Posts: 5 | Thanked: 4 times | Joined on Dec 2013 @ Finland
#1
Hi

I'm trying to make an icon to start mosh and screen -rD. With ssh everything works by making the file /usr/share/applications/irssi.desktop

Code:
[Desktop Entry]
Type=Application
Name=Irssi
Exec=fingerterm -e "ssh user@server -t screen -rDU"
Icon=icon-l-terminal

Mosh works perfectly from the command line after I installed it with these instructions.

Trying the icon thing with mosh gives me an error
Insecure $ENV{PATH} while running setgid at /usr/bin/mosh line 204.

Asking around IRC (#jollamobile and #mosh) didn't give me much new information. I actually know nothing about this setgid thing so I'm quite lost. Here's a clip of the log from #mosh. Maybe someone here can help?

Code:
22:18 < micko_> Hi, I'm trying to make a mosh-screen shortcut on Jolla using fingerterm.
22:18 < micko_> I get an error: "Insecure $ENV{PATH} while running setgid at /usr/bin/mosh line 204."
22:18 < micko_> any ideas how to fix that?
22:19 < ddrown> your /usr/bin/mosh is setgid?
22:21 < micko_> how can I know that?
22:23 < ddrown> ls -l /usr/bin/mosh
22:24 < ddrown> looking for the permission strings, might look like: '-rwxr-sr-x'
22:24 < micko_> -rwxr-xr-x
22:25 < ddrown> ok, what is it using for the path (first line), "#!/usr/bin/env perl"?
22:25 < micko_> #!/usr/bin/env perl
22:25 < ddrown> ok, are /usr/bin/env or perl setgid?
22:26 < micko_> no
22:26 < ddrown> ok, how about fingerterm?
22:27 < ddrown> the command "id" might tell you that
22:28 < micko_> permissions on fingerterm has no s either, but what am I supposed to look with id?
22:29 < ddrown> hm. how about this:
22:29 < ddrown> perl -e 'print "R=$) E=$(\n"'
22:29 < ddrown> should print your real and effective gids  
22:30 < micko_> R=0 39 100 994 995 996 999 1000 1002 1003 1004 1005 1006 1024 100000 E=0 39 100 994 995 996 999 1000 1002 1003 1004 1005 1006 1024 100000
22:32 < ddrown> hm
22:34 < ddrown> well, that looks right
22:35 < ddrown> you can try throwing that print statement in /usr/bin/mosh to see if it's running under a different environment 
22:35 < ddrown> a workaround would be setting $ENV{PATH} before line 204
22:35 < ddrown> but I don't understand why perl thinks its setgid
22:39 < micko_> I'll try setting that. And I'll ask sailfish developers about that as well. they had no idea about that error on #jollamobile when I asked
22:39 < micko_> thanks
22:56 < micko_> setting the path lead to new problems
22:57 < micko_> but the print statement gave different numbers
22:57 < micko_> there were R=998.... and E=100000...
22:57 < micko_> rest of the numbers are the same
23:00 < ddrown> ok, there's something wierd with how that works
23:13 < KeithW> Mosh on Jolla! Cool.
23:21 < micko_> here's where I installed it from http://blog.ruecker.fi/2013/12/01/mosh-for-sailfish/
23:22 < KeithW> I'm guessing that guy will know more than anybody here what the issue is with setgid.
23:22 < KeithW> Maybe it has to do with Jolla's security model, but I'm really just guessing.
23:24 < micko_> weird is that when I open fingerterm command line and type mosh user@server it works perfectly
23:25 < micko_> but when I try to open fingerterm with switch -e "mosh user@server" it doesn't
23:30 < ddrown> what is "switch"?
23:31 < ddrown> I'm guessing it's a setgid command line tool
23:32 < micko_> I meaned the -e switch
23:33 < micko_> Exec=fingerterm -e "mosh mhjlai@ellipsis.fi"
23:33 < ddrown> ah
23:36 < KeithW> Maybe fingerterm is setgid something because it wants to twiddle utmp, and it somehow passes this on to programs it runs?
23:36 < KeithW> Maybe not fingerterm itself, but some tty helper? I'm guessing here.
23:36 < KeithW> Anyway, it seems like a bug.
23:37 < ddrown> figuring out what group id 998 is used for would be a good start in answering why
23:37 < micko_> the group 998 is "privileged"

If I understood correctly, the problem is with the users and groups Sailfish uses (nemo and privileged).
 
Posts: 388 | Thanked: 1,340 times | Joined on Nov 2007 @ Finland
#2
The problem is that the mosh process inherits inconsistent real and effective groups when it is started. Mosh seems to be written in the Perl scripting language, and Perl has some inbuilt security protection features for dangerous practices. The inconsistency is triggering one of those protection features.

Normally the real and effective user ids or group ids are the same, but for example when a program wants to get some extra privileges it can request those by utilizing the set-user-id or set-group-id flags on the executable file. Another common case is that the process is already privileged, like a process owned by root, and it wants to drop its privileges with setuid() and setgid() calls.

It might be that the caller of fingerterm or one of its parents has a bug, in that it isn't properly setting the real and the effective groups for its children.

Another possibility is that somewhere a set-user-id and/or set-group-id executable is executed that changes the groups of the process. It seems that you couldn't find one based on the log. I also couldn't find any other than screen, but screen is run on the remote host, not on the Jolla, so it shouldn't affect this.

BTW does it help if you change the line as:

Exec=fingerterm -e "bash -c 'mosh user@server -t screen -rDU'"

In some cases bash will drop all the extra privileges it possibly gets, so I'm wondering if you can manage to trigger that security feature with the "-c" option as well.
 
Posts: 388 | Thanked: 1,340 times | Joined on Nov 2007 @ Finland
#3
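Another thing you could try to temporarily work around the problem: after the #! line in mosh, insert the line:

$( = $)+0;

Or if that doesn't help, then maybe writing a wrapper like this:

#!/usr/bin/perl
# Set the real gid to the (numeric) effective gid before starting mosh.
$( = $)+0;
# Single quotes: inside double quotes Perl would interpolate @server as an array.
exec "/usr/bin/mosh", 'user@server', "-t", "screen -rDU";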
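
Added example, not part of the original posts and not code from mosh or from Perl's source: a simplified C model of the real/effective id mismatch discussed in this thread, of perlsec's rule for a PATH value under taint mode, and of the launcher-side fix that corresponds to `$( = $)+0;`. The function names `taint_reason`, `path_is_safe` and `align_real_gid` are made up for this illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* for setregid() under strict -std modes */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Model of the condition behind the error text: returns the suffix Perl
 * appends, or NULL when the ids match and taint mode is not forced. */
const char *taint_reason(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid) {
    if (ruid != euid) return "while running setuid";
    if (rgid != egid) return "while running setgid";
    return NULL;
}

/* perlsec's rule for a PATH the script assigns under taint mode: every
 * directory absolute and not writable by others. Empty entries (= current
 * directory) are rejected here too; an inherited PATH is always tainted. */
int path_is_safe(const char *path) {
    char dir[4096];
    for (const char *p = path;;) {
        size_t n = strcspn(p, ":");
        struct stat st;
        if (n == 0 || n >= sizeof dir || p[0] != '/') return 0;
        memcpy(dir, p, n);
        dir[n] = '\0';
        if (stat(dir, &st) == 0 && (st.st_mode & S_IWOTH)) return 0;
        if (p[n] == '\0') return 1;
        p += n + 1;
    }
}

/* Launcher-side fix: make the real gid equal the effective gid before
 * exec, the C counterpart of the thread's `$( = $)+0;`. 0 on success. */
int align_real_gid(void) {
    gid_t e = getegid();
    return setregid(e, e);
}

int main(void) {
    const char *why = taint_reason(getuid(), geteuid(), getgid(), getegid());
    const char *path = getenv("PATH");
    printf("perl taint mode forced: %s\n", why ? why : "no");
    printf("PATH value usable if assigned in-script: %s\n",
           path && path_is_safe(path) ? "yes" : "no");
    return 0;
}
```

With the ids from the log (real gid 998, effective gid 100000), `taint_reason` returns the "while running setgid" suffix seen in the error message.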