duplicity-team team mailing list archive

[Kenneth Loafman <kenneth@xxxxxxxxxxx>]

If I understand this correctly, then new files will be created by
'duplicity', but older files owned by root will not be deletable.
Correct?  I'm thinking a one-time 'chown -R duplicity: ~/cache/duplicity/*'
would fix that problem.


On Sun, Apr 26, 2015 at 7:31 PM, James Wilson <jmw@xxxxxxxxxxxx> wrote:

> James Wilson has proposed merging lp:~jmwilson/duplicity/capabilities into
> lp:duplicity.
>
> Requested reviews:
>   duplicity-team (duplicity-team)
>
> For more details, see:
> https://code.launchpad.net/~jmwilson/duplicity/capabilities/+merge/257488
>
> Proposal is to add an unprivileged "duplicity" user during installation
> that is used to limit the capabilities when duplicity is run as root. To
> manage capabilities, I'm using the python bindings for libcap-ng (which
> needs its own updating since at least the current vivid package is empty
> for some reason, but is correct when built from source).
>
> I've been interested in using duplicity for system-wide backups, but one
> thing that is troubling is that it must be run as root. As an interpreted
> program that communicates on the network, this exposes the host to possible
> bugs in python or any other packages imported in duplicity.
>
> First, examining the code in bin/duplicity:
>     # if python is run setuid, it's only partway set,
>     # so make sure to run with euid/egid of root
>     if os.geteuid() == 0:
>         # make sure uid/gid match euid/egid
>         os.setuid(os.geteuid())
>         os.setgid(os.getegid())
>
> I'm not sure what this is for; if you're root (i.e., os.geteuid() == 0)
> then there's no need to switch the real uid. When the machination of
> "setuid(geteuid())" is used it is typically when the ruid=0 and we want to
> irrevocably drop privileges to a euid!=0 normal user. That's not the case
> here, so this doesn't help or harm us.
>
> Then there's the issue of running duplicity as root. Since it's an
> interpreted program, the normal ways of expanding privileges (SUID
> executable or setcap on the script) are unavailable, and the other options
> are to run it as root, or put SUID or file capabilities on the python
> interpreter.
>
> The only reason to run duplicity as root is get read access to the whole
> file system. We can safely drop all capabilities other than
> CAP_DAC_READ_SEARCH. Since we're still root, we'll get all capabilities
> back if we do execve, so we could also change the bounding set or lock the
> securebits to prevent the kernel from re-granting privileges on execve.
> Nonetheless, we're still root, and lots of important files are owned by and
> writable to root, so the best choice is to change uid to an unprivileged
> user who maintains only the ability to read the whole file system.
>
> It's hard to test the change directly, since it doesn't change the output
> or actions of duplicity. The following python script mimics what the code
> does and demonstrates the reduction of capabilities:
>
> #!/usr/bin/env python
>
> from __future__ import print_function
> from capng import *
> import fcntl
> import os
> import pwd
> import signal
> import sys
>
> if os.geteuid() != 0:
>     sys.exit()
>
> user = pwd.getpwnam("nobody")
> capng_clear(CAPNG_SELECT_CAPS)
> capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
> CAP_DAC_READ_SEARCH)
> capng_change_id(user.pw_uid, user.pw_gid, CAPNG_DROP_SUPP_GRP)
>
> print("getuid = {}, geteuid = {}".format(os.getuid(), os.geteuid()))
> print("After dropping capabilities:")
> capng_get_caps_process()
> capng_print_caps_numeric(CAPNG_PRINT_STDOUT, CAPNG_SELECT_BOTH)
> print()
>
> pread, pwrite = os.pipe()
> pid = os.fork()
> if pid == 0:
>     os.close(pread)
>     fcntl.fcntl(pwrite, fcntl.F_SETFD, fcntl.FD_CLOEXEC)
>     os.execl('/usr/bin/tail', '-f', '/dev/null')
> else:
>     os.close(pwrite)
>     os.read(pread, 1)
>     capng_setpid(pid)
>     capng_get_caps_process()
>     print("getuid = {}, geteuid = {}".format(os.getuid(), os.geteuid()))
>     print("Capabilities after execve:")
>     caps = capng_print_caps_numeric(CAPNG_PRINT_STDOUT, CAPNG_SELECT_BOTH)
>     os.kill(pid, signal.SIGTERM)
>
> which when run as root (sudo python script.py) should produce this output:
> getuid = 65534, geteuid = 65534
> After dropping capabilities:
> Effective:    00000000, 00000004
> Permitted:    00000000, 00000004
> Inheritable:  00000000, 00000000
> Bounding Set: 0000003F, FFFFFFFF
>
> getuid = 65534, geteuid = 65534
> Capabilities after execve:
> Effective:    00000000, 00000000
> Permitted:    00000000, 00000000
> Inheritable:  00000000, 00000000
> Bounding Set: 0000003F, FFFFFFFF
>
> --
> Your team duplicity-team is requested to review the proposed merge of
> lp:~jmwilson/duplicity/capabilities into lp:duplicity.
>
> === modified file 'README'
> --- README      2014-10-18 19:44:29 +0000
> +++ README      2015-04-27 00:30:33 +0000
> @@ -23,6 +23,7 @@
>   * librsync v0.9.6 or later
>   * GnuPG v1.x for encryption
>   * python-lockfile for concurrency locking
> + * python-capng for managing capabilities when run as root
>   * for scp/sftp -- python-paramiko and python-pycryptopp
>   * for ftp -- lftp version 3.7.15 or later
>   * Boto 2.0 or later for single-processing S3 or GCS access (default)
>
> === modified file 'bin/duplicity'
> --- bin/duplicity       2015-03-09 18:50:58 +0000
> +++ bin/duplicity       2015-04-27 00:30:33 +0000
> @@ -38,6 +38,8 @@
>  import resource
>  import re
>  import threading
> +import capng
> +import pwd
>  from datetime import datetime
>  from lockfile import FileLock
>
> @@ -1340,12 +1342,18 @@
>  See https://bugs.launchpad.net/duplicity/+bug/931175
>  """), log.ErrorCode.pythonoptimize_set)
>
> -    # if python is run setuid, it's only partway set,
> -    # so make sure to run with euid/egid of root
> +    # if python is running as root, then drop all capabilities except
> +    # unrestricted read access and then change user to prevent regaining
> +    # capabilities via execve.
>      if os.geteuid() == 0:
> -        # make sure uid/gid match euid/egid
> -        os.setuid(os.geteuid())
> -        os.setgid(os.getegid())
> +        user = pwd.getpwnam("duplicity")
> +        capng.capng_clear(capng.CAPNG_SELECT_CAPS)
> +        if (capng.capng_update(capng.CAPNG_ADD,
> +                              capng.CAPNG_EFFECTIVE |
> capng.CAPNG_PERMITTED,
> +                              capng.CAP_DAC_READ_SEARCH)
> +            or capng.capng_change_id(user.pw_uid, user.pw_gid,
> +                                     capng.CAPNG_DROP_SUPP_GRP)):
> +            log.FatalError("Unable to drop root privileges.")
>
>      # set the current time strings (make it available for command line
> processing)
>      dup_time.setcurtime()
>
> === modified file 'debian/control'
> --- debian/control      2014-10-27 14:15:52 +0000
> +++ debian/control      2015-04-27 00:30:33 +0000
> @@ -27,6 +27,7 @@
>           gnupg,
>           python-lockfile,
>           python-pexpect,
> +         python-capng,
>  Suggests: ncftp,
>            python-boto,
>            python-paramiko,
>
> === added file 'debian/duplicity.postinst'
> --- debian/duplicity.postinst   1970-01-01 00:00:00 +0000
> +++ debian/duplicity.postinst   2015-04-27 00:30:33 +0000
> @@ -0,0 +1,7 @@
> +#!/bin/sh -e
> +
> +if [ "$1" = "configure" ]; then
> +  if ! getent passwd duplicity >/dev/null; then
> +    adduser --quiet --system --no-create-home --home /nonexistant --shell
> /usr/sbin/nologin duplicity
> +  fi
> +fi
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~duplicity-team
> Post to     : duplicity-team@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~duplicity-team
> More help   : https://help.launchpad.net/ListHelp
>
>

-- 
https://code.launchpad.net/~jmwilson/duplicity/capabilities/+merge/257488
Your team duplicity-team is requested to review the proposed merge of lp:~jmwilson/duplicity/capabilities into lp:duplicity.