| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 12 Dec 2011 23:11:49 +0000 From: "Serge E. Hallyn" <serge@...lyn.com> To: Colin Walters <walters@...bum.org> Cc: LKML <linux-kernel@...r.kernel.org>, alan@...rguk.ukuu.org.uk, morgan@...nel.org, "Eric W. Biederman" <ebiederm@...ssion.com>, luto@....edu, kzak@...hat.com, Steve Grubb <sgrubb@...hat.com> Subject: Re: chroot(2) and bind mounts as non-root Quoting Colin Walters (walters@...bum.org): > But it was pretty trivial to modify my tool to make a MS_NOSUID bind > mount over /: > > mount (NULL, "/", "none", MS_PRIVATE | MS_REMOUNT | MS_NOSUID, > NULL); > > That's hopefully enough to plug that hole (right?), albeit not in a Heh, yeah I think that suffices :) ... > Looks to me like the MS_NOSUID bind mount prevents acquisition of file > capabilities too. Yup. > I experimented with dropping all capabilities from the capability > bounding set, but the API seems a bit lame in that CAP_LAST_CAP is > encoded in the kernel capability.h, but if an old binary is run on a new > kernel, I might silently fail to drop a newly added capability. Right? Look at the cap_get_bound.3 manpage, and look for CAP_IS_SUPPORTED. If you start at CAP_LAST_CAP and keep going up/down depending on whether it was support or not it shouldn't take too long to find the last valid value. Not ideal, but should be reliable. > Steve Grubb's "libcap-ng" appears to not handle this scenario at all; > Steve, am I missing something? > > Anyways, in the big picture here I think this tool is now pretty safe to > install suid root, since we rely on MS_NOSUID to close all privilege I haven't taken a critical look at the mount code but other than that it seems reasonable and useful to me! Thanks. > escalation mechanisms today from plugging in a USB drive, which is > effectively "user controls arbitrary filesystem layout". > > But getting in Eric's patch for disabling suid binaries from a process > tree would be really nice. Alan, do you still object? Your main issue > seemed to be that it should be in a LSM, but the suid issue does span > existing LSMs. And as far as adding restrictions introduces new attack > vectors, pretty much all of those are abusing suid binaries, precisely > what we just want to axe off entirely. -serge -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists