| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 6 Nov 2015 12:05:58 -0600 From: "Serge E. Hallyn" <serge@...lyn.com> To: Casey Schaufler <casey@...aufler-ca.com> Cc: Theodore Ts'o <tytso@....edu>, Klaus Ethgen <Klaus+lkml@...gen.de>, "Serge E. Hallyn" <serge@...lyn.com>, Andy Lutomirski <luto@...capital.net>, Linus Torvalds <torvalds@...ux-foundation.org>, Richard Weinberger <richard.weinberger@...il.com>, LKML <linux-kernel@...r.kernel.org>, Christoph Lameter <cl@...ux.com>, Andy Lutomirski <luto@...nel.org>, Serge Hallyn <serge.hallyn@...ntu.com>, Kees Cook <keescook@...omium.org>, Andrew Morton <akpm@...ux-foundation.org> Subject: Re: [KERNEL] Re: [KERNEL] Re: [KERNEL] Re: [KERNEL] Re: [KERNEL] Re: Kernel 4.3 breaks security in systems using capabilities On Fri, Nov 06, 2015 at 09:51:15AM -0800, Casey Schaufler wrote: > On 11/6/2015 7:53 AM, Theodore Ts'o wrote: > > On Fri, Nov 06, 2015 at 02:58:36PM +0100, Klaus Ethgen wrote: > >> But that left out completely the, I think more important, usecase of > >> _removing_ SUID completely and _replacing_ it with very tight capability > >> setting. And that is what I always talked about. > > I don't believe this is ever going to be possible. And I'm not > > talking about it from a technical perspective, but from a practical > > and cultural perspective. > > There have been rootless systems (e.g. Trusted Irix) in the past. > They sold to a very restricted market and were never widely adopted. > The inevitable first question from the admins was > > "How do I get *real* root?" Ok, but there's a difference between not supporting a real root login at all, and having most or all regular system services working without it. ffs, ping is still often setuid-root. > I agree that culturally it's a hard sell. Once someone gets a taste > for privilege it's tough to get them to give it up. It's a major > problem even in embedded systems, where people are still doing development > in a root shell. > > I was on the POSIX group that defined capabilities. I hate to > say it, but the evidence is that we failed. We've had capabilities > in the kernel for how long? If we haven't been able to make the > transition away from root by now, maybe it's time to reexamine the Several times we've discussed why - for instance after Ted's indicting LSS keynote. There have been some very pedestrian reasons why. The two sadest but also hardest to overcome ones were lack of xattr support in some filesystems, and in some packaging systems. The fact that, as a distro, you have to support use of packages without support for xattrs means you always have to still add the setuid bit, and if you have to do that, it's really better to *only* but cleanly support setuid. And so ping is setuid-root. And we've actually made things worse for now, because you cannot write xattrs froma user namespace. So many default containers, again, cannot use file capabilities unless the host admin installs the packages. (I do plan to write patch to fix that, but hasn't been done that) The other problem is imo there needs to be a better support system for projects which want to switch. That's why I'm really thinking we should have a mailing list dedicated to helping projects properly design their use of capabilities (or nnp or setresuid, probably) Another possible reason would be that it is not portable. If that's holding people back, then that feels like a reason to just replace the whole shebang with something like capsicum. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists