Date: Sun, 25 May 2014 09:50:08 -0700
From: Andy Lutomirski <luto@...capital.net>
To: "Eric W. Biederman" <ebiederm@...ssion.com>
Cc: "Jorge Boncompte [DTI2]" <jorge@...2.net>, Jiri Benc <jbenc@...hat.com>, David Miller <davem@...emloft.net>, Vivek Goyal <vgoyal@...hat.com>, Simo Sorce <ssorce@...hat.com>, "security@...nel.org" <security@...nel.org>, Network Development <netdev@...r.kernel.org>, "Serge E. Hallyn" <serge@...lyn.com>, Linus Torvalds <torvalds@...ux-foundation.org>, Michael Kerrisk-manpages <mtk.manpages@...il.com>
Subject: Re: [RFC][PATCH] netlink: Only check file credentials for implicit destinations

On Sat, May 24, 2014 at 10:38 PM, Eric W. Biederman <ebiederm@...ssion.com> wrote:
>
> It was possible to get a setuid root or setcap executable to write to
> its stdout or stderr (which has been made a netlink socket) and
> inadvertently reconfigure the networking stack.
>
> To prevent this we check that both the creator of the socket and
> the current application have permission to reconfigure the network
> stack.
>
> Unfortunately this breaks Zebra which always uses sendto/sendmsg
> and creates its socket without any privileges.
>
> To keep Zebra working don't bother checking if the creator of the
> socket has privilege when a destination address is specified. Instead
> rely exclusively on the privileges of the sender of the socket.

Cute.

> + NETLINK_SKB_DST = 0x8, /* Packet not socket destination */

How about "sendto/sendmsg with explicit destination"?

Whatever we settle on, I think this'll need to end up in the man pages.
Cc: Michael Kerrisk. I hereby volunteer to write something up.

Michael, for background:

Pre-linux-3.15, sending netlink messages to the kernel checked the
credentials of the sender. This is a security bug: the sender might be
a setuid-root program with stdout or stderr redirected to a netlink
socket (or an SCM_RIGHTS user, etc).

The proposal in this patch is that doing privileged things using a
netlink socket will require the sender to have capabilities and
(either sendto/sendmsg with an explicit destination or a connected
socket that was created by a privileged user).

This is still not great from a security POV: if you can get a hold of a
privileged socket (i.e. a socket created with CAP_NET_ADMIN available),
then you can connect it and try to attack the kernel. This issue would
go away if we hooked netlink_connect. I can try writing up that version
of the patch tomorrow.

--Andy
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
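Added example, not part of the thread and not the kernel patch under discussion: the bug described above is that a privileged program's ordinary write() to fd 1 or 2 becomes a netlink message when an unprivileged caller has arranged for that descriptor to be a netlink socket. The kernel-side fix lands in 3.15, but a setuid or setcap program can also defend itself on the userland side by asking the kernel what each standard descriptor actually is (getsockopt SO_DOMAIN, available since Linux 2.6.32) and replacing any AF_NETLINK socket with /dev/null before writing. The helper names (fd_is_netlink, neuter_netlink_stdio, the check_* self-tests) are assumptions chosen for this example; the pipe and netlink sockets they create are constructed locally so the program runs stand-alone on Linux.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <unistd.h>

/* SO_DOMAIN comes from <asm/socket.h> via glibc; fallback value is the
 * generic Linux one, used only if the headers did not provide it. */
#ifndef SO_DOMAIN
#define SO_DOMAIN 39
#endif

/* Returns 1 if fd is an AF_NETLINK socket, 0 if it is anything else
 * (file, pipe, tty, or a socket of another family), -1 on error
 * (e.g. EBADF when the descriptor is closed). */
int fd_is_netlink(int fd)
{
    int domain = 0;
    socklen_t len = sizeof(domain);

    if (getsockopt(fd, SOL_SOCKET, SO_DOMAIN, &domain, &len) == -1) {
        if (errno == ENOTSOCK)
            return 0;          /* ordinary file or pipe: fine to write to */
        return -1;
    }
    return domain == AF_NETLINK ? 1 : 0;
}

/* Hardening step for a privileged program: replace any std descriptor
 * that is a netlink socket with /dev/null, so a later printf() or
 * perror() cannot turn into a netlink request. Returns how many
 * descriptors were replaced, or -1 on failure. */
int neuter_netlink_stdio(void)
{
    int replaced = 0;

    for (int fd = 0; fd <= 2; fd++) {
        if (fd_is_netlink(fd) != 1)
            continue;
        int devnull = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (devnull == -1)
            return -1;
        if (dup2(devnull, fd) == -1) {
            close(devnull);
            return -1;
        }
        close(devnull);
        replaced++;
    }
    return replaced;
}

/* Self-check (constructed): a pipe must not be classified as netlink. */
int check_pipe_is_not_netlink(void)
{
    int p[2];
    if (pipe(p) == -1)
        return -1;
    int r = fd_is_netlink(p[1]);
    close(p[0]);
    close(p[1]);
    return r;
}

/* Self-check (constructed): a real NETLINK_ROUTE socket must be detected.
 * Returns 1 on detection, 0 on a miss, -1 if the environment refuses to
 * create a netlink socket at all (e.g. a restrictive sandbox). */
int check_netlink_is_detected(void)
{
    int s = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
    if (s == -1)
        return -1;
    int r = fd_is_netlink(s);
    close(s);
    return r;
}

int main(void)
{
    printf("pipe classified as netlink: %d\n", check_pipe_is_not_netlink());
    printf("netlink socket detected:    %d\n", check_netlink_is_detected());
    printf("std descriptors replaced:   %d\n", neuter_netlink_stdio());
    return 0;
}
```

This only closes the stdout/stderr redirection vector in the program that runs the check; it does nothing about a netlink socket handed over via SCM_RIGHTS and used deliberately, which is exactly why the thread wants the sender's credentials checked in the kernel rather than relying on every privileged binary to sanitize its descriptors.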