| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <874n0ds9sk.fsf@x220.int.ebiederm.org> Date: Sun, 25 May 2014 16:44:43 -0700 From: ebiederm@...ssion.com (Eric W. Biederman) To: Andy Lutomirski <luto@...capital.net> Cc: "Jorge Boncompte \[DTI2\]" <jorge@...2.net>, Jiri Benc <jbenc@...hat.com>, David Miller <davem@...emloft.net>, Vivek Goyal <vgoyal@...hat.com>, Simo Sorce <ssorce@...hat.com>, "security\@kernel.org" <security@...nel.org>, Network Development <netdev@...r.kernel.org>, "Serge E. Hallyn" <serge@...lyn.com>, Linus Torvalds <torvalds@...ux-foundation.org>, Michael Kerrisk-manpages <mtk.manpages@...il.com> Subject: Re: [RFC][PATCH] netlink: Only check file credentials for implicit destinations Andy Lutomirski <luto@...capital.net> writes: > On Sat, May 24, 2014 at 10:38 PM, Eric W. Biederman > <ebiederm@...ssion.com> wrote: >> >> It was possible to get a setuid root or setcap executable to write to >> it's stdout or stderr (which has been set made a netlink socket) and >> inadvertently reconfigure the networking stack. >> >> To prevent this we check that both the creator of the socket and >> the currentl applications has permission to reconfigure the network >> stack. >> >> Unfortunately this breaks Zebra which always uses sendto/sendmsg >> and creates it's socket without any privileges. >> >> To keep Zebra working don't bother checking if the creator of the >> socket has privilege when a destination address is specified. Instead >> rely exclusively on the privileges of the sender of the socket. >> > > Cute. > >> + NETLINK_SKB_DST = 0x8, /* Packet not socket destination */ > > How about "sendto/sendmsg with explicit destination" That is a better comment. > Whatever we settle on, I think this'll need to end up in the man > pages. Cc: Michael Kerrisk. I hereby volunteer to write something > up. > > Michael, for background: Pre-linux-3.15, sending netlink messages to > the kernel checked the credentials of the sender. This is a security > bug: the sender might be a setuid-root program with stdout or stderr > redirected to a netlink socket (or an SCM_RIGHTS user, etc). > > The proposal in this patch is that doing privileged things using a > netlink socket will require the sender to have capabilities and > (either sendto/sendmsg with an explicit destination or a connected > socket that was created by a privileged user). > > This is still not great from a security POV: if you can get a hold of > a privileged socket (i.e. a socket created with CAP_NET_ADMIN > available), then you can connect it and try to attack the kernel. > This issue would go away if we hooked netlink_connect. I can try > writing up that version of the patch tomorrow. The really important part technically is skipping the socket based check in sendto and sendmsg as I have done, as it fixes the one known regression, and yields comprehensible semantics. But I agree that since connect on sockets is really the equivalent of open on files, and unprivileged users can change where a socket is connected to, using a struct cred captured at connect() time is better than the struct cred captured at socket() time. Eric -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists