GNU Rush - Support: sr #352, Unable to make rush work -...


sr #352: Unable to make rush work - setgroups: Operation not permitted or cannot chroot to /home/user: Operation not permit

Submitted by:  Gary T. Giesen <ggiesen>
Submitted on:  Thu Dec 28 15:48:35 2023  
 
Category: None
Priority: 5 - Normal
Severity: 5 - Normal
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Operating System: None

Sat Dec 30 04:37:31 2023, comment #1:

I figured out what the issue is. It looks like Fedora COPR doesn't allow setting setuid on binaries:

chown: changing ownership of '/builddir/build/BUILDROOT/rush-2.3-2.el8.x86_64/usr/sbin/rush': Operation not permitted
Cannot change /builddir/build/BUILDROOT/rush-2.3-2.el8.x86_64/usr/sbin/rush to setuid root

I had to manually set the SPEC file to install the file with setuid.

Gary T. Giesen <ggiesen>
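The failure in comment #1 explains both errors in the original report: setgroups(2) needs CAP_SETGID and chroot(2) needs CAP_SYS_CHROOT, and a login shell started by sshd as the unprivileged user has neither. GNU Rush therefore has to be installed setuid root, which is exactly what the failed chown/"Cannot change ... to setuid root" step in the COPR build was trying to do; a rush binary that lost that bit runs as the plain user and every rule that touches groups or chroot fails with EPERM. The POSIX sh check below is an added example for this page, not code from the bug report or from GNU Rush itself; it verifies the on-disk layout rush needs (root-owned, set-user-ID bit set) and names the fix. The default path /usr/sbin/rush is an assumption taken from the package paths in comment #1.

```sh
#!/bin/sh
# check_rush_setuid: verify that a rush binary is installed setuid root,
# the layout it needs for setgroups(2)/chroot(2) to succeed.
# Added example for this page; not part of GNU Rush or the bug report.
#
# Usage: check_rush_setuid [PATH]
#   PATH defaults to /usr/sbin/rush (assumed from the paths in comment #1).
# Exit status: 0 = setuid root, 1 = present but not setuid root, 2 = missing.

check_rush_setuid() {
    path=${1:-/usr/sbin/rush}

    if [ ! -f "$path" ]; then
        echo "$path: no such file" >&2
        return 2
    fi

    # Owner is field 3 of `ls -ld`; that output format is POSIX, unlike stat(1).
    # Accept a numeric 0 as well, for hosts without a passwd entry for root.
    owner=$(ls -ld "$path" | awk '{print $3}')
    if [ "$owner" != root ] && [ "$owner" != 0 ]; then
        echo "$path: owned by $owner, not root" >&2
        echo "  fix: chown root $path && chmod 4755 $path" >&2
        return 1
    fi

    # test -u is true when the set-user-ID bit is set on the file.
    if [ ! -u "$path" ]; then
        echo "$path: not setuid; setgroups/chroot will fail with EPERM" >&2
        echo "  fix: chmod 4755 $path" >&2
        return 1
    fi

    echo "$path: setuid root, OK"
    return 0
}

# Run the check when a path is given on the command line, e.g.
#   sh check_rush_setuid.sh /usr/sbin/rush
if [ $# -gt 0 ]; then
    check_rush_setuid "$1"
fi
```

When building an RPM, the standard way to get this layout without a privileged `make install` is to declare the mode and owner in the spec's `%files` section, `%attr(4755,root,root) %{_sbindir}/rush`, so that rpm applies them at package install time; comment #1 does not show the exact line the reporter used, so treat that as the general mechanism rather than the reporter's change. Note that `test -u` only reports the bit on the inode: if the filesystem is mounted `nosuid`, the bit is present but ignored, and rush will still fail the same way.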
Thu Dec 28 15:48:35 2023, original submission:

I am attempting to run Rush on AlmaLinux 9.3 for the first time and, depending on the configuration, I receive `setgroups: Operation not permitted` or `cannot chroot to /home/user: Operation not permitted`.

I've tried with SELinux disabled as well, with the same result.

Configuration:

```
rush 2.0

global
# Set verbosity level.
debug 3

rule default
limits t10r20
umask 002
clrenv
keepenv USER LOGNAME HOME PATH
setenv PATH="$PATH:/usr/local/bin"
fall-through

# Sftp-server requests: chroot into the user's home directory, set umask
# 002 and execute bin/sftp-server.
rule sftp
match $command ~ "^.*/sftp-server"
```

Also tried with chroot:

```
rush 2.0

global
# Set verbosity level.
debug 3

rule default
limits t10r20
umask 002
clrenv
keepenv USER LOGNAME HOME PATH
setenv PATH="$PATH:/usr/local/bin"
fall-through

# Sftp-server requests: chroot into the user's home directory, set umask
# 002 and execute bin/sftp-server.
rule sftp
match $program ~ "^.*/sftp-server"
set [0] = "bin/sftp-server"
umask 002
chroot "~"
chdir "/"
```

Logs from /var/log/secure:

```
Dec 28 15:37:41 host rush[1469733]: Command line:
Dec 28 15:37:41 host rush[1469733]: 0: rush
Dec 28 15:37:41 host rush[1469733]: 1: -c
Dec 28 15:37:41 host rush[1469733]: 2: /usr/libexec/openssh/sftp-server
Dec 28 15:37:41 host rush[1469733]: Environment:
Dec 28 15:37:41 host rush[1469733]: 0 USER=user
Dec 28 15:37:41 host rush[1469733]: 1 LOGNAME=user
Dec 28 15:37:41 host rush[1469733]: 2 HOME=/home/user
Dec 28 15:37:41 host rush[1469733]: 3 PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
Dec 28 15:37:41 host rush[1469733]: 4 SHELL=/sbin/rush
Dec 28 15:37:41 host rush[1469733]: 5 KRB5CCNAME=FILE:/tmp/krb5cc_204700510_IuhPQI
Dec 28 15:37:41 host rush[1469733]: 6 SELINUX_ROLE_REQUESTED=
Dec 28 15:37:41 host rush[1469733]: 7 SELINUX_LEVEL_REQUESTED=
Dec 28 15:37:41 host rush[1469733]: 8 SELINUX_USE_CURRENT_RANGE=
Dec 28 15:37:41 host rush[1469733]: 9 MOTD_SHOWN=pam
Dec 28 15:37:41 host rush[1469733]: 10 XDG_SESSION_ID=180
Dec 28 15:37:41 host rush[1469733]: 11 XDG_RUNTIME_DIR=/run/user/204700510
Dec 28 15:37:41 host rush[1469733]: 12 DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/204700510/bus
Dec 28 15:37:41 host rush[1469733]: 13 XDG_SESSION_TYPE=tty
Dec 28 15:37:41 host rush[1469733]: 14 XDG_SESSION_CLASS=user
Dec 28 15:37:41 host rush[1469733]: 15 SSH_CLIENT=2001:db8:2::9 57769 22
Dec 28 15:37:41 host rush[1469733]: 16 SSH_CONNECTION=2001:db8:2::9 57769 2001:db8:4:14::12 22
Dec 28 15:37:41 host rush[1469733]: Serving request "/usr/libexec/openssh/sftp-server" for user by rule default
Dec 28 15:37:41 host rush[1469733]: Rule default at /etc/rush.rc:11 matched
Dec 28 15:37:41 host rush[1469733]: Final environment:
Dec 28 15:37:41 host rush[1469733]: 0: USER=user
Dec 28 15:37:41 host rush[1469733]: 1: LOGNAME=user
Dec 28 15:37:41 host rush[1469733]: 2: HOME=/home/user
Dec 28 15:37:41 host rush[1469733]: 3: PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/usr/local/bin
Dec 28 15:37:41 host rush[1469733]: Setting limits for user
Dec 28 15:37:41 host rush[1469733]: Setting limit 0 to 600
Dec 28 15:37:41 host rush[1469733]: Program name: /usr/libexec/openssh/sftp-server
Dec 28 15:37:41 host rush[1469733]: Final arguments:
Dec 28 15:37:41 host rush[1469733]: 0: /usr/libexec/openssh/sftp-server
Dec 28 15:37:41 host rush[1469733]: Serving request "/usr/libexec/openssh/sftp-server" for user by rule sftp
Dec 28 15:37:41 host rush[1469733]: Rule sftp at /etc/rush.rc:21 matched
Dec 28 15:37:41 host rush[1469733]: Final environment:
Dec 28 15:37:41 host rush[1469733]: 0: USER=user
Dec 28 15:37:41 host rush[1469733]: 1: LOGNAME=user
Dec 28 15:37:41 host rush[1469733]: 2: HOME=/home/user
Dec 28 15:37:41 host rush[1469733]: 3: PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/usr/local/bin
Dec 28 15:37:41 host rush[1469733]: Program name: /usr/libexec/openssh/sftp-server
Dec 28 15:37:41 host rush[1469733]: Final arguments:
Dec 28 15:37:41 host rush[1469733]: 0: /usr/libexec/openssh/sftp-server
Dec 28 15:37:41 host rush[1469733]: Executing /usr/libexec/openssh/sftp-server, /usr/libexec/openssh/sftp-server
Dec 28 15:37:41 host rush[1469733]: setgroups: Operation not permitted
```

Gary T. Giesen <ggiesen>
