instance, sending an e-mail to myself involves switching
> through three users: root -> smmsp -> daniel
> The problem
> -----------
> Up to WinXP and Win2002, porting source code
> for Cygwin which performed this switching of users, wasn't a big
> In Windows, it is the 'SYSTEM' user which starts up most services,
> thus in effect acting as the Unix 'root' user. The difference is that
> SYSTEM has uid '18', while root has uid '0' in Unix.
> So, if porting from Unix to Cygwin one could just look for all
> occurrences of uid '0' and replace them with '18'. Actually, this
> technique has been used to create the current Cygwin port of the
> Procmail program.
> As of Win7 and Win2003 this will no longer work. For security reasons,
> the privilege needed to impersonate another user (called
> 'SeCreateTokenPrivilege') has been removed from the SYSTEM user.
> Services (daemons) who need impersonation now have to be started by
> non-SYSTEM users, which have been put in the 'Administrators' group
> and granted the SeCreateTokenPrivilege. This works for most suid
> software, like the Apache webserver, but not for Sendmail and
> Both programs *enforce* what is called the Capabilities model. This
> means that both programs actually check if they are run by root and if
> not, refuse to deliver e-mail. So, simply replacing '0' with '18' in
> the source code has no effect.
> The solution
> ------------
> The solution to this problem turns out to be
> very simple and elegant: *tell* Sendmail and Procmail who is the root
> user by overriding functions which involve getting or setting user
> For instance: make the getuid() function return '0' when the actual
> user id is '18' and make the setuid() function change to uid '18' if
> the requested uid is '0'. Take this idea one step further and Sendmail
> and Procmail become 'multi-root aware'.
Now I *finally* understand what you mean with "multi-root". Duh.
> I created this library to do exactly that. On startup it assumes the
> root user id is '18' (SYSTEM) and the root group id is '544'
> (Administrators). It overrides the original getuid(), getgid(), etc.
> functions to return '0' if the actual uid/gid are '18' or '544'.
> The library makes its program 'multi-root aware' by checking if the
> non-SYSTEM user is a member of the 'Administrators' group and if so,
> simply replacing *its* uid and gid to be '0'. This totally satisfies
> Sendmail and Procmail.
> More importantly: I didn't have to change a single line in their
> source code (which would have been an awful lot), because the library
> is doing the swapping of uids/gids in the background.
> To use this library, put '#include <suexec.h>' and '-lsuexec' at a
> strategic location in your source code and Makefile. To make your
> program 'multi-root' aware and even do suid and/or sugid, place a call
> to 'suexec(argv)' in your 'main' function and set the suid and/or
> sgid bits on the resulting binary.
> All GTG's are welcome...
This looks neat. It doesn't cover the acl(2) family of functions,
but these are seldom used anyway.
I have just a few small nits.
- suexec.h neglects to declare most of the su_* functions. This doesn't
seem much of a problem at first, but it is when using this from C++,
or when running a build with -Werror. May I suggest to declare all
su_* functions in suexec.h?
- The expression "multi-root" doesn't have a known meaning. The
description text in setup.hint doesn't help a lot either. In a way it
claims that setuid/setgid isn't available without this package, which
is wrong, and it uses the expression "multi-root" by way of explaining
it. Along these lines...
- ... it would be much more helpful if you could explain what the
package is doing, basically the full content of this mail of yours I'm
just replying to, in a README file under /usr/share/doc/suexec/. Keep
in mind that the description text in setup.hint is (still) not visible
from setup-<arch>.exe, thus almost nobody will read it. Also, to
understand what you mean by "multi-root", such a longer description in
a proposed README file is really necessary.
Does that make sense?
Corinna Vinschen
Cygwin Maintainer
Please, send mails regarding Cygwin to cygwin AT cygwin DOT com
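The uid/gid translation the ITP describes (getuid() reporting 0 for SYSTEM/uid 18 or any member of Administrators/gid 544, setuid(0) being redirected to uid 18, and an unprivileged caller being unable to switch at all), modelled as an added example that is not libsuexec's own code. Corinna mentions the library's `su_*` functions, but the names used here (`su_lookup`, `su_is_root`, `su_getuid`, `su_getgid`, `su_win_uid`, `su_setuid`), the account table (only 18 and 544 come from the mail), and the rule that setuid(0) from an already root-mapped caller is a no-op are assumptions. The switch is simulated over a constructed table so it runs without SYSTEM or Administrator rights:

```c
/* Added example, not libsuexec's own code: the uid/gid translation the
 * thread describes, modelled as pure functions over a constructed account
 * table so it runs without SYSTEM/Administrator rights.  The su_* names,
 * the account table and the behaviour of setuid(0) for an already
 * root-mapped caller are assumptions, not the library's documented API. */
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>

#define SU_ROOT_UID_WIN 18   /* Cygwin uid of SYSTEM (from the ITP) */
#define SU_ROOT_GID_WIN 544  /* Cygwin gid of Administrators (from the ITP) */

/* One account as the library would see it: real Cygwin ids plus the
 * supplementary group list that decides "multi-root" membership. */
typedef struct {
    const char *name;
    uid_t uid;
    gid_t gid;
    const gid_t *groups;
    size_t ngroups;
} su_account;

/* Constructed sample accounts; every uid/gid other than 18 and 544 is invented. */
static const gid_t grp_admin[] = { SU_ROOT_GID_WIN, 545 };
static const gid_t grp_users[] = { 545 };
static const su_account su_accounts[] = {
    { "SYSTEM",     18,   18,  grp_admin, 2 },
    { "cyg_server", 1001, 513, grp_admin, 2 },  /* service account placed in Administrators */
    { "smmsp",      25,   25,  grp_users, 1 },  /* Sendmail's queue runner user */
    { "daniel",     1000, 513, grp_users, 1 },  /* final recipient */
};
#define SU_NACCOUNTS (sizeof su_accounts / sizeof su_accounts[0])

const su_account *su_lookup(uid_t win_uid)
{
    for (size_t i = 0; i < SU_NACCOUNTS; i++)
        if (su_accounts[i].uid == win_uid)
            return &su_accounts[i];
    return NULL;
}

/* "Multi-root aware": SYSTEM itself, or any account whose primary or
 * supplementary group is Administrators, is presented to the program as root. */
bool su_is_root(const su_account *a)
{
    if (a->uid == SU_ROOT_UID_WIN || a->gid == SU_ROOT_GID_WIN)
        return true;
    for (size_t i = 0; i < a->ngroups; i++)
        if (a->groups[i] == SU_ROOT_GID_WIN)
            return true;
    return false;
}

/* getuid()/getgid() direction: hide the Windows ids behind Unix root. */
uid_t su_getuid(const su_account *a) { return su_is_root(a) ? 0 : a->uid; }
gid_t su_getgid(const su_account *a) { return su_is_root(a) ? 0 : a->gid; }

/* setuid() direction: a request for uid 0 means "the Cygwin root", i.e. 18. */
uid_t su_win_uid(uid_t requested) { return requested == 0 ? SU_ROOT_UID_WIN : requested; }

/* Simulated setuid(2): 0 on success, -1 where the real call would fail
 * with EPERM.  *cur is the calling process's current account. */
int su_setuid(const su_account **cur, uid_t requested)
{
    if (su_is_root(*cur) && requested == 0)
        return 0;                 /* already root-mapped: nothing to change (assumption) */
    if (!su_is_root(*cur) && requested != (*cur)->uid)
        return -1;                /* unprivileged callers may only keep their own uid */
    const su_account *target = su_lookup(su_win_uid(requested));
    if (target == NULL)
        return -1;                /* unknown uid: refuse, as setuid(2) does */
    *cur = target;
    return 0;
}
```

Walking the mail's own chain through these functions, `cyg_server` (in Administrators) reads as uid 0, can drop to `smmsp`, and `smmsp` cannot then switch to `daniel` on its own; the real Procmail gets that step back only because it is a setuid binary, which is exactly the part the ITP says `suexec(argv)` plus the suid bit handles.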