maemo.org - Talk - Announcing INCEPTION: Deeper access to your N9 [0.1.1]

maemo.org - Talk (https://talk.maemo.org/index.php)

- MeeGo / Harmattan (https://talk.maemo.org/forumdisplay.php?f=45)

- - Announcing INCEPTION: Deeper access to your N9 [0.1.1] (https://talk.maemo.org/showthread.php?t=82835)

Re: Announcing INCEPTION: Deeper access to your N9

it's standart lunux sudo. google, if never worked on linux before.

Re: Announcing INCEPTION: Deeper access to your N9

Quote:

Originally Posted by coderus (Post 1181116)

it's standart lunux sudo. google, if never worked on linux before.

Can I install it with opensh already installed?

Re: Announcing INCEPTION: Deeper access to your N9

Quote:

Originally Posted by Arie (Post 1181209)

Can I install it with opensh already installed?

Yeah.

Note that coderus' sudo is probably not Aegis-aware, so you won't be able to do certain things that you can with opensh, such as run aegisctl. (not sure - correct me if I'm wrong)

Re: Announcing INCEPTION: Deeper access to your N9

Thanks itsnotabigtruck for you Inception project. It made possible to :
- use Easy Debian without flashing open kernel;
- use chroot images with programming languages/tools (gcc/g++, etc);
- run binaries created by gcc/g++ running on Nokia N9.

Re: Announcing INCEPTION: Deeper access to your N9

itsnotabigtruck, of course, it's like just su (devel-su), no extra hacky privileges =)
i made this for making me happy =) everytime using pc i'm using sudo, and when switching to phone ssh i want to use sudo too. devel-su too complicated to type :D
just usinng it for sudo apt-get, sudo dpkg, sudo nano, sudo mc and so on in daily usage =)

but of course, i can inject checking for opensh installing and make sudo work thru opensh or just sh.

Re: Announcing INCEPTION: Deeper access to your N9

So has it brought any Developer any use yet and what?

Re: Announcing INCEPTION: Deeper access to your N9

Muzimak, of course, look into chroot thread.

Re: Announcing INCEPTION: Deeper access to your N9

Quote:

Originally Posted by rcolistete (Post 1181222)

Sounds like Gentoo Prefix is now possible :)

Re: Announcing INCEPTION: Deeper access to your N9

I've noticed a couple of oddities when running an incepted opensh.

First of all, I am unable to run a simple shell script under opensh:

Code:



BusyBox v1.20.0.git (MeeGo 3:1.20-0.1+0m7) built-in shell (ash)

Enter 'help' for a list of built-in commands.



/home/developer $ cat hello.sh

#!/bin/sh



echo Hello world!

/home/developer $ ls -l hello.sh

-rwxr-xr-x    1 user     users           29 Mar 25 02:43 hello.sh

/home/developer $ ./hello.sh

Hello world!

/home/developer $ devel-su -

Password: 





BusyBox v1.20.0.git (MeeGo 3:1.20-0.1+0m7) built-in shell (ash)

Enter 'help' for a list of built-in commands.



mesg: Operation not permitted

RM680-02-6_PR_RM680:~# cd ~developer

RM680-02-6_PR_RM680:/home/developer# accli -I | grep -v IMEI

Current mode: normal

Credentials:

        UID::root

        GID::root

        GRP::root

        GRP::adm

        GRP::dialout

        GRP::pulse-access

RM680-02-6_PR_RM680:/home/developer# ./hello.sh

Hello world!

RM680-02-6_PR_RM680:/home/developer# develsh





BusyBox v1.20.0.git (MeeGo 3:1.20-0.1+0m7) built-in shell (ash)

Enter 'help' for a list of built-in commands.



RM680-02-6_PR_RM680:/home/developer# accli -I | grep -v IMEI

Current mode: normal

Credentials:

        UID::root

        GID::root

        CAP::chown

        CAP::dac_read_search

        CAP::fowner

        CAP::fsetid

        CAP::kill

        CAP::linux_immutable

        CAP::net_bind_service

        CAP::net_broadcast

        CAP::net_admin

        CAP::net_raw

        CAP::ipc_lock

        CAP::ipc_owner

        CAP::sys_chroot

        CAP::sys_ptrace

        CAP::sys_pacct

        CAP::sys_boot

        CAP::sys_nice

        CAP::sys_resource

        CAP::sys_time

        CAP::sys_tty_config

        CAP::lease

        CAP::audit_write

        CAP::audit_control

        CAP::setfcap

        GRP::root

        GRP::dialout

        GRP::video

        GRP::pulse-access

        GRP::users

        GRP::metadata-users

        GRP::calendar

        AID::.develsh.

        tracker::tracker-extract-access

        tracker::tracker-miner-fs-access

        libaccounts-noa::accesssvt

        package-manager::packagemanager_limited

        package-manager::packagemanager_private

        icd2::icd2-plugin

        Cellular

        TrackerReadAccess

        TrackerWriteAccess

        Location

        FacebookSocial

        develsh::develsh

RM680-02-6_PR_RM680:/home/developer# ./hello.sh

Hello world!

RM680-02-6_PR_RM680:/home/developer# exit

RM680-02-6_PR_RM680:/home/developer# opensh





BusyBox v1.20.0.git (MeeGo 3:1.20-0.1+0m7) built-in shell (ash)

Enter 'help' for a list of built-in commands.



RM680-02-6_PR_RM680:/home/developer# accli -I | grep -v IMEI

Current mode: normal

Credentials:

        UID::root

        GID::root

        CAP::chown

        CAP::dac_override

        CAP::dac_read_search

        CAP::fowner

        CAP::fsetid

        CAP::kill

        CAP::setgid

        CAP::setuid

        CAP::linux_immutable

        CAP::net_bind_service

        CAP::net_broadcast

        CAP::net_admin

        CAP::net_raw

        CAP::ipc_lock

        CAP::ipc_owner

        CAP::sys_module

        CAP::sys_rawio

        CAP::sys_chroot

        CAP::sys_ptrace

        CAP::sys_pacct

        CAP::sys_admin

        CAP::sys_boot

        CAP::sys_nice

        CAP::sys_resource

        CAP::sys_time

        CAP::sys_tty_config

        CAP::mknod

        CAP::lease

        CAP::audit_write

        CAP::audit_control

        CAP::setfcap

        CAP::mac_override

        CAP::mac_admin

        GRP::root

        GRP::daemon

        GRP::bin

        GRP::sys

        GRP::adm

        GRP::tty

        GRP::disk

        GRP::lp

        GRP::mail

        GRP::news

        GRP::uucp

        GRP::man

        GRP::proxy

        GRP::kmem

        GRP::dialout

        GRP::fax

        GRP::voice

        GRP::cdrom

        GRP::floppy

        GRP::tape

        GRP::sudo

        GRP::audio

        GRP::dip

        GRP::www-data

        GRP::backup

        GRP::operator

        GRP::list

        GRP::irc

        GRP::src

        GRP::gnats

        GRP::shadow

        GRP::utmp

        GRP::video

        GRP::sasl

        GRP::plugdev

        GRP::staff

        GRP::games

        GRP::libuuid

        GRP::pulse

        GRP::pulse-access

        GRP::pulse-rt

        GRP::cal

        GRP::users

        GRP::input

        GRP::i2c

        GRP::adc

        GRP::upstart

        GRP::crypto

        GRP::metadata-users

        GRP::phonet

        GRP::csd

        GRP::messagebus

        GRP::acm

        GRP::gallerycoredata-users

        GRP::signon

        GRP::osa

        GRP::calendar

        GRP::libaccounts-noa

        GRP::lpm

        GRP::visualreminder

        GRP::location

        GRP::nfc

        GRP::slpgwd

        GRP::haldaemon

        GRP::powerdev

        GRP::developer

        GRP::ssh

        GRP::spool

        GRP::nogroup

        tcb

        libbb5-secbins::SEE_CCCWrite

        libbb5-secbins::SEE_DBIWrite

        libbb5-secbins::SEE_HWCWrite

        libbb5-secbins::SEE_NPCWrite

        libbb5-secbins::SEE_SecStorageMaintenance

        libbb5-secbins::SEE_SuperDongleWrite

        libbb5-secbins::SEE_SuperDongleOperation

        libbb5-secbins::SEE_SimLock3Write

        libbb5-secbins::SEE_SimLock3Operation

        libbb5-secbins::SEE_TerminalResponce

        libbb5-secbins::SEE_DeviceLockControl

        aegis-enabler::tcb-sign

        tracker::tracker-extract-access

        tracker::tracker-miner-fs-access

        libaccounts-noa::accesssvt

        package-manager::packagemanager_limited

        package-manager::packagemanager_private

        icd2::icd2-plugin

        Cellular

        TrackerReadAccess

        TrackerWriteAccess

        Location

        FacebookSocial

        csd-base::csd-plugin

        mce::CallStateControl

        mce::DeviceModeControl

        mce::LEDControl

        mce::TKLockControl

        mce::SensorControl

        dsme::DeviceStateControl

        usb-moded::usb-moded-dbus-bind

        usb-moded::USBControl

        aegisfs::AegisFSMountAdd

        aegisfs::aegisfs-verify

        timed::TimeControl

        timed::TimeBackup

        timed::TimedEventQueueWrite

        bme::BatteryControl

        phonet-at::acm-plugin

        applauncherd-launcher::access

        libaccounts-glib0::accounts-glib-access

        libaccounts-glib0::t

        libaccounts-glib0::tok

        smartsearch::RelevanceAllContentTypes

        signond::keychain-access

        signond::ssoProtectedWriteAccess

        signond::ssoProtectedReadAccess

        account-plugin-ovi::noaaccess

        account-plugin-ovi::sso-encryption-token

        caldav-plugin::access

        account-plugin-caldav::sso-encryption-token

        account-plugin-caldav::caldav-access

        account-plugin-facebook::sso-encryption-token

        account-plugin-facebook::access-control

        account-plugin-flickr::flickr-access

        account-plugin-google::sso-encryption-token

        account-plugin-google::access-control

        account-plugin-sip::sso-encryption-token

        account-plugin-sip::access-control

        account-plugin-twitter::sso-encryption-token

        account-plugin-twitter::access-control

        account-plugin-youtube::sso-encryption-token

        account-plugin-youtube::access-control

        aegis-certman-common-ca::CertCACommonAdd

        aegis-certman-common-ca::CertCAGlobalCodeSignAdd

        aegis-certman-common-ca::CertCASSLAdd

        aegis-certman-common-ca::CertCAWifiAdd

        aegis-certman-common-ca::CertCASMIMEAdd

        aegis-certman-common-ca::CertCACodeSignAdd

        aegis-certman-common-ca::CertUserSSLUse

        aegis-certman-common-ca::CertUserWifiUse

        aegis-certman-common-ca::CertUserSMIMEUse

        aegis-certman-common-ca::CertCACodeSignUse

        devicelock::ProvisioningSettings_PasswordForceChange

        devicelock::ProvisioningSettings_MinimalDeviceWipeTypeRequired

        devicelock::ProvisioningSettings_RnD_additional_Debug

        devicelock::DeviceLock_SetPassword

        devicelock::DeviceLockServiceOwn

        devicelock::DeviceLockStorageAccess

        devicelock::State_Unlocked

        devicelock::State_Locked

        devicelock::State_WipeMMC

        devicelock::State_Inhibit

        devicelock::DeviceLockControl

        devicelock::SSO_Exchange

        backup-framework::backup

        libaegis-session::aegis-session-data

        clean-device::CUDOrRFS

        system-ui-screenlock-nokia::ScreenLockEventPublish

        call-ui::call-ui

        duicontrolpanel-certificatesapplet::encryptedDBusMessages

        facebookqml::facebook-token

        mfe-account-ui-plugins::mfe-access

        mfe-account-ui-plugins::sso-encryption-token

        mms-manager::MmsProtectedWriteAccess

        mms-manager::MmsProtectedReadAccess

        mms-manager::MmsWorkerAccess

        libodnp::odnp

        libslpgw::slpgw

        location-ui::location-ui

        messaging-ui::messaging-ui

        ope-service0::OpeWapUtilAccess

        positioningd::LocationControl

        odnp-fpcd::odnp-fpcd

        signon-default-key-extension::key-storage

        signon-ui::signond-access

        telepathy-sasl-signon::sso-encryption-token

        telepathy-spirit::telepathy-spirit

        grob::grob-access

        grob::sso-encryption-token

        groovem-account-ui-plugins::groovem-access

        groovem-account-ui-plugins::sso-encryption-token

        nfcd::ui-agent

        nfcd::tool

        omb0::omb-communication

        npe-maemo0::LocationFW

        opensh::opensh

        SRC::com.nokia.maemo/local

        AID::com.nokia.maemo/local.opensh.

        account-plugin-skype::skype-access

        account-plugin-skype::sso-encryption-token

RM680-02-6_PR_RM680:/home/developer# ./hello.sh

sh: ./hello.sh: Operation not permitted

As you can see, it works fine as a regular user, as regular root user and also under a develsh shell but not under an opensh shell.

The following was written to dmesg. I hope someone can make more sense of this then I can.

Code:

[68900.679321] credp: sh: credential 0::1 not present in source SRC::9990005

[68900.679382] credp: sh: credential 0::6 not present in source SRC::9990005

[68900.679412] credp: sh: credential 0::7 not present in source SRC::9990005

[68900.679443] credp: sh: credential 0::16 not present in source SRC::9990005

[68900.679504] credp: sh: credential 0::17 not present in source SRC::9990005

[68900.679534] credp: sh: credential 0::21 not present in source SRC::9990005

[68900.679565] credp: sh: credential 0::27 not present in source SRC::9990005

[68900.679595] credp: sh: credential 0::32 not present in source SRC::9990005

[68900.679626] credp: sh: credential 0::33 not present in source SRC::9990005

[68900.679656] credp: sh: credential 3::9990209 not present in source SRC::9990005

[68900.679687] credp: sh: credential 3::9990210 not present in source SRC::9990005

[68900.679718] credp: sh: credential 3::9990211 not present in source SRC::9990005

[68900.679748] credp: sh: credential 3::9990212 not present in source SRC::9990005

[68900.679809] credp: sh: credential 3::9990213 not present in source SRC::9990005

[68900.679840] credp: sh: credential 3::9990214 not present in source SRC::9990005

[68900.679870] credp: sh: credential 3::9990215 not present in source SRC::9990005

[68900.679901] credp: sh: credential 3::9990216 not present in source SRC::9990005

[68900.679931] credp: sh: credential 3::9990217 not present in source SRC::9990005

[68900.679962] credp: sh: credential 3::9990218 not present in source SRC::9990005

[68900.679992] credp: sh: credential 3::9990219 not present in source SRC::9990005

[68900.680023] credp: sh: credential 3::9990223 not present in source SRC::9990005

[68900.680084] credp: sh: credential 3::9990001 not present in source SRC::9990005

[68900.680114] credp: sh: credential 3::9990248 not present in source SRC::9990005

[68900.680145] credp: sh: credential 3::9990283 not present in source SRC::9990005

[68900.680175] credp: sh: credential 3::9990445 not present in source SRC::9990005

[68900.680206] Aegis: credp_kcheck failed 9990005 hello.sh

[68900.680236] Aegis: hello.sh verification failed (source origin check)

[68900.696838] init: bme main process (5707) killed by KILL signal

[68900.698242] init: bme main process ended, respawning

It does run fine under opensh if I disable Aegis with "aegistl -s" as you might expect. I would be interested to know if anyone else is experiencing this behaviour either when using opensh via Inception or an open-mode kernel.

Re: Announcing INCEPTION: Deeper access to your N9

The second thing I discovered was that it is actually possible to run an incepted opensh shell as a regular user and gain full root privileges without needing to supply a root password!

Code:

~ $ /usr/sbin/aegisctl

+esdrtxk,-az

~ $ accli -I | grep -v IMEI

Current mode: normal

Credentials:

        UID::user

        GID::users

        GRP::adm

        GRP::dialout

        GRP::pulse-access

        GRP::users

~ $ opensh





BusyBox v1.20.0.git (MeeGo 3:1.20-0.1+0m7) built-in shell (ash)

Enter 'help' for a list of built-in commands.



/home/user # id -un

root

/home/user # id -unr

root

/home/user # accli -I | grep -v IMEI

Current mode: normal

Credentials:

        UID::root

        GID::root

        CAP::chown

        CAP::dac_override

        CAP::dac_read_search

        CAP::fowner

        CAP::fsetid

        CAP::kill

        CAP::setgid

        CAP::setuid

        CAP::linux_immutable

        CAP::net_bind_service

        CAP::net_broadcast

        CAP::net_admin

        CAP::net_raw

        CAP::ipc_lock

        CAP::ipc_owner

        CAP::sys_module

        CAP::sys_rawio

        CAP::sys_chroot

        CAP::sys_ptrace

        CAP::sys_pacct

        CAP::sys_admin

        CAP::sys_boot

        CAP::sys_nice

        CAP::sys_resource

        CAP::sys_time

        CAP::sys_tty_config

        CAP::mknod

        CAP::lease

        CAP::audit_write

        CAP::audit_control

        CAP::setfcap

        CAP::mac_override

        CAP::mac_admin

        GRP::root

        GRP::daemon

        GRP::bin

        GRP::sys

        GRP::adm

        GRP::tty

        GRP::disk

        GRP::lp

        GRP::mail

        GRP::news

        GRP::uucp

        GRP::man

        GRP::proxy

        GRP::kmem

        GRP::dialout

        GRP::fax

        GRP::voice

        GRP::cdrom

        GRP::floppy

        GRP::tape

        GRP::sudo

        GRP::audio

        GRP::dip

        GRP::www-data

        GRP::backup

        GRP::operator

        GRP::list

        GRP::irc

        GRP::src

        GRP::gnats

        GRP::shadow

        GRP::utmp

        GRP::video

        GRP::sasl

        GRP::plugdev

        GRP::staff

        GRP::games

        GRP::libuuid

        GRP::pulse

        GRP::pulse-access

        GRP::pulse-rt

        GRP::cal

        GRP::users

        GRP::input

        GRP::i2c

        GRP::adc

        GRP::upstart

        GRP::crypto

        GRP::metadata-users

        GRP::phonet

        GRP::csd

        GRP::messagebus

        GRP::acm

        GRP::gallerycoredata-users

        GRP::signon

        GRP::osa

        GRP::calendar

        GRP::libaccounts-noa

        GRP::lpm

        GRP::visualreminder

        GRP::location

        GRP::nfc

        GRP::slpgwd

        GRP::haldaemon

        GRP::powerdev

        GRP::developer

        GRP::ssh

        GRP::spool

        GRP::nogroup

        tcb

        libbb5-secbins::SEE_CCCWrite

        libbb5-secbins::SEE_DBIWrite

        libbb5-secbins::SEE_HWCWrite

        libbb5-secbins::SEE_NPCWrite

        libbb5-secbins::SEE_SecStorageMaintenance

        libbb5-secbins::SEE_SuperDongleWrite

        libbb5-secbins::SEE_SuperDongleOperation

        libbb5-secbins::SEE_SimLock3Write

        libbb5-secbins::SEE_SimLock3Operation

        libbb5-secbins::SEE_TerminalResponce

        libbb5-secbins::SEE_DeviceLockControl

        aegis-enabler::tcb-sign

        tracker::tracker-extract-access

        tracker::tracker-miner-fs-access

        libaccounts-noa::accesssvt

        package-manager::packagemanager_limited

        package-manager::packagemanager_private

        icd2::icd2-plugin

        Cellular

        TrackerReadAccess

        TrackerWriteAccess

        Location

        FacebookSocial

        csd-base::csd-plugin

        mce::CallStateControl

        mce::DeviceModeControl

        mce::LEDControl

        mce::TKLockControl

        mce::SensorControl

        dsme::DeviceStateControl

        usb-moded::usb-moded-dbus-bind

        usb-moded::USBControl

        aegisfs::AegisFSMountAdd

        aegisfs::aegisfs-verify

        timed::TimeControl

        timed::TimeBackup

        timed::TimedEventQueueWrite

        bme::BatteryControl

        phonet-at::acm-plugin

        applauncherd-launcher::access

        libaccounts-glib0::accounts-glib-access

        libaccounts-glib0::t

        libaccounts-glib0::tok

        smartsearch::RelevanceAllContentTypes

        signond::keychain-access

        signond::ssoProtectedWriteAccess

        signond::ssoProtectedReadAccess

        account-plugin-ovi::noaaccess

        account-plugin-ovi::sso-encryption-token

        caldav-plugin::access

        account-plugin-caldav::sso-encryption-token

        account-plugin-caldav::caldav-access

        account-plugin-facebook::sso-encryption-token

        account-plugin-facebook::access-control

        account-plugin-flickr::flickr-access

        account-plugin-google::sso-encryption-token

        account-plugin-google::access-control

        account-plugin-sip::sso-encryption-token

        account-plugin-sip::access-control

        account-plugin-twitter::sso-encryption-token

        account-plugin-twitter::access-control

        account-plugin-youtube::sso-encryption-token

        account-plugin-youtube::access-control

        aegis-certman-common-ca::CertCACommonAdd

        aegis-certman-common-ca::CertCAGlobalCodeSignAdd

        aegis-certman-common-ca::CertCASSLAdd

        aegis-certman-common-ca::CertCAWifiAdd

        aegis-certman-common-ca::CertCASMIMEAdd

        aegis-certman-common-ca::CertCACodeSignAdd

        aegis-certman-common-ca::CertUserSSLUse

        aegis-certman-common-ca::CertUserWifiUse

        aegis-certman-common-ca::CertUserSMIMEUse

        aegis-certman-common-ca::CertCACodeSignUse

        devicelock::ProvisioningSettings_PasswordForceChange

        devicelock::ProvisioningSettings_MinimalDeviceWipeTypeRequired

        devicelock::ProvisioningSettings_RnD_additional_Debug

        devicelock::DeviceLock_SetPassword

        devicelock::DeviceLockServiceOwn

        devicelock::DeviceLockStorageAccess

        devicelock::State_Unlocked

        devicelock::State_Locked

        devicelock::State_WipeMMC

        devicelock::State_Inhibit

        devicelock::DeviceLockControl

        devicelock::SSO_Exchange

        backup-framework::backup

        libaegis-session::aegis-session-data

        clean-device::CUDOrRFS

        system-ui-screenlock-nokia::ScreenLockEventPublish

        call-ui::call-ui

        duicontrolpanel-certificatesapplet::encryptedDBusMessages

        facebookqml::facebook-token

        mfe-account-ui-plugins::mfe-access

        mfe-account-ui-plugins::sso-encryption-token

        mms-manager::MmsProtectedWriteAccess

        mms-manager::MmsProtectedReadAccess

        mms-manager::MmsWorkerAccess

        libodnp::odnp

        libslpgw::slpgw

        location-ui::location-ui

        messaging-ui::messaging-ui

        ope-service0::OpeWapUtilAccess

        positioningd::LocationControl

        odnp-fpcd::odnp-fpcd

        signon-default-key-extension::key-storage

        signon-ui::signond-access

        telepathy-sasl-signon::sso-encryption-token

        telepathy-spirit::telepathy-spirit

        grob::grob-access

        grob::sso-encryption-token

        groovem-account-ui-plugins::groovem-access

        groovem-account-ui-plugins::sso-encryption-token

        nfcd::ui-agent

        nfcd::tool

        omb0::omb-communication

        npe-maemo0::LocationFW

        opensh::opensh

        SRC::com.nokia.maemo/local

        AID::com.nokia.maemo/local.opensh.

        account-plugin-skype::skype-access

        account-plugin-skype::sso-encryption-token

This is obviously a huge security hole. I'd also like know if this problem occurs when running opensh under an open-mode kernel.

I suggest that anyone using an incepted opensh locks down both /bin/opensh and /bin/open-sh executables with 700 permissions until this is sorted.