Hate to interrupt the tty1 vs tty7 debate but...

We have kernel support for storing capabilities on filesystem since 2.6.24
and recent libcap, both in F9 already. I just committed file capability
support to rpm.org HEAD, filling in the final(?) missing piece.
Capability support is not going to be in rpm 4.6.0 but no reason they
can't be pulled into 4.6.1 which is easily in F11 timeframe.


Are we ready to start considering moving away from SUID bits to
capabilities, in Fedora 11 maybe?


- Panu -

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

On Wednesday, 29 October 2008 at 11:37, Panu Matilainen wrote:
>
> Hate to interrupt the tty1 vs tty7 debate but...
>
> We have kernel support for storing capabilities on filesystem since 2.6.24
> and recent libcap, both in F9 already. I just committed file capability
> support to rpm.org HEAD, filling in the final(?) missing piece.
> Capability support is not going to be in rpm 4.6.0 but no reason they
> can't be pulled into 4.6.1 which is easily in F11 timeframe.
>
> Are we ready to start considering moving away from SUID bits to
> capabilities, in Fedora 11 maybe?

Make it a feature: https://fedoraproject.org/wiki/Features/Policy

Regards,
R.

--
Fedora http://fedoraproject.org/wiki/User:Rathann
RPMFusion http://rpmfusion.org | MPlayer http://mplayerhq.hu
"Faith manages."
-- Delenn to Lennier in Babylon 5:"Confessions and Lamentations"

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

On Wed, 2008-10-29 at 12:37 +0200, Panu Matilainen wrote:
> Hate to interrupt the tty1 vs tty7 debate but...
>
> We have kernel support for storing capabilities on filesystem since 2.6.24
> and recent libcap, both in F9 already. I just committed file capability
> support to rpm.org HEAD, filling in the final(?) missing piece.
> Capability support is not going to be in rpm 4.6.0 but no reason they
> can't be pulled into 4.6.1 which is easily in F11 timeframe.
>
> Are we ready to start considering moving away from SUID bits to
> capabilities, in Fedora 11 maybe?

How does that mesh with networked file systems (nfs, samba)?

-sv


--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

On Oct 29, 2008, at 5:37 AM, Panu Matilainen wrote:



Hate to interrupt the tty1 vs tty7 debate but...

We have kernel support for storing capabilities on filesystem since
2.6.24 and recent libcap, both in F9 already. I just committed file
capability support to rpm.org HEAD, filling in the final(?) missing
piece. Capability support is not going to be in rpm 4.6.0 but no
reason they can't be pulled into 4.6.1 which is easily in F11
timeframe.


Are we ready to start considering moving away from SUID bits to
capabilities, in Fedora 11 maybe?


Not until this bug is fixed

prelink erases file-based capabilities

https://bugzilla.redhat.com/show_bug.cgi?id=456105

joe

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

Panu Matilainen wrote, at 10/29/2008 07:37 PM +9:00:


Hate to interrupt the tty1 vs tty7 debate but...

We have kernel support for storing capabilities on filesystem since
2.6.24 and recent libcap, both in F9 already. I just committed file
capability support to rpm.org HEAD, filling in the final(?) missing
piece. Capability support is not going to be in rpm 4.6.0 but no reason
they can't be pulled into 4.6.1 which is easily in F11 timeframe.


Are we ready to start considering moving away from SUID bits to
capabilities, in Fedora 11 maybe?




For reference, one of them problems we met is:
https://bugzilla.redhat.com/show_bug.cgi?id=455713

Regards,
Mamoru

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

On Wed, Oct 29, 2008 at 07:27:51AM -0500, Joe Nall wrote:
> Not until this bug is fixed
> prelink erases file-based capabilities
> https://bugzilla.redhat.com/show_bug.cgi?id=456105

>From Jakub's 2004 paper on prelink, I see that it saves 1-2 seconds in
startup time for openoffice swriter. Half a second or less on kword,
konqueror, evolution, and epiphany. As computers get faster, prelink will
still save relative time, but the absolute difference will become less and
less perceptible. I know a second here and there adds up, but given the
downsides, sooner or later prelink should be revisited.


--
Matthew Miller <mattdm@mattdm.org>
Senior Systems Architect
Cyberinfrastructure Labs
Computing & Information Technology
Harvard School of Engineering & Applied Sciences

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

On Wed, Oct 29, 2008 at 6:37 AM, Panu Matilainen
<pmatilai@laiskiainen.org> wrote:
>
> Hate to interrupt the tty1 vs tty7 debate but...
>
> We have kernel support for storing capabilities on filesystem since 2.6.24
> and recent libcap, both in F9 already. I just committed file capability
> support to rpm.org HEAD, filling in the final(?) missing piece. Capability
> support is not going to be in rpm 4.6.0 but no reason they can't be pulled
> into 4.6.1 which is easily in F11 timeframe.
>
> Are we ready to start considering moving away from SUID bits to
> capabilities, in Fedora 11 maybe?

Note that from the desktop direction we've been moving the OS away
from exec-based domain transitions to message passing (e.g. PolicyKit)
for a variety of reasons. I think it might be worth considering
introducing a rule actually in Fedora for "no new SUID/fcap binaries",
or at least they would have to pass some sort of robust review
process.

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

On Wed, Oct 29, 2008 at 8:53 AM, Colin Walters
> Note that from the desktop direction we've been moving the OS away
> from exec-based domain transitions to message passing (e.g. PolicyKit)
> for a variety of reasons. I think it might be worth considering
> introducing a rule actually in Fedora for "no new SUID/fcap binaries",
> or at least they would have to pass some sort of robust review
> process.


I think I like that idea. As part of that is there a way we could get
a comprehensive list of the suid binaries we currently carry that
would be grandfather'd in? So we can know how concerted extra effort
would need to be done to help existing packages come into compliance?

-jef

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

On Wednesday 29 October 2008 06:37:32 Panu Matilainen wrote:
> We have kernel support for storing capabilities on filesystem since 2.6.24
> and recent libcap, both in F9 already.

And we have also been busy updating everything else to support this:

https://bugzilla.redhat.com/show_bug.cgi?id=449984


> I just committed file capability support to rpm.org HEAD, filling in the
> final(?) missing piece. Capability support is not going to be in rpm 4.6.0
> but no reason they can't be pulled into 4.6.1 which is easily in F11
> timeframe.

We tried to support this in F-10 by having a test run with ping. We figured
that is a simple well defined app that could be used as a test subject. We
opened bz 455713 to document the change over. Turns out that people compile
their own kernels and do not necessarily turn this on. So, what do we do in
that case?


> Are we ready to start considering moving away from SUID bits to
> capabilities, in Fedora 11 maybe?

We tried and got turned back. How does rpm work on kernels that do not support
file capabilities? I'd like to see us get past the initial objections so that
we can start removing some of the setuid bits.

-Steve

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

On Wednesday 29 October 2008 12:53:16 Colin Walters wrote:
> > Are we ready to start considering moving away from SUID bits to
> > capabilities, in Fedora 11 maybe?
>
> Note that from the desktop direction we've been moving the OS away
> from exec-based domain transitions to message passing (e.g. PolicyKit)
> for a variety of reasons.

>From a security point of view...I don't like this at all.

1) We've spent a lot of time on getting audit right. We can tell what account
was logged in under and find every single application that was started as a
result of that login. Message passing breaks this.

2) There is no accountability for what actions are performed for each user.
The audit system cannot tell who something was done for.

3) There is yet another MAC policy with no auditing of access decisions.

4) Setuid apps get special treatment from ld.so and other things so that
certain actions cannot be performed like ptrace or LD_PRELOAD.

5) Setuid apps can be found quite easily and they are well known and well
reviewed for bugs. If you want admin only use, its easy to take off the
setuid bit.

-Steve

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list