| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 26 May 2014 10:38:43 +0200 From: "Michael Kerrisk (man-pages)" <mtk.manpages@...il.com> To: Andy Lutomirski <luto@...capital.net>, "Eric W. Biederman" <ebiederm@...ssion.com> CC: mtk.manpages@...il.com, "Jorge Boncompte [DTI2]" <jorge@...2.net>, Jiri Benc <jbenc@...hat.com>, David Miller <davem@...emloft.net>, Vivek Goyal <vgoyal@...hat.com>, Simo Sorce <ssorce@...hat.com>, "security@...nel.org" <security@...nel.org>, Network Development <netdev@...r.kernel.org>, "Serge E. Hallyn" <serge@...lyn.com>, Linus Torvalds <torvalds@...ux-foundation.org> Subject: Re: [RFC][PATCH] netlink: Only check file credentials for implicit destinations On 05/25/2014 06:50 PM, Andy Lutomirski wrote: > On Sat, May 24, 2014 at 10:38 PM, Eric W. Biederman > <ebiederm@...ssion.com> wrote: >> >> It was possible to get a setuid root or setcap executable to write to >> it's stdout or stderr (which has been set made a netlink socket) and >> inadvertently reconfigure the networking stack. >> >> To prevent this we check that both the creator of the socket and >> the currentl applications has permission to reconfigure the network >> stack. >> >> Unfortunately this breaks Zebra which always uses sendto/sendmsg >> and creates it's socket without any privileges. >> >> To keep Zebra working don't bother checking if the creator of the >> socket has privilege when a destination address is specified. Instead >> rely exclusively on the privileges of the sender of the socket. >> > > Cute. > >> + NETLINK_SKB_DST = 0x8, /* Packet not socket destination */ > > How about "sendto/sendmsg with explicit destination" > > Whatever we settle on, I think this'll need to end up in the man > pages. Cc: Michael Kerrisk. I hereby volunteer to write something > up. > > Michael, for background: Pre-linux-3.15, sending netlink messages to > the kernel checked the credentials of the sender. This is a security > bug: the sender might be a setuid-root program with stdout or stderr > redirected to a netlink socket (or an SCM_RIGHTS user, etc). Andy, thanks for putting your hand-up, and thanks especially for paragraph of background. (Too often, I get CCed into a thread with the implication that something needs to be fixed in man-pages without any explanation of what or why.) Cheers, Michael > The proposal in this patch is that doing privileged things using a > netlink socket will require the sender to have capabilities and > (either sendto/sendmsg with an explicit destination or a connected > socket that was created by a privileged user). > > This is still not great from a security POV: if you can get a hold of > a privileged socket (i.e. a socket created with CAP_NET_ADMIN > available), then you can connect it and try to attack the kernel. > This issue would go away if we hooked netlink_connect. I can try > writing up that version of the patch tomorrow. > > --Andy > -- Michael Kerrisk Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/ Linux/UNIX System Programming Training: http://man7.org/training/ -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists