Miloslav Trmač 01-22-2010 10:19 AM

RFC: Remove write permissions from executables
 
Hello,
In Fedora 12 several daemons (e.g. dhclient) were modified to drop
unnecessary capabilities, most importantly the "dac_override"
capability, allowing the daemon to ignore file permission bits. This,
in combination with removing some permissions from important system
directories and files (such as /etc/shadow), has restricted the amount
of damage that can be done by exploiting such daemons.

We can extend the protection to all executables by a simple addition to
redhat-rpm-config (https://bugzilla.redhat.com/show_bug.cgi?id=556897 ).
After applying this patch, executable files in all rebuilt packages
would not be writeable, most often using mode 0555.

I don't expect any problems from this change (it can affect only daemons
that drop capabilities, and executables owned by other users than root);
in the unusual case where making the executable not writeable did cause
some problems, the packager could override the change by explicitly
specifying the required permissions using %attr in the %files section of
the spec file.

What do you think?

Thank you,
Mirek

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Ralf Corsepius 01-22-2010 10:36 AM

RFC: Remove write permissions from executables
 
On 01/22/2010 12:19 PM, Miloslav Trmač wrote:
> Hello,
> In Fedora 12 several daemons (e.g. dhclient) were modified to drop
> unnecessary capabilities, most importantly the "dac_override"
> capability, allowing the daemon to ignore file permission bits. This,
> in combination with removing some permissions from important system
> directories and files (such as /etc/shadow), has restricted the amount
> of damage that can be done by exploiting such daemons.
>
> We can extend the protection to all executables by a simple addition to
> redhat-rpm-config (https://bugzilla.redhat.com/show_bug.cgi?id=556897 ).
> After applying this patch, executable files in all rebuilt packages
> would not be writeable, most often using mode 0555.
>
> I don't expect any problems from this change (it can affect only daemons
> that drop capabilities, and executables owned by other users than root);
> in the unusual case where making the executable not writeable did cause
> some problems, the packager could override the change by explicitly
> specifying the required permissions using %attr in the %files section of
> the spec file.
>
> What do you think?

Bad idea.


Miloslav Trmač 01-22-2010 11:23 AM

RFC: Remove write permissions from executables
 
Ralf Corsepius writes on Fri 22. 01. 2010 at 12:36 +0100:
> On 01/22/2010 12:19 PM, Miloslav Trmač wrote:
> > We can extend the protection to all executables by a simple addition to
> > redhat-rpm-config (https://bugzilla.redhat.com/show_bug.cgi?id=556897 ).
> > After applying this patch, executable files in all rebuilt packages
> > would not be writeable, most often using mode 0555.
>
> Bad idea.
Would you mind expanding on that, please?
Mirek


"Richard W.M. Jones" 01-22-2010 01:01 PM

RFC: Remove write permissions from executables
 
On Fri, Jan 22, 2010 at 12:19:49PM +0100, Miloslav Trmač wrote:
> Hello,
> In Fedora 12 several daemons (e.g. dhclient) were modified to drop
> unnecessary capabilities, most importantly the "dac_override"
> capability, allowing the daemon to ignore file permission bits. This,
> in combination with removing some permissions from important system
> directories and files (such as /etc/shadow), has restricted the amount
> of damage that can be done by exploiting such daemons.
>
> We can extend the protection to all executables by a simple addition to
> redhat-rpm-config (https://bugzilla.redhat.com/show_bug.cgi?id=556897 ).
> After applying this patch, executable files in all rebuilt packages
> would not be writeable, most often using mode 0555.

Is it possible we could remove unreadable binaries with the same
change? See:

http://www.redhat.com/archives/rhl-devel-list/2009-October/thread.html#00987

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine. Supports Linux and Windows.
http://et.redhat.com/~rjones/virt-df/

Chris Adams 01-22-2010 01:06 PM

RFC: Remove write permissions from executables
 
Once upon a time, Miloslav Trmač <mitr@volny.cz> said:
> We can extend the protection to all executables by a simple addition to
> redhat-rpm-config (https://bugzilla.redhat.com/show_bug.cgi?id=556897 ).
> After applying this patch, executable files in all rebuilt packages
> would not be writeable, most often using mode 0555.

Please don't take away read permission without good reason. I have on
many occasions grepped for strings in binaries (who touches a particular
config file, for example).

There is no reason to remove world-read permission on something anybody
can download from their favorite mirror.
--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

Miloslav Trmač 01-22-2010 01:56 PM

RFC: Remove write permissions from executables
 
Chris Adams writes on Fri 22. 01. 2010 at 08:06 -0600:
> Once upon a time, Miloslav Trmač <mitr@volny.cz> said:
> > We can extend the protection to all executables by a simple addition to
> > redhat-rpm-config (https://bugzilla.redhat.com/show_bug.cgi?id=556897 ).
> > After applying this patch, executable files in all rebuilt packages
> > would not be writeable, most often using mode 0555.
>
> Please don't take away read permission without good reason. I have on
> many occasions grepped for strings in binaries (who touches a particular
> config file, for example).
Just to clarify, the proposal is to remove the write permission.
Mirek


Chris Adams 01-22-2010 02:02 PM

RFC: Remove write permissions from executables
 
Once upon a time, Miloslav Trmač <mitr@volny.cz> said:
> Chris Adams writes on Fri 22. 01. 2010 at 08:06 -0600:
> > Once upon a time, Miloslav Trmač <mitr@volny.cz> said:
> > > We can extend the protection to all executables by a simple addition to
> > > redhat-rpm-config (https://bugzilla.redhat.com/show_bug.cgi?id=556897 ).
> > > After applying this patch, executable files in all rebuilt packages
> > > would not be writeable, most often using mode 0555.
> >
> > Please don't take away read permission without good reason. I have on
> > many occasions grepped for strings in binaries (who touches a particular
> > config file, for example).
> Just to clarify, the proposal is to remove the write permission.

I saw "0555" and thought "0111". Sorry - my mistake.
--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

David Malcolm 01-22-2010 02:25 PM

RFC: Remove write permissions from executables
 
On Fri, 2010-01-22 at 12:19 +0100, Miloslav Trmač wrote:
> Hello,
> In Fedora 12 several daemons (e.g. dhclient) were modified to drop
> unnecessary capabilities, most importantly the "dac_override"
> capability, allowing the daemon to ignore file permission bits. This,
> in combination with removing some permissions from important system
> directories and files (such as /etc/shadow), has restricted the amount
> of damage that can be done by exploiting such daemons.
>
> We can extend the protection to all executables by a simple addition to
> redhat-rpm-config (https://bugzilla.redhat.com/show_bug.cgi?id=556897 ).
> After applying this patch, executable files in all rebuilt packages
> would not be writeable, most often using mode 0555.
>
> I don't expect any problems from this change (it can affect only daemons
> that drop capabilities, and executables owned by other users than root);
> in the unusual case where making the executable not writeable did cause
> some problems, the packager could override the change by explicitly
> specifying the required permissions using %attr in the %files section of
> the spec file.
>
> What do you think?
>
This sounds to me like:
- a promising idea
- something that affects the entire distribution
- something that could make Fedora slightly more secure, and that bit
more attractive to the more paranoid among us
- something that could break things
- something that warrants some testing
- something that suggests a full rebuild
- something that we'll want to discuss in documentation, and mention
in release notes

i.e. it seems to me like it's worth going through the Feature process
(either as a Feature or an Enhancement), if only to capture the standard
concerns there and create a URL describing the change; see:
https://fedoraproject.org/wiki/Features

Bear in mind that the deadline for requesting F13 features is in 4 days'
time (if memory serves).

How many files would be affected by the change? All executables on the
system? Would any of the language runtimes be broken by this change
(e.g. for shebang scripts?)

Hope this is helpful
Dave


Steve Grubb 01-22-2010 05:15 PM

RFC: Remove write permissions from executables
 
On Friday 22 January 2010 10:25:47 am David Malcolm wrote:
> i.e. it seems to me like it's worth going through the Feature process
> (either as a Feature or an Enhancement), if only to capture the standard
> concerns there and create a URL describing the change; see:
> https://fedoraproject.org/wiki/Features
>
> Bear in mind that the deadline for requesting F13 features is in 4 days'
> time (if memory serves).
>
> How many files would be affected by the change?

We would want to change the owner write permission bit for all executables. In
F-12 we took care of the major directories; this is phase 2 of the same
project, where we take a bigger step. Phase 1 was proving that the missing
write permission on directories won't mess up system updates. Phase 2 would do
the same to files.

> All executables on the system?

Yep.

> Would any of the language runtimes be broken by this change
> (e.g. for shebang scripts?)

Nope. You can change them all on your system right now if you want.

-Steve
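
The check and the mode change Steve describes ("you can change them all on your system right now"), covering the 0555 policy from Mirek's first post and the shebang-script question, as an added example that is not code from the thread or from redhat-rpm-config; it assumes GNU find and coreutils (the `-perm /mode` syntax), and the sample tree it builds is constructed.

```shell
#!/bin/sh
# Added example, not part of the thread: audit a directory tree for
# executables that still carry a write bit and strip it, which is what the
# proposed 0555 mode does for every file that was 0755. Assumes GNU find and
# coreutils; the sample tree in demo() is constructed.

# Print the executables under $1 that are writable by owner, group or other.
# -perm /111: any execute bit set; -perm /222: any write bit set.
list_writable_execs() {
    find "$1" -type f -perm /111 -perm /222 | sort
}

# Number of such files as a single integer (what a periodic audit would log).
count_writable_execs() {
    list_writable_execs "$1" | wc -l | tr -d ' '
}

# Remove every write bit from executables under $1. Directories are left
# alone; the thread says those were already handled in F-12.
strip_write_from_execs() {
    find "$1" -type f -perm /111 -perm /222 -exec chmod a-w {} +
}

# Build a small constructed tree and walk through the before/after state.
demo() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\necho hello\n' > "$tmp/hello.sh"
    chmod 0755 "$tmp/hello.sh"          # typical packaged script
    printf 'data\n' > "$tmp/README"
    chmod 0644 "$tmp/README"            # not executable: must be ignored
    echo "writable executables before:"; list_writable_execs "$tmp"
    strip_write_from_execs "$tmp"
    echo "writable executables after:";  list_writable_execs "$tmp"
    ls -l "$tmp/hello.sh"               # now -r-xr-xr-x
    "$tmp/hello.sh"                     # shebang script still runs as 0555
    rm -rf "$tmp"
}

demo
```

Note that root (or any process keeping CAP_DAC_OVERRIDE) can still write to a 0555 file; the bit only helps daemons that have dropped that capability, which is exactly the scope Mirek describes.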

Richard Zidlicky 01-22-2010 05:30 PM

RFC: Remove write permissions from executables
 
On Fri, Jan 22, 2010 at 01:15:02PM -0500, Steve Grubb wrote:
> On Friday 22 January 2010 10:25:47 am David Malcolm wrote:
> > i.e. it seems to me like it's worth going through the Feature process
> > (either as a Feature or an Enhancement), if only to capture the standard
> > concerns there and create a URL describing the change; see:
> > https://fedoraproject.org/wiki/Features
> >
> > Bear in mind that the deadline for requesting F13 features is in 4 days
> > time (if memory serves)
> >
> > How many files would be affected by the change?
>
> We would want to change the owner write permission bit for all executables. In
> F-12 we took care of the major directories, this is phase 2 of the same
> project where we take a bigger step. Phase 1 was proving that the missing
> write permission on directories won't mess up system updates. Phase 2 would do
> the same to files.

So one of the next steps might also be to allow some filesystems to be read-only?
It can be done manually, of course, but most of the time I am too lazy to do that.

Richard
