01-25-2010, 07:48 PM
Garrett Holmstrom

RFC: Remove write permissions from executables

On Mon, Jan 25, 2010 at 11:54 AM, Till Maas <opensource@till.name> wrote:
> On Mon, Jan 25, 2010 at 12:45:26PM -0500, Mike McLean wrote:
>
>> Furthermore, when the user is root, the 0555 mode will not prevent
>> writing as it would for normal users.
>
> It does not matter whether the user is root, but whether he has the
> dac_override capability. If you read the original mail (1st paragraph)
> again with this in mind, you will understand the reason for the change.

Does a lack of the dac_override capability prevent root from chmod'ing
its own files?

--
Garrett Holmstrom
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
01-26-2010, 09:16 AM
Stefan Schulze Frielinghaus

RFC: Remove write permissions from executables

On Mon, 2010-01-25 at 14:48 -0600, Garrett Holmstrom wrote:
> On Mon, Jan 25, 2010 at 11:54 AM, Till Maas <opensource@till.name> wrote:
> > On Mon, Jan 25, 2010 at 12:45:26PM -0500, Mike McLean wrote:
> >
> >> Furthermore, when the user is root, the 0555 mode will not prevent
> >> writing as it would for normal users.
> >
> > It does not matter whether the user is root, but whether he has the
> > dac_override capability. If you read the original mail (1st paragraph)
> > again with this in mind, you will understand the reason for the change.
>
> Does a lack of the dac_override capability prevent root from chmod'ing
> its own files?

I had the same question too ;-) and did a quick test. The result was, if
you drop all capabilities, you are still allowed to chmod your files.

So the benefit of removing write permissions is questionable to me.
Maybe someone else can bring in some light?

PS: Testing was done via the attached application.
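An added example (written for this page, not Stefan's attached program, which the archive does not carry) that reproduces his test on Linux: it drops every capability with capset(2), then shows that chmod on a file the process owns still succeeds, whether or not the process started as root. It assumes procfs is mounted and /tmp is writable.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Drop every capability (permitted, effective, inheritable) from this thread.
 * Shrinking the sets needs no privilege, so it works as root or as a user. */
static int drop_all_caps(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3] = {{0}};
    return (int)syscall(SYS_capset, &hdr, data);   /* 0 on success */
}

/* CapEff mask from /proc/self/status (assumes procfs); ~0ULL if unreadable. */
static unsigned long long effective_caps(void)
{
    unsigned long long caps = ~0ULL;
    char line[256];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return caps;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "CapEff: %llx", &caps) == 1) break;
    fclose(f);
    return caps;
}

/* Stefan's experiment: create a file we own, set it 0555 (the RFC's mode),
 * drop all capabilities, then chmod it back to 0755.  Returns 1 if chmod still
 * succeeded (ownership suffices, no CAP_FOWNER needed), 0 if refused, -1 on setup failure. */
static int chmod_own_file_without_caps(void)
{
    char path[] = "/tmp/capchmodXXXXXX";   /* constructed scratch file */
    int fd = mkstemp(path), rc = -1;
    if (fd < 0) return -1;
    close(fd);
    if (chmod(path, 0555) == 0 && drop_all_caps() == 0)
        rc = chmod(path, 0755) == 0;
    unlink(path);
    return rc;
}
int main(void)
{
    int ok = chmod_own_file_without_caps();
    printf("chmod after dropping caps: %s, CapEff=%llx\n", ok == 1 ? "allowed" : "refused", effective_caps());
    return ok != 1;
}
```

The point the thread reaches follows from this: a 0555 mode stops accidental or path-traversal writes by a privileged process, but the owner (root) can always chmod the file back, so the mode alone is no barrier to deliberate code replacement.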
 
01-26-2010, 02:01 PM
Miloslav Trmač

RFC: Remove write permissions from executables

Stefan Schulze Frielinghaus writes on Tue 26. 01. 2010 at 11:16 +0100:
> On Mon, 2010-01-25 at 14:48 -0600, Garrett Holmstrom wrote:
> > On Mon, Jan 25, 2010 at 11:54 AM, Till Maas <opensource@till.name> wrote:
> > > On Mon, Jan 25, 2010 at 12:45:26PM -0500, Mike McLean wrote:
> > >
> > >> Furthermore, when the user is root, the 0555 mode will not prevent
> > >> writing as it would for normal users.
> > >
> > > It does not matter whether the user is root, but whether he has the
> > > dac_override capability. If you read the original mail (1st paragraph)
> > > again with this in mind, you will understand the reason for the change.
> >
> > Does a lack of the dac_override capability prevent root from chmod'ing
> > its own files?
>
> I had the same question too ;-) and did a quick test. The result was, if
> you drop all capabilities, you are still allowed to chmod your files.
>
> So the benefit of removing write permissions is questionable to me.
> Maybe someone else can bring in some light?
Right, it only protects against arbitrary file overwrite (e.g. someone
passing "../../../usr/bin" as a file name). It doesn't protect against
arbitrary code execution.

I have withdrawn the proposal for F13. We could fully protect the
binaries by making them owned by some other user than root, but that
change would be much more invasive and risky, and I won't be able to do
enough testing to propose such a change at this time.

Thanks for all comments,
Mirek

 
01-26-2010, 03:38 PM
Serge E. Hallyn

RFC: Remove write permissions from executables

Quoting Miloslav Trmač (mitr@volny.cz):
> Stefan Schulze Frielinghaus writes on Tue 26. 01. 2010 at 11:16 +0100:
> > On Mon, 2010-01-25 at 14:48 -0600, Garrett Holmstrom wrote:
> > > On Mon, Jan 25, 2010 at 11:54 AM, Till Maas <opensource@till.name> wrote:
> > > > On Mon, Jan 25, 2010 at 12:45:26PM -0500, Mike McLean wrote:
> > > >
> > > >> Furthermore, when the user is root, the 0555 mode will not prevent
> > > >> writing as it would for normal users.
> > > >
> > > > It does not matter whether the user is root, but whether he has the
> > > > dac_override capability. If you read the original mail (1st paragraph)
> > > > again with this in mind, you will understand the reason for the change.
> > >
> > > Does a lack of the dac_override capability prevent root from chmod'ing
> > > its own files?
> >
> > I had the same question too ;-) and did a quick test. The result was, if
> > you drop all capabilities, you are still allowed to chmod your files.
> >
> > So the benefit of removing write permissions is questionable to me.
> > Maybe someone else can bring in some light?
> Right, it only protects against arbitrary file overwrite (e.g. someone
> passing "../../../usr/bin" as a file name). It doesn't protect against
> arbitrary code execution.
>
> I have withdrawn the proposal for F13. We could fully protect the
> binaries by making them owned by some other user than root, but that

Note that the inverse - the files being owned by root and a daemon
running as non-root with a few capabilities - is also useful.

> change would be much more invasive and risky, and I won't be able to do
> enough testing to propose such a change at this time.
>
> Thanks for all comments,
> Mirek
 
01-26-2010, 11:04 PM
Richard Zidlicky

RFC: Remove write permissions from executables

On Tue, Jan 26, 2010 at 04:01:58PM +0100, Miloslav Trmač wrote:
> Stefan Schulze Frielinghaus writes on Tue 26. 01. 2010 at 11:16 +0100:
> > On Mon, 2010-01-25 at 14:48 -0600, Garrett Holmstrom wrote:
> > > On Mon, Jan 25, 2010 at 11:54 AM, Till Maas <opensource@till.name> wrote:
> > > > On Mon, Jan 25, 2010 at 12:45:26PM -0500, Mike McLean wrote:
> > > >
> > > >> Furthermore, when the user is root, the 0555 mode will not prevent
> > > >> writing as it would for normal users.
> > > >
> > > > It does not matter whether the user is root, but whether he has the
> > > > dac_override capability. If you read the original mail (1st paragraph)
> > > > again with this in mind, you will understand the reason for the change.
> > >
> > > Does a lack of the dac_override capability prevent root from chmod'ing
> > > its own files?
> >
> > I had the same question too ;-) and did a quick test. The result was, if
> > you drop all capabilities, you are still allowed to chmod your files.
> >
> > So the benefit of removing write permissions is questionable to me.
> > Maybe someone else can bring in some light?
> Right, it only protects against arbitrary file overwrite (e.g. someone
> passing "../../../usr/bin" as a file name). It doesn't protect against
> arbitrary code execution.
>
> I have withdrawn the proposal for F13. We could fully protect the
> binaries by making them owned by some other user than root, but that
> change would be much more invasive and risky, and I won't be able to do
> enough testing to propose such a change at this time.

That kind of change would also look very strange to most people.

Mounting the fs read only is much easier and safer - and has a long tradition.

Richard
 
01-27-2010, 02:10 PM
Benny Amorsen

RFC: Remove write permissions from executables

Richard Zidlicky <rz@linux-m68k.org> writes:

> Mounting the fs read only is much easier and safer - and has a long tradition.

This is not feasible as a distribution policy. You can't guarantee that
/usr/bin is on its own partition so you can mount it read only. The only
way to achieve it would be creative use of mount --bind, something which
certainly goes against tradition.

Also, the advantage of the proposed change was that it would not affect
e.g. yum upgrade. Creative use of mount --bind could perhaps achieve the
same result, but not in a way which I consider sane.

All in all I think it's a shame that the original proposal didn't work
out at this time. Having binaries owned by bin:bin does have Unix (but
not Linux AFAIK) tradition behind it.


/Benny

 
01-27-2010, 04:11 PM
Serge E. Hallyn

RFC: Remove write permissions from executables

Quoting Benny Amorsen (benny+usenet@amorsen.dk):
> Richard Zidlicky <rz@linux-m68k.org> writes:
>
> > Mounting the fs read only is much easier and safer - and has a long tradition.
>
> This is not feasible as a distribution policy. You can't guarantee that
> /usr/bin is on its own partition so you can mount it read only. The only
> way to achieve it would be creative use of mount --bind, something which
> certainly goes against tradition.
>
> Also, the advantage of the proposed change was that it would not affect
> e.g. yum upgrade. Creative use of mount --bind could perhaps achieve the
> same result, but not in a way which I consider sane.
>
> All in all I think it's a shame that the original proposal didn't work
> out at this time. Having binaries owned by bin:bin does have Unix (but
> not Linux AFAIK) tradition behind it.

And remounting ro doesn't let a task with CAP_DAC_OVERRIDE write.

-serge
 
01-27-2010, 05:22 PM
Richard Zidlicky

RFC: Remove write permissions from executables

On Wed, Jan 27, 2010 at 04:10:39PM +0100, Benny Amorsen wrote:
>
> > Mounting the fs read only is much easier and safer - and has a long tradition.
>
> This is not feasible as a distribution policy. You can't guarantee that
> /usr/bin is on its own partition so you can mount it read only.

Of course it is not guaranteed. But it is not difficult to detect, and I think
plenty of sysadmins are doing it that way. It used to have many more advantages
than just a marginal gain in security.

Fedora certainly cannot mandate this as a policy, but it would be nice if it
worked with this common setup.

> Also, the advantage of the proposed change was that it would not affect
> e.g. yum upgrade. Creative use of mount --bind could perhaps achieve the
> same result, but not in a way which I consider sane.

That would indeed be insane. But as has been mentioned, rpm could have a hook
to do some actions before and after modifying anything.

> All in all I think it's a shame that the original proposal didn't work
> out at this time. Having binaries owned by bin:bin does have Unix (but
> not Linux AFAIK) tradition behind it.

Now that you mention bin:bin, I remember the old days.

Richard
 
01-28-2010, 09:28 AM
Richard Zidlicky

RFC: Remove write permissions from executables

On Wed, Jan 27, 2010 at 11:11:41AM -0600, Serge E. Hallyn wrote:

> > All in all I think it's a shame that the original proposal didn't work
> > out at this time. Having binaries owned by bin:bin does have Unix (but
> > not Linux AFAIK) tradition behind it.
>
> And remounting ro doesn't let a task with CAP_DAC_OVERRIDE write.

A read-only fs is not necessarily a normal fs that's mounted ro. rpm could have
a hook to do whatever is necessary; it is just one program that needs modifying.
Relying on CAP_DAC_OVERRIDE has imho more potential for breakage and provides
less protection.

Richard
 
01-28-2010, 02:43 PM
Serge E. Hallyn

RFC: Remove write permissions from executables

Quoting Richard Zidlicky (rz@linux-m68k.org):
> On Wed, Jan 27, 2010 at 11:11:41AM -0600, Serge E. Hallyn wrote:
>
> > > All in all I think it's a shame that the original proposal didn't work
> > > out at this time. Having binaries owned by bin:bin does have Unix (but
> > > not Linux AFAIK) tradition behind it.
> >
> > And remounting ro doesn't let a task with CAP_DAC_OVERRIDE write.
>
> A read-only fs is not necessarily a normal fs that's mounted ro. rpm could have
> a hook to do whatever is necessary; it is just one program that needs modifying.
> Relying on CAP_DAC_OVERRIDE has imho more potential for breakage and provides
> less protection.

Oh, right, this is for /bin and /sbin only, isn't it? So a ro fs could
be good. I was thinking about /etc, which I guess isn't being considered
yet.

-serge