lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20150130210426.GA2487@jtriplet-mobl1>
Date:	Fri, 30 Jan 2015 13:04:28 -0800
From:	Josh Triplett <josh@...htriplett.org>
To:	Casey Schaufler <casey@...aufler-ca.com>
Cc:	Iulia Manda <iulia.manda21@...il.com>, gnomes@...rguk.ukuu.org.uk,
	serge.hallyn@...onical.com, linux-kernel@...r.kernel.org,
	akpm@...ux-foundation.org, paulmck@...ux.vnet.ibm.com,
	peterz@...radead.org, mhocko@...e.cz,
	LSM <linux-security-module@...r.kernel.org>
Subject: Re: [PATCH v2] kernel: Conditionally support non-root users, groups
 and capabilities

On Thu, Jan 29, 2015 at 06:05:53PM -0800, Casey Schaufler wrote:
> On 1/29/2015 4:43 PM, josh@...htriplett.org wrote:
> > On Thu, Jan 29, 2015 at 03:44:46PM -0800, Casey Schaufler wrote:
> >> On 1/29/2015 10:43 AM, Iulia Manda wrote:
> >>> There are a lot of embedded systems that run most or all of their functionality
> >>> in init, running as root:root. For these systems, supporting multiple users is
> >>> not necessary.
> >>>
> >>> This patch adds a new symbol, CONFIG_NON_ROOT, that makes support for non-root
> >>> users, non-root groups, and capabilities optional.
> >>>
> >>> When this symbol is not defined, UID and GID are zero in any possible case
> >>> and processes always have all capabilities.
> >>>
> >>> The following syscalls are compiled out: setuid, setregid, setgid,
> >>> setreuid, setresuid, getresuid, setresgid, getresgid, setgroups, getgroups,
> >>> setfsuid, setfsgid, capget, capset.
> >>>
> >>> Also, groups.c is compiled out completely.
> >>>
> >>> This change saves about 25 KB on a defconfig build.
> >>>
> >>> The kernel was booted in Qemu. All the common functionalities work. Adding
> >>> users/groups is not possible, failing with -ENOSYS.
> >>>
> >>> Bloat-o-meter output:
> >>> add/remove: 7/87 grow/shrink: 19/397 up/down: 1675/-26325 (-24650)
> >>>
> >>> Signed-off-by: Iulia Manda <iulia.manda21@...il.com>
> >>> Reviewed-by: Josh Triplett <josh@...htriplett.org>
> >> v2 does nothing to address the longstanding position of
> >> the community that disabling the traditional user based
> >> access controls is unacceptable. 
> > So far that "longstanding position" consists of you griping that we're
> > not implementing authoritative LSM hooks for you and re-fighting that
> > battle for you.  Patches for authoritative LSM hooks did indeed get
> > refused long ago, which is an excellent reason for us to not recast this
> > patch to reimplement them that way.
> 
> The reason for bringing up authoritative hooks is that they allowed for
> a configuration like the one you have implemented. That fact was presented
> as an important reason why authoritative hooks could not be allowed.
> The point is not that I wanted authoritative hooks. The point is that the
> community opposed the very configuration you have implemented. I mention
> the authoritative hooks argument because that's where the issue was discussed.

I recall those same discussions when they happened; the portions of the
discussion I saw were less concerned about the ability to turn *off* the
security model, and more concerned that you could entirely *replace* the
UNIX security model with something more complex that could grant
permissions where you thought you'd denied them.

Referencing one of the mails from that discussion
(http://lwn.net/2001/1108/a/cs-hooks.php3 , which for the record I
entirely agree with your position and arguments in), the three concerns
expressed against authoritative LSM hooks were:
>    1. It is more invasive.
>    2. It increases the likelihood that modules can accidentally
>       undermine the base logic.
>    3. It increases the likelihood that the LSM patch will introduce an
>       error into the base kernel.

1) This patch is far less invasive.
2) There's no "accidentally" here; this is a config option to
   *intentionally* turn off the base logic.
3) Again, this patch is much simpler, single-purpose, and easier to
   review.

So, by all means, let's have this discussion again, but let's not frame
it in the context of authoritative versus restrictive LSM hooks, which
is an entirely different argument.

> > If it does turn out that the security maintainers in the kernel are open
> > to the idea of authoritative LSM hooks, by all means I would encourage
> > you to revisit such hooks.  But there's a significant difference between
> > "add the ability to disable access controls" and "add a framework that
> > allows replacing the user/group security model with arbitrary access
> > controls", and it's not at all obvious that the "right" solution for the
> > former is an implementation of the latter; it also seems entirely
> > plausible that the kernel community remains opposed to the latter, which
> > does not necessarily rule out the former.
> 
> My concern is that you've got a very specific configuration that is going
> to have all sort of application compatibility problems. I'm all for that
> as an experimental environment, but I don't think it's anywhere near ready
> or perhaps appropriate for upstream.

This is a configuration option in the middle of the "potential
application compatibility problems" menu, also known as CONFIG_EXPERT.
Any and all options there can and will disable parts of core kernel
functionality.  This option is intended to support purpose-built
applications that know full well what they're getting themselves into by
turning it off.

> > Given that, it would be helpful to hear feedback from more of the
> > community.
> 
> Oh, I agree. I would also be curious about the user-space environment
> you hope to support with this kernel.

We've successfully booted kernels and simple userspaces with this patch
in qemu.  The userspace environment for this kind of kernel would
typically have init=/application, little to no filesystem, likely a
read-only filesystem if any, and reboot-on-panic as an application
supervision mechanism.

> >> Speaking of the LSM, what is your expectation regarding the
> >> use of security modules in addition to "NON_ROOT"? Is it
> >> forbidden, allowed or encouraged?
> > I would expect that any security module would need to depend on NON_ROOT
> > (or MULTIUSER as v3 may end up calling it, per Geert Uytterhoeven's
> > suggestion).  A kernel configuration with this option turned off
> > intentionally does not *have* user/group access controls.  The intent of
> > this option isn't "turn standard access controls off so they get out of
> > the way of non-standard access controls"; the intent is "turn all access
> > controls off because there will never be unprivileged processes on this
> > system". 
> 
> Pretty limiting, and completely inappropriate for any system that
> gets connected as a part of the Internet of Things. So I'm back to
> thinking that while this may be a fun experiment, it doesn't belong
> as a supported upstream configuration. I hate thinking of Ubuntu running
> on top of this kernel, but someone will want to try it, you can bet.

I would hate to see that too.  Distributions know better than to enable
this kind of option in a distro kernel; give them a little credit.  So,
someone using this option will have to manually build a kernel with this
option intentionally disabled.  This option isn't a loaded and
pre-pointed footgun; it would take non-trivial effort to shoot yourself
in the foot with it.

And, in fact, any normal distribution will fail to work out of the box
with this option disabled, making it even more difficult to misuse.  If
you could switch to another user ID, but then that user ID was still
root-equivalent, that would be quite dangerous; here, any attempt to
switch to a non-root user ID (or group ID, or reduced set of
capabilities) will fail up front with ENOSYS.

- Josh Triplett
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ