understanding setuid/setgid XQuery and system:as-user()

understanding setuid/setgid XQuery and system:as-user()

Olaf Schreck
Hi,

I'm trying to run some XQuery code setuid/setgid, or with system:as-user(),
but I must be missing something as it doesn't work as expected.  Google is
a bit short on this.

I have an XQuery module that does not need special permissions for what it
does, except for this part (dynamically adding an eXist account):

  declare function exsaml:ensure-user($nameid as xs:string) {
    let $log  := util:log("info", "ensure-user; n: " || $nameid || ", i: " || sm:id())
    let $pass := "test"
    return
      if (not(sm:user-exists($nameid))) then
        sm:create-account($nameid, $pass, ())
      else ()
  };

This gets run without (eXist) authentication, so the code is running as
guest/guest, confirmed by the log entry, and create-account fails with
"exerr:ERROR You must be an authenticated user".  Of course.

I tried to wrap it inside system:as-user() like this:

        system:as-user("admin", "", sm:create-account($nameid, $pass, ()))

but that gives the same error.  I would have expected this to work?
[that's "admin" without password - internal test system]


I have also tried to run the XQuery module setgid.  Eval'd
sm:chmod($modulefile, "rwxrwSr-x") in eXide, permissions look correct.

I expected to see the effective group of $modulefile in the log entry from
sm:id(), but nope.


Clues?  Thanks,
Olaf

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Exist-open mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/exist-open

Re: understanding setuid/setgid XQuery and system:as-user()

Joe Wicentowski
Hi Olaf,

To kick off the discussion, could you please specify which version of eXist you're using?

Joe

On Mon, Jan 30, 2017 at 12:37 PM, Olaf Schreck <[hidden email]> wrote:

Re: understanding setuid/setgid XQuery and system:as-user()

Olaf Schreck
Hi Joe,

> To kick off the discussion, could you please specify which version of eXist
> you're using?

Meh, of course, sorry.

#eXist build info
project.version=3.0.RC2
project.built=20170125064840
scm.branch=develop
scm.revision=9e8a2cf

Re: understanding setuid/setgid XQuery and system:as-user()

Adam Retter
In reply to this post by Olaf Schreck
What does sm:get-permissions report for your XQuery stored in the DB?

On 31 Jan 2017 2:38 a.m., "Olaf Schreck" <[hidden email]> wrote:
Re: understanding setuid/setgid XQuery and system:as-user()

Wolfgang Meier-2
In reply to this post by Olaf Schreck
> I have also tried to run the XQuery module setgid.  Eval'd
> sm:chmod($modulefile, "rwxrwSr-x") in eXide, permissions look correct.

Just guessing, but please note that the setgid needs to be applied on the main XQuery module, not an imported module.

Wolfgang
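An added diagnostic that ties Adam's sm:get-permissions question and Wolfgang's main-module note together; it is not code from the thread. Stored and run as the main module itself (not imported), it shows the real and effective identity from sm:id() next to the owner/group/mode of the stored module, so a setuid/setgid bit that did not take effect is visible at once. The path /db/apps/exsaml/ensure-user.xq is a constructed placeholder, and the sm:real/sm:effective element layout of sm:id() is assumed from eXist's sm module.

```xquery
xquery version "3.1";

(: Added example, not from the thread. Store this as the MAIN module at $main,
   apply sm:chmod to that same path, then execute it; setuid/setgid on an
   imported library module has no effect. The descendant axis is used below
   so the code does not depend on whether sm:id() and sm:get-permissions()
   hand back the element itself or a document node wrapping it. :)
declare namespace sm = "http://exist-db.org/xquery/securitymanager";

(: constructed placeholder path :)
declare variable $main := xs:anyURI("/db/apps/exsaml/ensure-user.xq");

(: Read the special bits out of a 9-character mode string such as "rwxrwSr-x":
   character 3 is s/S when setuid is set, character 6 is s/S when setgid is set.
   An upper-case S means the bit is set but the matching execute bit is not,
   which is exactly what "rwxrwSr-x" in the original post expresses. :)
declare function local:special-bits($mode as xs:string?) as map(xs:string, xs:boolean) {
  map {
    "setuid" : lower-case(substring($mode, 3, 1)) = "s",
    "setgid" : lower-case(substring($mode, 6, 1)) = "s"
  }
};

let $id   := sm:id()
let $perm := sm:get-permissions($main)//sm:permission
let $bits := local:special-bits($perm/@mode)
return
  <report module="{ $main }">
    <real-user>{ $id//sm:real/sm:username/string() }</real-user>
    <real-groups>{ string-join($id//sm:real/sm:groups/sm:group, ",") }</real-groups>
    <!-- sm:id() only emits sm:effective when it differs from the real identity,
         so "same as real" here means no setuid/setgid switch happened -->
    <effective-user>{ ($id//sm:effective/sm:username/string(), "same as real")[1] }</effective-user>
    <effective-groups>{ string-join($id//sm:effective/sm:groups/sm:group, ",") }</effective-groups>
    <permissions owner="{ $perm/@owner }" group="{ $perm/@group }" mode="{ $perm/@mode }"
                 setuid="{ $bits?setuid }" setgid="{ $bits?setgid }"/>
  </report>
```

If the report shows setgid="true" on the module but effective-groups is empty, the bit is on a file that is not the module actually being executed as main, which is the mismatch Wolfgang points at.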