Idea ID: 1795917

Update Mixed Mode Agent Binaries With SUID Root To More Restrictive Permissions

Status: Waiting for Votes
over 2 years ago

When setting up an agent to run as a non-root user in mixed mode, several binaries are set with the suid root bit to allow those binaries to perform their required functions as root. There are three binaries specifically that have the suid bit set for root.

-r-sr-xr-x. 1 root bin      68424 May 7 2018 /opt/OV/bin/oacore
-r-sr-x---. 1 root opcgrp  595727 May 7 2018 /opt/OV/bin/ovbbccb
-r-sr-xr-x. 1 root root   7603036 Oct 8 2018 /opt/OV/hpcs/hpsensor

The ovbbccb process needs suid to bind to port 383. After startup it drops to non-root. The permissions are what is required for the non-root control daemon in a mixed mode deployment to start it up. This is a good example of a least privilege setup.

The oacore and hpsensor processes run as root to overcome the NPU limitations for certain performance data collections. These processes are also started by the non-root control daemon, so the suid root bit is needed. These processes, however, are world executable, leaving them open to possible exploitation.

My idea is to restrict the default permissions for oacore and hpsensor set in a non-root mixed mode deployment to the same permissions as ovbbccb to reduce the security risk posed by these suid root binaries, i.e.

-r-sr-x---. 1 root opcgrp   68424 May 7 2018 /opt/OV/bin/oacore
-r-sr-x---. 1 root opcgrp  595727 May 7 2018 /opt/OV/bin/ovbbccb
-r-sr-x---. 1 root opcgrp 7603036 Oct 8 2018 /opt/OV/hpcs/hpsensor
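
An added example, not part of the original idea post and not the product's own tooling: POSIX shell functions that list setuid files that are also world-executable under given directories and print, without running them, the commands that would match the ovbbccb permissions shown above. The function names are hypothetical; the group opcgrp and mode 4550 (-r-sr-x---) are taken from the listings in the post.

```shell
#!/bin/sh
# Added example: audit setuid binaries that any local user can execute.

# Print every regular file under the given directories that has both the
# setuid bit (04000) and the other-execute bit (00001) set, one per line.
suid_world_exec() {
    find "$@" -type f -perm -4001 2>/dev/null | sort
}

# Show the current mode, owner and group of each finding for review.
report() {
    suid_world_exec "$@" | while IFS= read -r f; do
        ls -ld "$f"
    done
}

# Dry run: print the commands that would give each finding the same
# permissions as ovbbccb in the post. Usage: propose_fix GROUP DIR...
# chgrp comes first because changing ownership of an executable can clear
# the setuid bit on Linux; chmod 4550 then sets it again explicitly.
propose_fix() {
    group=$1
    shift
    suid_world_exec "$@" | while IFS= read -r f; do
        printf "chgrp %s '%s'\n" "$group" "$f"
        printf "chmod 4550 '%s'\n" "$f"
    done
}

# When called with directories (for example /opt/OV/bin /opt/OV/hpcs),
# report the findings and the proposed changes; nothing is modified.
if [ "$#" -gt 0 ]; then
    report "$@"
    propose_fix opcgrp "$@"
fi
```

The non-root control daemon's account has to be a member of the chosen group, otherwise it can no longer start the restricted binaries.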