lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1398462180.7767.211.camel@deadeye.wl.decadent.org.uk>
Date:	Fri, 25 Apr 2014 22:43:00 +0100
From:	Ben Hutchings <ben@...adent.org.uk>
To:	Lorenzo Colitti <lorenzo@...gle.com>
Cc:	Florian Westphal <fw@...len.de>, netdev <netdev@...r.kernel.org>,
	Vasiliy Kulikov <segoon@...nwall.com>
Subject: Re: [RFC][PATCH] IP: Make ping sockets optional

On Fri, 2014-04-25 at 19:37 +0900, Lorenzo Colitti wrote:
> On Fri, Apr 25, 2014 at 1:37 AM, Hannes Frederic Sowa
> <hannes@...essinduktion.org> wrote:
> > The origins of this interface are in the openwall project. I assume
> > embedded devices were not that high up on their agenda.
> 
> One of the original discussion threads I posted above has a link to a
> lengthy discussion on why the original designers of this code thought
> capabilities were not a good idea from a security standpoint.

Well, the use of gids for access control to global resources fits into
Android's security model very nicely.  I think it's quite unsuitable for
most other distributions.

> > We absolutely cannot abandon the interface as it already is in use by
> > android, as Lorenzo stated.
> 
> Well, the fact that it's in use by Android doesn't mean it can't be
> made optional - Android can just turn the feature on in their kernels.
> It would be unfortunate if it were to be removed entirely.

Which I'm not proposing at all.

> > Will android switch to file based capabilities
> > in some time? Is that possible?
> 
> I think Android does support file capabilities. But this socket type
> is not just for the ping binary. The fact that this socket type is
> available to any binary allows any application developer to write an
> app that can send ping packets. That seems like a useful capability
> for a diagnostic app.
>
> On the other hand, it seems to me that giving that same diagnostic app
> CAP_NET_RAW would be unacceptable from a security point of view since
> that app would now be able to sniff all traffic on the system, with
> obvious privacy implications. There are also the usual security
> concerns such as what if an exploit is discovered in the ping binary,
> etc. etc.
> 
> What's the problem with this code? Is it just the 10KB in size?

It's 10K of code to do a very simple job... which is then disabled, so
that it's complete dead weight in most distributions.  (And it turned
out to open a new security hole for those that did enable it.)

As it happens, though, I just had to drop Debian's ixp4xx kernel due to
size limitations, and disabling ping sockets would fix that at least in
the short term.

Ben.

-- 
Ben Hutchings
Beware of programmers who carry screwdrivers. - Leonard Brandwein

Download attachment "signature.asc" of type "application/pgp-signature" (812 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ