Active Topics

 


Reply
Thread Tools
Posts: 1,808 | Thanked: 4,272 times | Joined on Feb 2011 @ Germany
#11
Originally Posted by sulu View Post
Just download all the source packages and grep them for 'sudo'.
stupid but effective
Yup. Alternatively, "one" could implement a drop-in replacement for sudo which offers a graphical front-end if X is running. I would even go as far as configuring it with a different /etc/sudoers (like /etc/sudoers.mine) to prevent packages randomly adding themselves without asking.

I know, this is Maemo, which is like the wild west ..
.. but you know, this is Maemo, the user must have absolute control over the system.
 

The Following 5 Users Say Thank You to reinob For This Useful Post:
Posts: 2,290 | Thanked: 4,134 times | Joined on Apr 2010 @ UK
#12
If anything I would say things that could be easily fixed are repairing packages that depend on rootsh or sudser, as a priority.
Long term I would like to see a more secure root in Maemo, thanks for your work MT.
FWIW I have modified my system to prompt for a root password in a terminal.
__________________

Wiki Admin
sixwheeledbeast's wiki
Testing Squad Subscriber
- mcallerx - tenminutecore - FlopSwap - Qnotted - zzztop - Bander - Fight2048 -


Before posting or starting a thread please try this.
 

The Following 6 Users Say Thank You to sixwheeledbeast For This Useful Post:
Posts: 2,225 | Thanked: 3,822 times | Joined on Jun 2010 @ Florida
#13
Originally Posted by sulu View Post
Nice tutorial!

Just one suggestion:
If you have a pre/postinst script that changes files that do not belong to your package, please also include a pre/postrm script that (optionally) restores their original condition!

I know this can be tricky at times, e.g. when two packages alter the same file but aren't installed/removed in a LIFO manner. But one should at least try by making a simple backup of the files one found during the installation or (maybe) better reversing the sed command.

Not taking care of what happens after your packages are removed usually results in a mess and in my opinion this is one of Maemo's main problems.
Code:
#!/bin/sh
sed '
/^root ALL = (ALL) NOPASSWD: ALL$/ d
/^user ALL = (ALL) PASSWD: ALL$/ d
6 i user = NOPASSWD: /usr/sbin/gainroot
' /etc/sudoers.d/01sudo
update-sudoers
That should do it. Run as root manually or include in your package as the prerm/postrm script. I think that's better/cleaner than leaving a backup file lying around, which may be out of date by the time you remove the package. This should just remove the two exact-match lines the original file had added with my example script, and add the original gainroot-allowing line back in, at the same spot where it originally was (unless new lines were added since then to the start of the file).

As for why I didn't originally include this: In general, I completely agree with you. For this particular example, however, my goal was to get myself root - I don't intend on ever taking this root-ness away from myself, and the .deb package is, in this case, just a means to an end - in my mind it's a one-off-manual-tweak-in-the-form-of-a-package, not a true package. And tbh in my mind this is like applying a bugfix to a system package.
__________________
If you want to donate in support of anything that I do, you can do so with either of these options:
PayPal | Bitcoin: 1J4XG2z97iFEKNZXThHdFHq6AeyWEHs8BJ | [Will add other donation options eventually]
 

The Following 3 Users Say Thank You to Mentalist Traceur For This Useful Post:
Posts: 2,225 | Thanked: 3,822 times | Joined on Jun 2010 @ Florida
#14
Originally Posted by reinob View Post
HAM uses /etc/sudoers.d/hildon-application-manager.sudoers, which allows passwordless sudo for apt-worker (as well as for hildon-application-manager-util to handle repositories).

So no setuid here. If you force a password then I suppose HAM will just stop working because sudo will ask for a password without having a terminal for I/O. I suppose we could install some sort of graphical sudo ("gksudo" or whatever) and patch HAM to use it instead of "sudo apt-worker"..
Originally Posted by reinob View Post
Yup. Alternatively, "one" could implement a drop-in replacement for sudo which offers a graphical front-end if X is running. I would even go as far as configuring it with a different /etc/sudoers (like /etc/sudoers.mine) to prevent packages randomly adding themselves without asking.

I know, this is Maemo, which is like the wild west ..
.. but you know, this is Maemo, the user must have absolute control over the system.
Instead of patching HAM to call another program, or replacing sudo, I think it's better if we just install a more proper sudo that has askpass support, then have something in the desktop initialization set the SUDO_ASKPASS environment variable. Admittedly, I think the invokers may need to invoke sudo with the '-A' flag: I'm not sure if sudo has pty detection built-in to know when to assume it needs to run an askpass program, which would allow it to do so without being called with the -A flag. But if the '-A' flag is required, then patching of HAM, etc, would be required too.

Incidentally, the latest GCC 4.6 and dependencies in the maemo repos + CSSU-Testing (which recently updated libc6 a little) lets us build a perfectly working sudo from the latest stable branch with askpass support, and we have at least one working askpass implementation ssh-askpass in the repos (though a properly hildon-ized askpass UI would be much nicer). (I also have a shell-script based askpass that pops open a terminal to get the password, but that one uses a named pipe to move the password between the launching script and the one running in the launched terminal, and I'm not confident it's secure enough (or ever could be, given the limitations of that approach).)
__________________
If you want to donate in support of anything that I do, you can do so with either of these options:
PayPal | Bitcoin: 1J4XG2z97iFEKNZXThHdFHq6AeyWEHs8BJ | [Will add other donation options eventually]

Last edited by Mentalist Traceur; 2015-01-23 at 06:42.
 

The Following 3 Users Say Thank You to Mentalist Traceur For This Useful Post:
Posts: 2,225 | Thanked: 3,822 times | Joined on Jun 2010 @ Florida
#15
Originally Posted by sulu View Post
Just download all the source packages and grep them for 'sudo'.
stupid but effective
Or, if you don't mind burning time and battery juice on one of your N900s, you can run something like this on the N900 itself:
Code:
# find / -xdev -exec fgrep -H sudo {} +
# find /home -xdev -exec fgrep -H sudo {} +
(if you've got find symlinked to GNU's find instead of busybox's, depending on the version, the '+' may not be recognized, in which case you may have to settle for the much slower '\;' - not sure when GNU's find gained support for that '+' syntax...)
__________________
If you want to donate in support of anything that I do, you can do so with either of these options:
PayPal | Bitcoin: 1J4XG2z97iFEKNZXThHdFHq6AeyWEHs8BJ | [Will add other donation options eventually]

Last edited by Mentalist Traceur; 2015-01-23 at 07:41. Reason: Clarifications of wording
 

The Following 3 Users Say Thank You to Mentalist Traceur For This Useful Post:
Posts: 2,225 | Thanked: 3,822 times | Joined on Jun 2010 @ Florida
#16
Oh, by the way, I noticed an issue with my script in post #2, which I have now edited with a better script (the issue is explained in the edit in that page, I just wanted to mention it here because I know new posts get noticed much easier than old edited ones).
__________________
If you want to donate in support of anything that I do, you can do so with either of these options:
PayPal | Bitcoin: 1J4XG2z97iFEKNZXThHdFHq6AeyWEHs8BJ | [Will add other donation options eventually]
 

The Following 2 Users Say Thank You to Mentalist Traceur For This Useful Post:
Posts: 915 | Thanked: 3,209 times | Joined on Jan 2011 @ Germany
#17
Originally Posted by Mentalist Traceur View Post
Or, if you don't mind burning time and battery juice on one of your N900s, you can run something like this on the N900 itself:
Code:
# find / -xdev -exec fgrep -H sudo {} +
# find /home -xdev -exec fgrep -H sudo {} +
That only works for packages installed on YOUR N900 and it's usefulness is kind of limited if run on compiled binary programs instead of scripts.
I was more generally speaking, like searching the whole extras repo.

And I surely wouldn't do this on a six years old single core arm connected to a slow emmc or even slower µSD card guarded by a misbehaving watchdog.
 

The Following 3 Users Say Thank You to sulu For This Useful Post:
Posts: 2,225 | Thanked: 3,822 times | Joined on Jun 2010 @ Florida
#18
Originally Posted by sulu View Post
That only works for packages installed on YOUR N900 and it's usefulness is kind of limited if run on compiled binary programs instead of scripts.
I was more generally speaking, like searching the whole extras repo.
Of course, they're different directions of investigation, with somewhat different end results. But scripting an automated search of every extras package's source would not be a one-liner anyone can immediately run on their own (though admittedly also simple enough), and running it would cost hefty usage of bandwidth for both the person running it and the Maemo infra. I figured my suggestion could be used by users interested in starting the search of their own packages (since that concerns them more). Obviously for binary files they'd have to then dig up the source to investigate further.

Originally Posted by sulu View Post
And I surely wouldn't do this on a six years old single core arm connected to a slow emmc or even slower µSD card guarded by a misbehaving watchdog.
I would've, but then again, I have several N900s so I can afford to launch this on one and let it sit around. Then again, I was running a recursive grep on the /usr folder last night for something while doing something with `setxkbmap -v 10` in another terminal, and that N900 rudely shut down on me without warning when I ran one of those commands, so that may well have been the watchdog flipping out. So, good point.
__________________
If you want to donate in support of anything that I do, you can do so with either of these options:
PayPal | Bitcoin: 1J4XG2z97iFEKNZXThHdFHq6AeyWEHs8BJ | [Will add other donation options eventually]
 

The Following User Says Thank You to Mentalist Traceur For This Useful Post:
Posts: 35 | Thanked: 18 times | Joined on Jun 2010
#19
Hi, I have corrupted my /etc/sudoers file, and of course disable sshd before . Repository system seems out of order too. Now I can not anymore become root (it asks for a password never set). Is there a way for privilege escalation, without reflashing the N900 ?
 
peterleinchen's Avatar
Posts: 4,118 | Thanked: 8,901 times | Joined on Aug 2010 @ Ruhrgebiet, Germany
#20
Not really sure what you messed up or how the config on your device looks like.
But default password may be 'rootme'.

Else here is a link to the rootsh package which can be installed and will give you root access via 'sudo gainroot'
__________________
SIM-Switcher, automated SIM switching with a Double (Dual) SIM adapter
--
Thank you all for voting me into the Community Council 2014-2016!

Please consider your membership / supporting Maemo e.V. and help to spread this by following/copying this link to your TMO signature:
[MC eV] Maemo Community eV membership application, http://talk.maemo.org/showthread.php?t=94257

editsignature, http://talk.maemo.org/profile.php?do=editsignature
 
Reply

Tags
maemo 5, root access


 
Forum Jump


All times are GMT. The time now is 23:05.