Old 01-22-2010, 06:51 PM
Steve Grubb
 
Default RFC: Remove write permissions from executables

On Friday 22 January 2010 01:30:11 pm Richard Zidlicky wrote:
> > We would want to change the owner write permission bit for all
> > executables. In F-12 we took care of the major directories, this is
> > phase 2 of the same project where we take a bigger step. Phase 1 was
> > proving that the missing write permission on directories won't mess up
> > system updates. Phase 2 would do the same to files.
>
> so one of the next steps might also be to allow some filesystems to be
> read-only? Can be done manually of course but most of the time I am too
> lazy to do that.

That makes "yum update" and friends messy.

-Steve
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 01-23-2010, 01:54 AM
Garrett Holmstrom
 
Default RFC: Remove write permissions from executables

2010/1/22 Miloslav Trmač <mitr@volny.cz>:
> Hello,
> In Fedora 12 several daemons (e.g. dhclient) were modified to drop
> unnecessary capabilities, most importantly the "dac_override"
> capability, allowing the daemon to ignore file permission bits. This,
> in combination with removing some permissions from important system
> directories and files (such as /etc/shadow), has restricted the amount
> of damage that can be done by exploiting such daemons.
>
> We can extend the protection to all executables by a simple addition to
> redhat-rpm-config (https://bugzilla.redhat.com/show_bug.cgi?id=556897 ).
> After applying this patch, executable files in all rebuilt packages
> would not be writeable, most often using mode 0555.
>
> I don't expect any problems from this change (it can affect only daemons
> that drop capabilities, and executables owned by other users than root);
> in the unusual case where making the executable not writeable did cause
> some problems, the packager could override the change by explicitly
> specifying the required permissions using %attr in the %files section of
> the spec file.
>
> What do you think?

I presume this isn't going to break prelink?

--
Garrett Holmstrom
 
Old 01-23-2010, 12:14 PM
Steve Grubb
 
Default RFC: Remove write permissions from executables

On Friday 22 January 2010 09:54:35 pm Garrett Holmstrom wrote:
> > I don't expect any problems from this change (it can affect only daemons
> > that drop capabilities, and executables owned by other users than root);
> > in the unusual case where making the executable not writeable did cause
> > some problems, the packager could override the change by explicitly
> > specifying the required permissions using %attr in the %files section of
> > the spec file.
> >
> > What do you think?
>
> I presume this isn't going to break prelink?

prelink as run from cron has CAP_DAC_OVERRIDE, so it will not be broken.

-Steve
 
Old 01-23-2010, 01:16 PM
Ville Skytt
 
Default RFC: Remove write permissions from executables

On Friday 22 January 2010, Steve Grubb wrote:
> On Friday 22 January 2010 01:30:11 pm Richard Zidlicky wrote:

> > so one of the next steps might also be to allow some filesystems to be
> > read-only? Can be done manually of course but most of the time I am too
> > lazy to do that.
>
> That makes "yum update" and friends messy.

I suppose it would be possible to write a yum plugin without that much of a
mess that does rw/ro remounting at beginning and end of transactions. Even
better if it would be done internally by rpm though.
 
Old 01-25-2010, 04:45 PM
Mike McLean
 
Default RFC: Remove write permissions from executables

2010/1/22 Miloslav Trmač <mitr@volny.cz>:
> We can extend the protection to all executables by a simple addition to
> redhat-rpm-config (https://bugzilla.redhat.com/show_bug.cgi?id=556897 ).
> After applying this patch, executable files in all rebuilt packages
> would not be writeable, most often using mode 0555.

I don't quite understand what this gets us. What is the practical
difference between a root:root 0755 binary and a root:root 0555 one?
The owner of a file can grant themselves write permission anyway, so
I'm not sure how this stops an attacker.

Furthermore, when the user is root, the 0555 mode will not prevent
writing as it would for normal users.
 
Old 01-25-2010, 04:54 PM
Till Maas
 
Default RFC: Remove write permissions from executables

On Mon, Jan 25, 2010 at 12:45:26PM -0500, Mike McLean wrote:

> Furthermore, when the user is root, the 0555 mode will not prevent
> writing as it would for normal users.

It does not matter whether the user is root, but whether he has the
dac_override capability. If you read the original mail (1st paragraph)
again with this in mind, you will understand the reason for the change.

Regards
Till
 
Old 01-25-2010, 04:58 PM
Till Maas
 
Default RFC: Remove write permissions from executables

On Fri, Jan 22, 2010 at 12:19:49PM +0100, Miloslav Trmač wrote:

> We can extend the protection to all executables by a simple addition to
> redhat-rpm-config (https://bugzilla.redhat.com/show_bug.cgi?id=556897 ).
> After applying this patch, executable files in all rebuilt packages
> would not be writeable, most often using mode 0555.

> What do you think?

Is there a tracker about what else needs to be done to finish this up?
E.g. non-executable interpreted libraries will then still be writable:
/usr/lib/python2.6/site-packages/yum

Regards
Till
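
An added example (not part of the thread or of redhat-rpm-config) for the two checks raised above: whether a process still holds CAP_DAC_OVERRIDE, decoded from the CapEff line of /proc/<pid>/status, and which files in a tree still carry a write bit, including non-executable libraries. The function names, the sample capability masks and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

CAP_DAC_OVERRIDE = 1  # bit number in the capability mask (linux/capability.h)

def has_dac_override(status_text):
    """Decode CapEff from /proc/<pid>/status text and test CAP_DAC_OVERRIDE."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            mask = int(line.split()[1], 16)
            return bool((mask >> CAP_DAC_OVERRIDE) & 1)
    raise ValueError("no CapEff line in status text")

def audit_tree(root):
    """Map relative path -> kind for regular files that still carry a write bit."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & 0o222:
                kind = "executable" if mode & 0o111 else "non-executable"
                findings[os.path.relpath(path, root)] = kind
    return findings

def build_and_audit_sample():
    """Constructed tree: one 0755 binary, one 0555 binary, one 0644 module."""
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in (("bin/old", 0o755), ("bin/rebuilt", 0o555),
                          ("lib/module.py", 0o644)):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("placeholder\n")
            os.chmod(path, mode)
        return audit_tree(root)

# Constructed /proc/<pid>/status excerpts (not captured from a real daemon).
FULL_ROOT = "Name:\texample\nCapEff:\t0000003fffffffff\n"
DROPPED = "Name:\texample\nCapEff:\t0000000000003400\n"  # bits 10, 12, 13 only

if __name__ == "__main__":
    print(has_dac_override(FULL_ROOT), has_dac_override(DROPPED))
    print(build_and_audit_sample())
```

On a live system, pass the contents of /proc/<pid>/status for the daemon in question and the path of the tree to audit.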
 
Old 01-25-2010, 05:12 PM
Mike McLean
 
Default RFC: Remove write permissions from executables

On Mon, Jan 25, 2010 at 12:54 PM, Till Maas <opensource@till.name> wrote:
> It does not matter whether the user is root, but whether he has the
> dac_override capability. If you read the original mail (1st paragraph)
> again with this in mind, you will understand the reason for the change.

Thanks. Sorry for the noise.
 
Old 01-25-2010, 07:03 PM
Miloslav Trmač
 
Default RFC: Remove write permissions from executables

Till Maas wrote on Mon 25. 01. 2010 at 18:58 +0100:
> Is there a tracker about what else needs to be done to finish this up?
Good idea, I have filed
https://bugzilla.redhat.com/show_bug.cgi?id=558612 .

(Realistically, this probably won't ever be "finished" because after
handling the low-hanging fruit we'll need to start considering e.g.
files in /etc case by case, in some cases having to decide
between removing dac_override from some system processes and making the
configuration files they legitimately modify non-writeable by root.)

Mirek

 