| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 28 Dec 2009 16:33:52 -0500 From: Bryan Donlan <bdonlan@...il.com> To: Pavel Machek <pavel@....cz> Cc: Valdis.Kletnieks@...edu, Michael Stone <michael@...top.org>, linux-kernel@...r.kernel.org, netdev@...r.kernel.org, linux-security-module@...r.kernel.org, Andi Kleen <andi@...stfloor.org>, David Lang <david@...g.hm>, Oliver Hartkopp <socketcan@...tkopp.net>, Alan Cox <alan@...rguk.ukuu.org.uk>, Herbert Xu <herbert@...dor.apana.org.au>, Evgeniy Polyakov <zbr@...emap.net>, "C. Scott Ananian" <cscott@...ott.net>, James Morris <jmorris@...ei.org>, "Eric W. Biederman" <ebiederm@...ssion.com>, Bernie Innocenti <bernie@...ewiz.org>, Mark Seaborn <mrs@...hic-beasts.com>, Randy Dunlap <randy.dunlap@...cle.com>, "Am?rico Wang" <xiyou.wangcong@...il.com>, Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>, Samir Bellabes <sam@...ack.fr>, Casey Schaufler <casey@...aufler-ca.com>, "Serge E. Hallyn" <serue@...ibm.com> Subject: Re: RFC: disablenetwork facility. (v4) On Mon, Dec 28, 2009 at 3:55 PM, Pavel Machek <pavel@....cz> wrote: > On Mon 2009-12-28 09:37:24, Valdis.Kletnieks@...edu wrote: >> On Mon, 28 Dec 2009 11:10:06 +0100, Pavel Machek said: >> >> > a) make disablenetwork reset to "enablenetwork" during setuid exec >> >> That won't work either. If you only make it 'setuid==0' binaries, you still >> break 'setuid-FOO' binaries that require the net. If you just check the setuid >> bit, it allows a trivial escape by creating a setuid-yourself binary and using >> that to exec something else (now with network access, because we apparently >> don't have a way to remember the previous setting). > > > it is really only required for binaries setuid to someone else, but > that would be too ugly. (Plus, as someone said, ping is great for > leaking data out.) No, this is not sufficient; one needs only to find a setuid process that can be convinced to run a program with the original (pre-suid) privileges. For example, one could invoke gpg (older versions setuid so it can lock memory, executes user code for the passphrase input agent) or pulseaudio (in some cases setuid to go realtime, loads user plugins) or screen (setuid for sharing sessions, obviously executes user programs) or at/cron (did you remember to deny access to these?) ... Or one can target a non-root setuid program that may have security holes - how about nethack? While in modern distros these uses of setuid may be rare, they can exist, and under the old security model they were safe. Not so anymore. As such, re-enabling network access upon executing a setuid program is not acceptable. That said, I do feel this is a separate issue. The process should first drop its ability to suid; then it can freely apply additional restrictions without there being any risk of breaking setuid applications. In short, how does this sound: * Add an API to allow processes to permanently revoke their own ability to gain privileges from setuid-exec * Add this disablenetwork facility, conditional on dropping setuid-exec abilities This also paves the way for: * Allow processes that have dropped said suid ability to freely create new namespaces (and chroot) Which, combined with doing whatever audits are necessary to allow cross-network-namespace uses of unix domain sockets, actually eliminates the need for the disablenetwork API. :) -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists