| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 26 May 2011 11:43:26 -0700 From: Casey Schaufler <casey@...aufler-ca.com> To: Steven Rostedt <rostedt@...dmis.org> CC: Linus Torvalds <torvalds@...ux-foundation.org>, Will Drewry <wad@...omium.org>, Colin Walters <walters@...bum.org>, Kees Cook <kees.cook@...onical.com>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...e.hu>, Peter Zijlstra <peterz@...radead.org>, linux-kernel@...r.kernel.org, James Morris <jmorris@...ei.org> Subject: Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering On 5/26/2011 10:07 AM, Steven Rostedt wrote: > On Thu, 2011-05-26 at 09:46 -0700, Linus Torvalds wrote: > >> And if you filter system calls, it's entirely possible that you can >> attack suid executables through such a vector. Your "limit system >> calls for security" security suddenly turned into "avoid the system >> call that made things secure"! >> >> See what I'm saying? > So you are not complaining about this implementation, but the use of > syscall filtering? > > There may be some user that says, "oh I don't want my other apps to be > able to call setuid" thinking it will secure their application even > more. But because that application did the brain dead thing to not check > the return code of setuid, and it just happened to be running > privileged, it then execs off another application that can root the box. > > Because, originally that setuid would have succeeded if the user did > nothing special, but now with this filtering, and the user thinking that > they could limit their app from doing harm, they just opened up a hole > that caused their app to do the exact opposite and give the exec'd app > full root privileges. > > Did I get this right? Yes. Some system calls are there so that you can turn off privilege. There was a major exploit with sendmail when capabilities were first introduced that brought the potential for this sort of problem into the public eye. Kernel mechanisms intended to provide additional security have to be massively careful about the impact they may have on applications that are currently security aware and that make use of the existing mechanisms. The ACL mechanism is much more complicated than it probably ought to be to accommodate chmod() and capabilities go way over the top to deal with traditional root behavior. > -- Steve > > > -- > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to majordomo@...r.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/ > > -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists