| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 14 Jan 2012 13:04:21 -0800 From: Andrew Lutomirski <luto@....edu> To: Linus Torvalds <torvalds@...ux-foundation.org> Cc: Jamie Lokier <jamie@...reable.org>, Will Drewry <wad@...omium.org>, linux-kernel@...r.kernel.org, keescook@...omium.org, john.johansen@...onical.com, serge.hallyn@...onical.com, coreyb@...ux.vnet.ibm.com, pmoore@...hat.com, eparis@...hat.com, djm@...drot.org, segoon@...nwall.com, rostedt@...dmis.org, jmorris@...ei.org, scarybeasts@...il.com, avi@...hat.com, penberg@...helsinki.fi, viro@...iv.linux.org.uk, mingo@...e.hu, akpm@...ux-foundation.org, khilman@...com, borislav.petkov@....com, amwang@...hat.com, oleg@...hat.com, ak@...ux.intel.com, eric.dumazet@...il.com, gregkh@...e.de, dhowells@...hat.com, daniel.lezcano@...e.fr, linux-fsdevel@...r.kernel.org, linux-security-module@...r.kernel.org, olofj@...omium.org, mhalcrow@...gle.com, dlaor@...hat.com, corbet@....net, alan@...rguk.ukuu.org.uk Subject: Re: [PATCH PLACEHOLDER 1/3] fs/exec: "always_unprivileged" patch On Sat, Jan 14, 2012 at 12:22 PM, Linus Torvalds <torvalds@...ux-foundation.org> wrote: > > We've had security bugs that were *due* to dropped capabilities - > people dropped one capability but not another, and fooled code into > doing things they weren't expecting it to do. So quite frankly, I > believe that from a security standpoint it's a hell of a lot safer to > just keep the rules really simple. > Which is the point of this patch. If suid/sgid/file caps/LSM transitions are disabled, you can't exploit thinks like sendmail because they don't have any special privileges to exploit. > > Does "dropping" mean allowing setuid(geteuid()) for example? That *is* > dropping the uid in a _POSIX_SAVED_IDS environment. And I'm saying > that no, we should not even allow that. It's simply all too "subtle". > > (I don't think Andrew's patch actually touched any of those paths, but > I didn't check) Correct. I did not touch any of these paths. I think that's the right choice for at least three reasons: 1. If there's an exploit that does PR_SET_NO_NEW_CAPS, then setuid/capset/whatever, then runs something and exploits it, it is likely to work just as will if setuid/capset is called before PR_SET_NO_NEW_CAPS. 2. Even if I made that change, it wouldn't help. You can always simulate dropping capabilities with LD_PRELOAD or something like seccomp mode 2. The secure exec stuff that happens when you execve something with the setuid bit set won't prevent it because the setuid bit is *disabled* in this mode. (Again, there is no exploit here -- there are no new privileges to steal.) 3. Simplicity. It would be easy to miss something subtle. There's the dumpable bit and however it interacts with ptrace (especially on Ubuntu, which seems to have a patched kernel with different rules), there's capset, there's file capabilities (which can, I think, drop capabilities as well as adding them), there's cap_bset, securebits, etc. Leaving them all alone means I don't need to worry about bitrot or about missing one. I'm tempted to submit a followup patch to allow unprivileged users to use some of the sys_unshare modes if no_new_privs is set so we can have an example use case. CLONE_NEWIPC, CLONE_SYSVSEM, and CLONE_NEWUTS would be a decent start, I think, and the patch would be trivial. --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists