| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 6 Nov 2015 18:56:20 +0100 From: Klaus Ethgen <Klaus+lkml@...gen.de> To: Theodore Ts'o <tytso@....edu>, "Serge E. Hallyn" <serge@...lyn.com>, Andy Lutomirski <luto@...capital.net>, Linus Torvalds <torvalds@...ux-foundation.org>, Richard Weinberger <richard.weinberger@...il.com>, LKML <linux-kernel@...r.kernel.org>, Christoph Lameter <cl@...ux.com>, Andy Lutomirski <luto@...nel.org>, Serge Hallyn <serge.hallyn@...ntu.com>, Kees Cook <keescook@...omium.org>, Andrew Morton <akpm@...ux-foundation.org> Subject: Re: [KERNEL] Re: [KERNEL] Re: [KERNEL] Re: [KERNEL] Re: [KERNEL] Re: [KERNEL] Re: Kernel 4.3 breaks security in systems using capabilities -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Am Fr den 6. Nov 2015 um 16:53 schrieb Theodore Ts'o: > On Fri, Nov 06, 2015 at 02:58:36PM +0100, Klaus Ethgen wrote: > > But that left out completely the, I think more important, usecase of > > _removing_ SUID completely and _replacing_ it with very tight capability > > setting. And that is what I always talked about. > > I don't believe this is ever going to be possible. And I'm not > talking about it from a technical perspective, but from a practical > and cultural perspective. > > The problem with removing SUID and inheritance completely is that you > have to anticipate all possible use cases where a system administrator > might want to use a root shell. This means analyzing all possible use > cases for all possible system administrators how they might need to > use a root shell to fix or management a system, That is not my interest at all. I wan't to get rid of all the SUID _binaries_ that are used by _normal_ users. (And me counting as normal user in the most time too.) I do not want to remove root or something like that. For that task, capabilities is definitively the wrong tool. > and then either (a) > provide a new, specialized tool that solves that particular use case, > while respecting the rules of least privilege, or (b) figure out how > to expand that executable's fI mask, and worse, if that executable > fork and exec's helper programs, those helper programs will need to > have expanded fI masks. And that's if all of the commands that a > system administrator needs to run are compiled executables. Now > consider what happens when a system administrator needs to run python, > perl, or shell scripts with elevated privileges. Independent of, that I do not want to address this, I never want to have a shell (sh, perl, python, ruby, ...) in such a construct. > In the light of that, using things like ambient capabilities, or using > setuid binary that immediately drops all caps that it needs, is > probably the best we're going to get. I do never want that! Even to think about such a way to give any shell raised rights is horrible! And that horrible idea is it that makes all the ambient capabilities that bad. Regards Klaus - -- Klaus Ethgen http://www.ethgen.ch/ pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus@...gen.de> Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQGcBAEBCgAGBQJWPOm+AAoJEKZ8CrGAGfaseE0L+gKhc7DLjkcfVMtYQHFpxTTt C/12GrwxUl+rumO+FPlFhuRBFwFFpLk4BNul6M7MeIJcV8DjDGDTWeRV30/0+gpA qzxpC5lHeNxdgpvom9/wcHEDHXSmZ134zDRcbHVvfn9VGOSi/aZcBvK3Cl5UJPsI vOXbiVeFFRYISEWyoAt9FV/w8z4xFdd6yFZHlZ33mX/FaUNk2Rtdlpwe+lPq6CgO f1mrC4AANY2Hl0sAtoeBhHcscE6lUIujs1katxCwdG5BHSVjaWbvbnLtyKgC6XoN ttoq+jTCsUVo0k3Aae4s6zgfPt3LfrT8ymwlNRNgimD1jq10yM8hsPPXTr9yqvhj VNp+OqozuGvqLoMQApvR3mV0AujBruLmC8g7xMrpmubrQzp+96rUXj82YYtCC9/l ++zTsz5Ik8G/rW/AevDWow0HilaNnqMZeNXevjKNiUK/jGhL1S+4I0bh+PbKrjqc bqC/WDhcimkle5sGH9q6NeQBAsC7mRTsgKOULCVnEw== =9dzb -----END PGP SIGNATURE----- -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists