[SOLVED] Thunar "Open root terminal here" solution security issues

catkin · 11-16-2010, 03:16 AM

Hello

I've developed Thunar custom actions that provide "Open root terminal here" and "vi as root" but am concerned about security.

At the core of the mechanism, a non-root Thunar user writes a temporary file and then starts a terminal emulator which runs su - and (after su authentication) executes bash with --rcfile <temporary file>. Thus root executes commands in the temporary file which is writeable by a non-root user.

The temporary file is exposed for as long as it takes to create and populate it and for the user to enter root's password and press Enter plus authentication and bash startup time. To mitigate the risk the temporary file is created using /usr/bin/mktemp so has a randomised name and 600 permissions.

Would it be possible for a non-root user that had been able to assume the user's credentials (a better word?) to detect the file creation (inotify or otherwise?) and thus modify the file and have arbitrary commands executed as root? If so can this be solved?

Best

Charles

sweetfa · 11-16-2010, 03:46 AM

Firstly - if you are only mktemp'ing the filename, the filename will be easy to guess if someone is familiar with what you are doing.

Aside from the fact you are giving a user carte blanche to do what they like (they can put whatever they like in the file) the file is also not owned by root. Perhaps it is better that the sudo happens for the edit as well and the file is owned by root. That way at least you could restrict it more than what you have at the moment.

Which is more likely, someone figuring out an individual user access or root access.

Personally I would allow a certain set of commands using sudoers file rather than the approach you are taking.

catkin · 11-18-2010, 05:05 AM

Quote:

Originally Posted by sweetfa

Firstly - if you are only mktemp'ing the filename, the filename will be easy to guess if someone is familiar with what you are doing.

Aside from the fact you are giving a user carte blanche to do what they like (they can put whatever they like in the file) the file is also not owned by root. Perhaps it is better that the sudo happens for the edit as well and the file is owned by root. That way at least you could restrict it more than what you have at the moment.

Which is more likely, someone figuring out an individual user access or root access.

Personally I would allow a certain set of commands using sudoers file rather than the approach you are taking.

Thanks for the reply sweetfa

I'm trying to figure out a more secure solution but do want to achieve a full root logon shell with the single difference of starting in a user-specified directory.

catkin · 11-18-2010, 10:58 AM

I've figured out a secure enough mechanism to have blogged it here. It's a bit kludgy and multiple instances could interfere with each other but the Thunar custom action "Open root terminal here" has been widely sought and I've never seen a solution so it could be useful.