
Implanted Configuration Parameters of DeleGate

Yutaka Sato
December 4, 2006

Since version 9.4.0, DeleGate has "implanted parameters" in its executable file. These parameters can be used for authentication and capability control, that is, to decide who may execute the executable and which functions or protocols may be used.

The executable file can have the so-called "set user-id on execution" flag set, which makes it run with the super-user's privilege regardless of who invoked it. DeleGate may require such privilege in some cases, including when it uses a privileged port or performs PAM authentication. This flag obsoletes the external programs under "subin", which previously had to be installed as a supplement.

                                   owned-by-root       INSTALLATION /
  INVOCATION              _________set-uid-on-exec     CONFIGURATION
                         /                        \
                         |   the executable file  |
             forbidden   |       of DeleGate      |
  user1 ---- NO -------->|                        |
                         |                        |
  user2 ---- OK -----+---> +-> authentication     |
                     |   | +-> capability control |
                     |   | +-> default config.    |
                     |   | |                      |
                [key]+---->(decrypt)              |    editing with
                         | |     _____________    |   "delegated -Fimp"
                         | |    +             +   |     +[key]
                         | +----+ implanted   <<--------+(encrypt)
                         |      + parameters  +   |
                         |      +_____________+   |
                         |                        |
                         \________________________/

The area reserved for implants is 10K bytes by default. Arbitrary configuration parameters can be held in it.

Turning on the "set user-id on execution" flag can be dangerous for a versatile program like DeleGate, especially when the executable file is marked "executable by anybody". Therefore, a DeleGate executable with the flag set runs only for users who are explicitly permitted to execute it, that is, when the user is in the list of permitted users and/or knows the password to execute it.
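
The exposure described above (set-user-id combined with "executable by anybody") can be checked on an installed binary from its mode bits and owner. This is an added example, not part of the DeleGate distribution; the function names `classify_exe` and `audit_dir` and the script name are illustrative.

```shell
#!/bin/sh
# Added example, not part of DeleGate: report how exposed an executable is.

# classify_exe FILE prints "<class> uid=<owner-uid>", where <class> is
#   not-setuid         no set-user-id bit, runs as the invoker
#   setuid-restricted  set-user-id, but "others" have no execute permission
#   setuid-world-exec  set-user-id and executable by anybody
classify_exe() {
    [ -f "$1" ] || { echo "missing uid=-"; return 2; }
    # "ls -ldn" is POSIX: field 1 is the mode string, field 3 the numeric owner.
    set -- $(ls -ldn -- "$1")
    suid=$(printf '%s' "$1" | cut -c4)    # owner-execute slot: s or S = set-uid
    oexec=$(printf '%s' "$1" | cut -c10)  # other-execute slot: x or t = allowed
    case $suid in
        s|S) ;;
        *) echo "not-setuid uid=$3"; return 0 ;;
    esac
    case $oexec in
        x|t) echo "setuid-world-exec uid=$3" ;;
        *)   echo "setuid-restricted uid=$3" ;;
    esac
}

# audit_dir DIR lists every set-user-id regular file under DIR with its class.
audit_dir() {
    find "$1" -type f -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        printf '%s %s\n' "$(classify_exe "$f")" "$f"
    done
}

# Usage: sh audit.sh /usr/local/bin   (the script name is hypothetical)
for d in "$@"; do audit_dir "$d"; done
```

For a `delegated` binary reported as `setuid-world-exec uid=0`, the implanted list of permitted users and/or the password is the only gate on who can run it with root privilege.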

EXAMPLES

    Show the help and the current implants.
% delegated -Fimp
% delegated -Fimp ADMIN=you@your.domain
% delegated -Fimp -U user2,user3
% delegated -Fimp -C http,ftp
% delegated -Fimp -k
% su root -c "delegated -Fimp -m"
% delegated -Fimp SERVER=http -P8080 -vt ADMIN=me@my.domain
% delegated
% delegated -Fimp -sk conf.enc

mail-lists.delegate-en - <_A3592@delegate-en.ML_>

[DeleGate-En] DeleGate/9.4.0 (ALPHA) -- implanted configuration parameters in the executable file
04 Dec 2006 14:46:29 GMT feedback@delegate.org (Yutaka Sato)
The DeleGate Project


Dear DeleGate users,

I inform you of the new release of DeleGate available as follows:
--------------------------------------------------------------------------
DeleGate/9.4.0 -- (ALPHA) -- implanted configuration parameters in the executable file

IMPLANTED CONFIGURATION PARAMETERS
  - supported "implanting" parameters into the executable file
  - implanted parameters can be encrypted to protect them from peeping by others
  - "subin" is obsoleted, just set "set-uid-on-exec" flag of the executable

An executable file can have "implanted" parameters to control authentication
and capabilities; which user or group can use it and which protocols or
functions it can execute.

The executable owned by "root" with "set-uid-on-exec" replaces "subin" to
execute privileged operations including binding privileged ports or PAM
authentication.

The implanted parameters in an executable file are edited with "-Fimp" option.
See the help information of it with "delegated -Fimp -h" and the page
<URL:http://www.delegate.org/delegate/implant/>

SECURE BINARY DISTRIBUTION
  - executable files distributed from DeleGate.ORG are signed with its RSA key
  - modification to the executable since the compilation is detected on startup

The executable file of DeleGate (delegated) has become signed and verified.
The file is signed at the build-time, and a modification of it (might be
a malicious interpolation) is detected when it is invoked to stop the
invocation.

ENCRYPTION OF CONFIGURATION PARAMETERS
  - introduced a pseudo URL "enc:" to represent a chunk of encrypted data
  - arbitrary data can be encrypted to the "enc:" format with "-Fenc".
  - encrypted data can be used as parameters of DeleGate with "+=enc:..."

See the help information of it with "delegated -Fenc -h" and the page
<URL:http://www.delegate.org/delegate/encrypt/>

--------------------------------------------------------------------------

  SITE: <URL:ftp://ftp.delegate.org/pub/DeleGate/>
  FILE: delegate9.4.0.tar.{gz,bz2}
  DATE: Dec 4 17:19 JST 2006
  TAR-SIZE: 6195200 bytes
  TAR-MD5:  04bd47b34a8ac3fd2a4f4e75659c296d
  PUBLIC-KEY: http://www.delegate.org/rsa-pubkey.pem
  TAR-MD5-SIGN:
    0KZLaVhJSerfRwo0Aioo7brd7yxu+xjjZsaIzd0B3jl/WqR51GJX20JXhOnYdIClmGJBaxj0
    HAv8TG5EkMFsZXdUXxZAKEGb5qu2iaHJ8e3MMqJa2Upv1VpLQfvt+DF0YdBnPY3R1lLB9kco
    5trk095wmwKB7BBQeI/TDXlaDDI=

[NEW]
 * general: "-Fimp" option to implant parameters into the executable
 * general: restricting users who can invoke the executable file (with passwd)
 * general: restricting capable Functions, protocols, params, and systemcalls
 * general: auto. invocation of SERVER="sudo" proc. for privileged operations
 * general: detection of interpolation of the executable file
 + general: "-Fenc" option to make encrypted parameters (or file)
 + POP: implemented RFC2449 "CAPA" for STLS 
 + HTTP: introduced HTTPCONF=kill-iqhead and HTTPCONF=kill-irhead 

[MOD]
 + OWNER: OWNER="invoker's-uid" by default when invoked with set-uid-on-exec
 + general: wait in foreground till daemon process launches
 + general: don't start in background without -Pxxx
 + CFI: act as a filter if without -Pxxx and invoked with std-I/O of sockets
 + AF_UNIX: expanded VSAddr from 32B to 128 for AF_UNIX
 + FreeBSD: use setproctitle() if it's available
 + Windows: MAXIMA=winmtu:0 (from 1024) by default (7.9.4)

[FIX]
 + SSLway: fixed session cache with client's certificate (9.2.4)
 + general: fixed SEGV on long CRYPT key
 + general: fixed infinite loop by malformed hostlist
 + SockMux: fixed SockMux on a FIFO pair (8.8.6)
 + TUNNEL: fixed SERVER=tunnel1 for TUNNEL=tty7:xxx.shio (8.0.1)
 + HTTP: fixed FFROMCL="-p,"filter for binary-relay (with HTTP/CONNECT)
 + Telnet: fixed relaying DataMark/OOB ASAP. without seeing TimingMark (9.0.3)
 + FreeBSD: don't care EOF of PIPE as OOB on FreeBSD (9.0.3)
 + MacOSX: coped with "OWNER=nobody" on MacOSX (in which uid(nobody) == -2)
 + CGI/SSI: enabled invocation via CGI/SSI
 + CGI/SSI: restarting as a service from CGI/SSI on Windows
 + SSH: enabled invocation via SSH
 + AF_UNIX: re-enabled AF_UNIX on Solaris (3.0.35)
 + AF_UNIX: repaired AF_UNIX + UDP to work (since 9.0.0 for IPv6)

Cheers,
Yutaka
--
  9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller

--
9.4.0 061201 fix credhy.c: faster strtoHex/hextoStr without sscanf/sprintf
9.4.0 061130 new {httpx,script,delegated}.c: generic usage of enc: URI "scheme"
9.4.0 061130 mod {dgauth,dgsign}.c: accepts ":passWord" for "pass:passWord"
9.4.0 061130 fix script.c: coped with large +=enc: string
9.4.0 061129 new dgsign.c: erasing implanted param/opts with -zPARAM / -z-X
9.4.0 061129 new dgsign.c: -Fenc / -Fdec to encrypt/decrypt +=enc:ext:...
9.4.0 061129 new dgsign.c: loading encrypted parameters as +=enc:ext::xxxx:
9.4.0 061129 new dgsign.c: saving encrypted parameters with -Fimp -se or -sk
9.4.0 061128 new dgsign.c: supported -Fimp -U on Win
9.4.0 061128 new windows.c: implemented getting the owner name on Win
9.4.0 061128 new windows.c: implemented st_ino on Win (but only in short int)
9.4.0 061128 fix dgsign.c: supported -Fimp -k on Win
9.4.0 061126 new {dgauth,dgsign}.c: generic PASSWD=Dom:User:pass:xxxx storage
9.4.0 061125 new dgsign.c: introduced -Fimp -k to encrypt implanted config.
9.4.0 061125 fix {delegated,pelcgb}.c: fixed SEGV on long CRYPT key
9.4.0 061125 mod dgsign.c: allow -Fimp only to the owner and the group of exe.
9.4.0 061124 mod credhy.c: stopped too slow "dazzling" in CreyEncrypts(9.0.6)
9.4.0 061124 fix hostlist.c: infinite loop by malformed hostlist as "{a,b}c"
9.4.0 061123 new credhy.c: added simple safe string encoding instead of Hex
9.4.0 061123 fix {dgsign,credhy}.c: coped with a large config. file
9.4.0 061122 new param.c: supported -C -PARAM to disable the PARAM
9.4.0 061122 new dgsign.c: save/load commented configuration of -Fimp as is
9.4.0 061121 new dgsign.c: introduced -Fimp -e option (edit with vi or EDITOR)
9.4.0 061120 new dgsign.c: enabled arbitrary parameter NAME=value with -Fimp
9.4.0 061120 mod embed.c: enlarged the default size of IMP area to 4KB
9.4.0 061119 mod delegated.c: act as a filter if without -Pxxx and via socket
9.4.0 061117 fix dgsign.c: fixed broken password MD5 for repetitive -Fimp
9.4.0 061117 mod delegated.c: execute -Fkill as a usual -Ffunction
9.4.0 061117 new {delegate,param*.c: added ".lock.NAME=value" or ".lock.NAME"
9.4.0 061117 new embed.c: setting size of -Fimp area as "make IMPSIZE=1234"
9.4.0 061116 new dgsign.c: -Fimp coped with rewriting self on ETXTBSY
9.4.0 061115 fix sox.c: SockMux on a FIFO pair with Credhy preamble (8.8.6)
9.3.1 061111 fix sslway.c: sess. cache with client's certificate(9.2.4)
9.4.0 061113 mod sslway.c: introduced TLSOCNF="context:xxx"
9.4.0 061113 new http.c: introduced HTTPCONF=kill-iqhead and kill-irhead 
9.4.0 061110 mod sslway.c: showing library loading errors on the start (-vl)
9.4.0 061108 fix telnet.c: relay DM/OOB A.S.A.P. without seeing TM(9.0.3-pre18)
9.4.0 061109 fix nbio.c: FFROMC=-p,filter for binary-relay (HTTP/CONNECT)
9.4.0 061108 fix _-select.c: don't care EOF of PIPE as OOB on FreeBSD (9.0.3)
9.4.0 061108 fix delegated.c: fixed SEGV on start (9.4.0-pre1)
9.4.0 061107 mod delegated.c: wait in foreground till daemon proc. launch
9.4.0 061107 mod dgsign.c: -Fimp -m not to change the group-ownership
9.4.0 061107 mod embed.c: SUDOAUTH=":root,.u,/.g,/wheel,/staff" by default
9.4.0 061107 new svport.c: showing help for -Fimp -m on bind(-Pxx) error
9.4.0 061107 mod sudo.c: set the owner of SUDO socket to the one in OWNER
9.4.0 061107 mod dgsign.c: -Fimp -o copies modes of original to a new exec.
9.4.0 061107 mod delegated.c: create LOGFILE as DGROOT/{sudo,sudo-error}.log
9.4.0 061107 fix delegated.c: don't create generalist PROTOLOG for SERVER=sudo
9.4.0 061106 mod windows.c: MAXIMA=winmtu:0 (from 1024) by default (7.9.4)
9.4.0 061105 mod {pstitle,setproctitle}.c: use setproctitle() if available
9.4.0 061104 mod {__locking,_-CreateThread}.c: merged into windows.c
9.4.0 061103 mod unix.c: extracted Unix only code from windows.c
9.4.0 061103 mod {winserv,winreg}.c: merged into windows.c
9.4.0 061103 new pop.c: implemented RFC2449 "CAPA" for STLS 
9.4.0 061102 new delegated.c: detecting interpolation of the executable file
9.4.0 061102 new {service,delegated}.c: masking capable protocols by -Fimp
9.4.0 061102 new {dgsign.c,commands}.c: masking capable functions by -Fimp
9.4.0 061101 new delegated.c: "-r" option for INETD="" without -Pxxx
9.4.0 061031 mod delegated.c: don't start in background without -Pxxx
9.4.0 061028 fix file.c: coped with "OWNER=nobody" on MacOSX (uid == -2)
9.4.0 061028 new dgsign.c: -Fimp to implant config. params. into executable
9.4.0 061028 mod master.c: OWNER="invoker-uid" by default on set-uid-on-exec
9.4.0 061028 new sudo.c: introduced SUDOPASS=pass to be run with set-uid-flag
9.4.0 061028 fix httpd.c: fixed SERVER=tunnel1 for TUNNEL=tty7:x.shio (8.0.1)
9.4.0 061027 fix {delegated,winserv}.c: restarting as a service from CGI/SSI
9.4.0 061027 fix delegated.c: closing stdout on error restart from CGI/SSI
9.4.0 061026 fix {delegated,remote}.c: enabled invocation via SSH
9.4.0 061024 new windows.c: sending a file desc. by DuplicateHandle on Win
9.4.0 061024 mod delegated.c: re-enabled AF_UNIX on Solaris (3.0.35)
9.4.0 061024 fix nbio.c: fixed connect() with timeout to work with AF_UNIX
9.4.0 061022 new sendFd1.c: sending a file descriptor via AF_UNIX socket
9.4.0 061022 fix inets.c: repaired AF_UNIX + UDP to work (since 9.0.0 for IPv6)
9.4.0 061022 mod {vaddr,vsocket}.h: expanded VSAddr from 32B to 128 for AF_UNIX
--