
Issue 899772


Issue metadata

Status: Verified
Owner:
Closed: Jan 8
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Bug

Blocking:
issue 845640




run pppd under shill user instead of allowing it to setuid to root

Project Member Reported by mortonm@chromium.org, Oct 29

Issue description

The pppd program is written assuming that it will always be run as root. Preliminary attempts at patching the code to get it to run as non-root (with the requisite capabilities) have not been successful. See below for more details.

Make pppd run under its own user/group, separate from that of shill (its parent), and give it CAP_SETUID so it can setuid to root. This will allow us to still restrict the CAP_SETUID-related privileges granted to shill (i.e. can only setuid to approved users, can't create/enter new user namespaces) while allowing pppd to be started in a minijail with CAP_SETUID. The setuid bit on the pppd binary will remain off since it was removed in https://chromium-review.googlesource.com/c/chromiumos/overlays/chromiumos-overlay/+/988224.


Difficulties running pppd as non-root:
Even if we patch pppd to allow starting as non-root with this patch https://chromium-review.googlesource.com/c/chromiumos/overlays/chromiumos-overlay/+/1022398 plus adding a patch here https://github.com/paulusmack/ppp/blob/master/pppd/tty.c#L578, we still run into trouble. Testing with a Huawei LTE dongle will cause shill to invoke the following command:

'/usr/sbin/pppd nodetach nodefaultroute usepeerdns plugin /usr/lib64/shill/shims/shill-pppd-plugin.so ttyUSB0'

Modifying shill to add the 'debug' arg to the pppd invocation allows us to inspect the LCP communications:

pppd running as root:
2018-10-26T10:06:48.237217-07:00 INFO shill[1546]: [INFO:cellular.cc(1058)] Forked pppd process.
2018-10-26T10:06:48.264408-07:00 WARNING pppd[3110]: Warning: plugin /usr/lib64/shill/shims/shill-pppd-plugin.so has no version information
2018-10-26T10:06:48.264475-07:00 INFO pppd[3110]: Plugin /usr/lib64/shill/shims/shill-pppd-plugin.so loaded.
2018-10-26T10:06:48.264622-07:00 INFO pppd[3110]: [INFO:ppp.cc(68)] PPP started.
2018-10-26T10:06:48.265675-07:00 NOTICE pppd[3110]: pppd 2.4.7 started by root, uid 0
2018-10-26T10:06:48.266452-07:00 DEBUG pppd[3110]: using channel 1
2018-10-26T10:06:48.267025-07:00 INFO pppd[3110]: Using interface ppp0
2018-10-26T10:06:48.267233-07:00 NOTICE pppd[3110]: Connect: ppp0 <--> /dev/ttyUSB0
2018-10-26T10:06:48.267335-07:00 INFO pppd[3110]: [INFO:ppp.cc(72)] GetSecret
2018-10-26T10:06:48.269581-07:00 INFO pppd[3110]: [INFO:ppp.cc(157)] Task proxy created: :1.17 - /task/0
2018-10-26T10:06:48.269802-07:00 INFO pppd[3110]: [INFO:task_proxy.cc(34)] GetSecret
2018-10-26T10:06:48.271216-07:00 INFO pppd[3110]: [INFO:ppp.cc(166)] Task proxy destroyed.
2018-10-26T10:06:48.271436-07:00 DEBUG pppd[3110]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xe8f5cae2> <pcomp> <accomp>]
2018-10-26T10:06:48.272287-07:00 DEBUG pppd[3110]: rcvd [LCP ConfReq id=0x1 <accomp> <pcomp> <asyncmap 0x0> <mru 1500> <magic 0x545> <auth chap MD5>]
2018-10-26T10:06:48.272472-07:00 DEBUG pppd[3110]: sent [LCP ConfAck id=0x1 <accomp> <pcomp> <asyncmap 0x0> <mru 1500> <magic 0x545> <auth chap MD5>]
2018-10-26T10:06:48.272693-07:00 DEBUG pppd[3110]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0xe8f5cae2> <pcomp> <accomp>]
2018-10-26T10:06:48.272906-07:00 INFO pppd[3110]: [INFO:ppp.cc(82)] OnAuthenticateStart
2018-10-26T10:06:48.274306-07:00 INFO pppd[3110]: [INFO:ppp.cc(157)] Task proxy created: :1.17 - /task/0
2018-10-26T10:06:48.274538-07:00 INFO pppd[3110]: [INFO:task_proxy.cc(24)] Notify(authenticating, argcount: 0)
2018-10-26T10:06:48.275782-07:00 INFO pppd[3110]: [INFO:ppp.cc(166)] Task proxy destroyed.
2018-10-26T10:06:48.275989-07:00 DEBUG pppd[3110]: rcvd [CHAP Challenge id=0x1 <a71a5f96e7a76c7940322a72caf6ae6c>, name = "HUAWEI_CHAP_SRVR"]
2018-10-26T10:06:48.276638-07:00 INFO pppd[3110]: [INFO:ppp.cc(72)] GetSecret
2018-10-26T10:06:48.277907-07:00 INFO pppd[3110]: [INFO:ppp.cc(157)] Task proxy created: :1.17 - /task/0
2018-10-26T10:06:48.278105-07:00 INFO pppd[3110]: [INFO:task_proxy.cc(34)] GetSecret
2018-10-26T10:06:48.279324-07:00 INFO pppd[3110]: [INFO:ppp.cc(166)] Task proxy destroyed.
2018-10-26T10:06:48.279952-07:00 DEBUG pppd[3110]: sent [CHAP Response id=0x1 <93455472309494374a05e60c4f491531>, name = ""]
2018-10-26T10:06:48.280741-07:00 DEBUG pppd[3110]: rcvd [CHAP Success id=0x1 "Welcome!!"]
2018-10-26T10:06:48.281320-07:00 INFO pppd[3110]: CHAP authentication succeeded: Welcome!!
2018-10-26T10:06:48.281381-07:00 NOTICE pppd[3110]: CHAP authentication succeeded
2018-10-26T10:06:48.281472-07:00 INFO pppd[3110]: [INFO:ppp.cc(91)] OnAuthenticateDone


pppd running as non-root:
2018-10-26T10:08:44.980174-07:00 INFO shill[1537]: [INFO:cellular.cc(1058)] Forked pppd process.
2018-10-26T10:08:45.005911-07:00 WARNING pppd[3086]: Warning: plugin /usr/lib64/shill/shims/shill-pppd-plugin.so has no version information
2018-10-26T10:08:45.006073-07:00 INFO pppd[3086]: Plugin /usr/lib64/shill/shims/shill-pppd-plugin.so loaded.
2018-10-26T10:08:45.006239-07:00 INFO pppd[3086]: [INFO:ppp.cc(68)] PPP started.
2018-10-26T10:08:45.007321-07:00 NOTICE pppd[3086]: pppd 2.4.7 started by shill, uid 20104
2018-10-26T10:08:45.008344-07:00 DEBUG pppd[3086]: using channel 1
2018-10-26T10:08:45.010422-07:00 INFO pppd[3086]: Using interface ppp0
2018-10-26T10:08:45.010833-07:00 NOTICE pppd[3086]: Connect: ppp0 <--> /dev/ttyUSB0
2018-10-26T10:08:45.011051-07:00 INFO pppd[3086]: [INFO:ppp.cc(72)] GetSecret
2018-10-26T10:08:45.012998-07:00 INFO pppd[3086]: [INFO:ppp.cc(157)] Task proxy created: :1.17 - /task/0
2018-10-26T10:08:45.013196-07:00 INFO pppd[3086]: [INFO:task_proxy.cc(34)] GetSecret
2018-10-26T10:08:45.014821-07:00 INFO pppd[3086]: [INFO:ppp.cc(166)] Task proxy destroyed.
2018-10-26T10:08:45.015065-07:00 DEBUG pppd[3086]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth eap> <magic 0x5971c8ea> <pcomp> <accomp>]
2018-10-26T10:08:45.016221-07:00 DEBUG pppd[3086]: rcvd [LCP ConfReq id=0x1 <accomp> <pcomp> <asyncmap 0x0> <mru 1500> <magic 0x547> <auth chap MD5>]
2018-10-26T10:08:45.016410-07:00 DEBUG pppd[3086]: sent [LCP ConfAck id=0x1 <accomp> <pcomp> <asyncmap 0x0> <mru 1500> <magic 0x547> <auth chap MD5>]
2018-10-26T10:08:45.016533-07:00 DEBUG pppd[3086]: rcvd [LCP ConfNak id=0x1 <auth pap>]
2018-10-26T10:08:45.016613-07:00 DEBUG pppd[3086]: sent [LCP ConfReq id=0x2 <asyncmap 0x0> <auth chap MD5> <magic 0x5971c8ea> <pcomp> <accomp>]
2018-10-26T10:08:45.017520-07:00 DEBUG pppd[3086]: rcvd [LCP ConfAck id=0x2 <asyncmap 0x0> <auth chap MD5> <magic 0x5971c8ea> <pcomp> <accomp>]
2018-10-26T10:08:45.017814-07:00 INFO pppd[3086]: [INFO:ppp.cc(82)] OnAuthenticateStart
2018-10-26T10:08:45.019136-07:00 INFO pppd[3086]: [INFO:ppp.cc(157)] Task proxy created: :1.17 - /task/0
2018-10-26T10:08:45.019331-07:00 INFO pppd[3086]: [INFO:task_proxy.cc(24)] Notify(authenticating, argcount: 0)
2018-10-26T10:08:45.020491-07:00 INFO pppd[3086]: [INFO:ppp.cc(166)] Task proxy destroyed.
2018-10-26T10:08:45.020688-07:00 DEBUG pppd[3086]: sent [CHAP Challenge id=0xb9 <71eb254ae4bbc9eff78dc3e5e39bf1572a78fd>, name = "localhost"]
2018-10-26T10:08:45.020817-07:00 DEBUG pppd[3086]: rcvd [CHAP Challenge id=0x1 <d15f1b91769f0a040dac54cd4f083d6a>, name = "HUAWEI_CHAP_SRVR"]
2018-10-26T10:08:45.021470-07:00 INFO pppd[3086]: [INFO:ppp.cc(72)] GetSecret
2018-10-26T10:08:45.022707-07:00 INFO pppd[3086]: [INFO:ppp.cc(157)] Task proxy created: :1.17 - /task/0
2018-10-26T10:08:45.022910-07:00 INFO pppd[3086]: [INFO:task_proxy.cc(34)] GetSecret
2018-10-26T10:08:45.024152-07:00 INFO pppd[3086]: [INFO:ppp.cc(166)] Task proxy destroyed.
2018-10-26T10:08:45.024801-07:00 DEBUG pppd[3086]: sent [CHAP Response id=0x1 <432ceb4d7e090b5cf3819862ba54632b>, name = ""]
2018-10-26T10:08:45.024965-07:00 DEBUG pppd[3086]: rcvd [CHAP Response id=0xb9 <00000000000000000000000000000000>, name = "HUAWEI_CHAP_CLNT"]
2018-10-26T10:08:45.026628-07:00 WARNING pppd[3086]: Warning - secret file /etc/ppp/chap-secrets has world and/or group access
2018-10-26T10:08:45.028324-07:00 ERR pppd[3086]: No CHAP secret found for authenticating HUAWEI_CHAP_CLNT
2018-10-26T10:08:45.028402-07:00 WARNING pppd[3086]: Peer HUAWEI_CHAP_CLNT failed CHAP authentication
2018-10-26T10:08:45.028474-07:00 DEBUG pppd[3086]: sent [CHAP Failure id=0xb9 ""]
2018-10-26T10:08:45.028710-07:00 DEBUG pppd[3086]: sent [LCP TermReq id=0x3 "Authentication failed"]
2018-10-26T10:08:45.029487-07:00 DEBUG pppd[3086]: rcvd [LCP TermReq id=0x2]
2018-10-26T10:08:45.029675-07:00 DEBUG pppd[3086]: sent [LCP TermAck id=0x2]
2018-10-26T10:08:45.029813-07:00 DEBUG pppd[3086]: rcvd [LCP TermAck id=0x3]
2018-10-26T10:08:45.029970-07:00 INFO pppd[3086]: [INFO:ppp.cc(133)] OnDisconnect
2018-10-26T10:08:45.031787-07:00 INFO pppd[3086]: [INFO:ppp.cc(157)] Task proxy created: :1.17 - /task/0
2018-10-26T10:08:45.032080-07:00 INFO pppd[3086]: [INFO:task_proxy.cc(24)] Notify(disconnect, argcount: 0)
2018-10-26T10:08:45.032769-07:00 INFO shill[1537]: [INFO:manager.cc(1485)] Service 38 updated; state: Failure failure ppp-auth-failed
2018-10-26T10:08:45.035491-07:00 INFO pppd[3086]: [INFO:ppp.cc(166)] Task proxy destroyed.
2018-10-26T10:08:45.035511-07:00 NOTICE pppd[3086]: Connection terminated.


When running as non-root, it looks like things start to diverge around the time pppd receives "[LCP ConfNak id=0x1 <auth pap>]" from the server.
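
An added example (not part of the original report, and not pppd or shill code) that compares the LCP packets of the two runs above after dropping the per-session magic values, and lists the authentication protocols the local pppd placed in its own ConfReq. In LCP, an auth option in a ConfReq asks the peer to authenticate itself. The function names are illustrative, and the log lines are copied from the logs above with the syslog prefix trimmed.

```python
import re

# LCP lines copied from the two debug logs above (syslog prefix trimmed).
ROOT_RUN = """\
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xe8f5cae2> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <accomp> <pcomp> <asyncmap 0x0> <mru 1500> <magic 0x545> <auth chap MD5>]
sent [LCP ConfAck id=0x1 <accomp> <pcomp> <asyncmap 0x0> <mru 1500> <magic 0x545> <auth chap MD5>]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0xe8f5cae2> <pcomp> <accomp>]
"""
NONROOT_RUN = """\
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth eap> <magic 0x5971c8ea> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <accomp> <pcomp> <asyncmap 0x0> <mru 1500> <magic 0x547> <auth chap MD5>]
sent [LCP ConfAck id=0x1 <accomp> <pcomp> <asyncmap 0x0> <mru 1500> <magic 0x547> <auth chap MD5>]
rcvd [LCP ConfNak id=0x1 <auth pap>]
sent [LCP ConfReq id=0x2 <asyncmap 0x0> <auth chap MD5> <magic 0x5971c8ea> <pcomp> <accomp>]
rcvd [LCP ConfAck id=0x2 <asyncmap 0x0> <auth chap MD5> <magic 0x5971c8ea> <pcomp> <accomp>]
"""

PACKET = re.compile(r"(sent|rcvd) \[LCP (\w+) id=0x[0-9a-f]+((?: <[^>]*>)*)\]")

def lcp_packets(log):
    """Return (direction, code, options) per LCP packet. Magic values are
    dropped: they are random per session and would mask real differences."""
    packets = []
    for m in PACKET.finditer(log):
        opts = re.findall(r"<([^>]*)>", m.group(3))
        opts = frozenset("magic" if o.startswith("magic ") else o for o in opts)
        packets.append((m.group(1), m.group(2), opts))
    return packets

def first_divergence(a, b):
    """(index, packet_a, packet_b) for the first differing LCP packet, or None
    if the common prefix of the two runs is identical."""
    for i, (x, y) in enumerate(zip(lcp_packets(a), lcp_packets(b))):
        if x != y:
            return i, x, y
    return None

def auth_demanded_of_peer(log):
    """Auth protocols the local pppd put in its own (sent) ConfReq packets."""
    return [o[len("auth "):] for d, code, opts in lcp_packets(log)
            if d == "sent" and code == "ConfReq"
            for o in sorted(opts) if o.startswith("auth ")]

if __name__ == "__main__":
    print(first_divergence(ROOT_RUN, NONROOT_RUN))
    print(auth_demanded_of_peer(ROOT_RUN), auth_demanded_of_peer(NONROOT_RUN))
```

On these lines the root run never asks the peer to authenticate, while the non-root run asks for EAP and then CHAP MD5, which matches the later "No CHAP secret found for authenticating HUAWEI_CHAP_CLNT" failure in that log.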
 
Blocking: 845640
Summary: run pppd under shill user instead of allowing it to setuid to root (was: run pppd as its own user that is allowed to setuid to root)
Project Member

Comment 3 by bugdroid1@chromium.org, Jan 3

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/d2d369ff5f7c459eb890bca056e39775aef024ee

commit d2d369ff5f7c459eb890bca056e39775aef024ee
Author: Micah Morton <mortonm@chromium.org>
Date: Thu Jan 03 02:14:08 2019

pppd: run (and stay running) as shill user instead of root

For shill to run pppd as shill:shill instead of root:root, the files
that get installed to /etc/ppp need to be accessible. Also, the first
time around getting pppd to run as non-root we failed to realize that
pppd would eventually regain root privileges through a seteuid call
after opening the serial device. This CL also adds a patch so pppd stops
doing that and will stay running as the shill user.

BUG= chromium:899772 
TEST=emerge-$BOARD ppp and look at /build/$BOARD/etc/ppp. also manual
testing with LTE dongle to see that connectivity works when running
under shill user.

Change-Id: I35bfab52494bd3096af863dd6935d113fe3daa19
Reviewed-on: https://chromium-review.googlesource.com/1376429
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Brian Norris <briannorris@chromium.org>

[add] https://crrev.com/d2d369ff5f7c459eb890bca056e39775aef024ee/net-dialup/ppp/files/ppp-2.4.7-no-regain-root.patch
[rename] https://crrev.com/d2d369ff5f7c459eb890bca056e39775aef024ee/net-dialup/ppp/ppp-2.4.7-r7.ebuild

Project Member

Comment 4 by bugdroid1@chromium.org, Jan 8

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/7de67c52ea7a2815124a2b0f025031709615689a

commit 7de67c52ea7a2815124a2b0f025031709615689a
Author: Micah Morton <mortonm@chromium.org>
Date: Tue Jan 08 09:59:14 2019

shill: drop setuid-to-root whitelist entry

pppd doesn't need to be able to setuid to root once CL:1376429 lands, so
take away this whitelist entry.

CQ-DEPEND=CL:1376429
BUG= chromium:899772 
TEST=manual testing with LTE dongle

Change-Id: I6faaf486930e1fae78f6a1b399cd4abb09543b81
Reviewed-on: https://chromium-review.googlesource.com/1382641
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Ben Chan <benchan@chromium.org>
Reviewed-by: Brian Norris <briannorris@chromium.org>

[modify] https://crrev.com/7de67c52ea7a2815124a2b0f025031709615689a/shill/setuid_restrictions/shill_whitelist.txt

Status: Fixed (was: Untriaged)
Marking this as fixed for now. Will do some manual verification with an LTE dongle.
Status: Verified (was: Fixed)
I verified lulu board running 11546.0.0 could connect to cellular network with the Huawei LTE dongle
Project Member

Comment 7 by bugdroid1@chromium.org, Jan 10

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/autotest/+/bc5833d6280b0c9a4699bd98cb5193bdb333df90

commit bc5833d6280b0c9a4699bd98cb5193bdb333df90
Author: Micah Morton <mortonm@chromium.org>
Date: Thu Jan 10 12:49:53 2019

security_ProcessManagementPolicy: take away shill -> root

As of CL:1382641, shill should no longer be able to setuid to root.

BUG= chromium:899772 
TEST=ran test on latest image without 'root' entry

Change-Id: I7a7f3958aa21e93bec45ee6f14909ba30c6cbe6e
Reviewed-on: https://chromium-review.googlesource.com/1403106
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Allen Webb <allenwebb@google.com>

[modify] https://crrev.com/bc5833d6280b0c9a4699bd98cb5193bdb333df90/client/site_tests/security_ProcessManagementPolicy/security_ProcessManagementPolicy.py
