Old 01-22-2010, 10:19 AM
Miloslav Trmač
 
Default RFC: Remove write permissions from executables

Hello,
In Fedora 12 several daemons (e.g. dhclient) were modified to drop
unnecessary capabilities, most importantly the "dac_override"
capability, allowing the daemon to ignore file permission bits. This,
in combination with removing some permissions from important system
directories and files (such as /etc/shadow), has restricted the amount
of damage that can be done by exploiting such daemons.

We can extend the protection to all executables by a simple addition to
redhat-rpm-config (https://bugzilla.redhat.com/show_bug.cgi?id=556897 ).
After applying this patch, executable files in all rebuilt packages
would not be writeable, most often using mode 0555.

I don't expect any problems from this change (it can affect only daemons
that drop capabilities, and executables owned by other users than root);
in the unusual case where making the executable not writeable did cause
some problems, the packager could override the change by explicitly
specifying the required permissions using %attr in the %files section of
the spec file.

What do you think?

Thank you,
Mirek

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
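
An added illustration of the proposal above (not part of the original post, and not the redhat-rpm-config patch itself): a report-only audit that lists executables that still carry a write bit, with the mode each would have once the write bits are cleared. It assumes GNU find and stat, and assumes "not writeable" means clearing all three write bits (octal 0222); the function names and the sample tree are constructed for the example.

```shell
#!/bin/sh
# Added example: report-only audit, nothing on disk is changed.
# Assumption: "not writeable" = clear owner/group/other write bits (0222).

# strip_write MODE -> MODE with every write bit cleared, e.g. 755 -> 0555.
strip_write() {
    printf '%04o\n' $(( 0$1 & ~0222 ))
}

# audit_writable_exec DIR -> one line per regular file under DIR that has
# at least one execute bit and at least one write bit:
#   PATH CURRENT_MODE -> MODE_WITHOUT_WRITE_BITS
# File names containing newlines are not handled.
audit_writable_exec() {
    dir=$1
    find "$dir" -xdev -type f -perm /111 -perm /222 \
        -exec stat -c '%a %n' {} + |
    while read -r mode path; do
        printf '%s %s -> %s\n' "$path" "$mode" "$(strip_write "$mode")"
    done
}

# make_sample -> path of a temporary directory holding constructed files
# (not real packaged binaries) for a dry run:
#   f0755, f0750  executable and writable   -> reported
#   f0555         executable, not writable  -> skipped
#   f0644         writable, not executable  -> skipped
make_sample() {
    d=$(mktemp -d)
    for m in 0755 0555 0644 0750; do
        : > "$d/f$m" && chmod "$m" "$d/f$m"
    done
    echo "$d"
}

# Stand-alone use: sh audit.sh /usr/sbin
if [ "$#" -gt 0 ]; then
    audit_writable_exec "$1"
fi
```

A packaged file that shows up in the report after a rebuild would be one whose spec file sets its mode explicitly with %attr, the override the post mentions.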
 
Old 01-22-2010, 10:36 AM
Ralf Corsepius
 
Default RFC: Remove write permissions from executables

On 01/22/2010 12:19 PM, Miloslav Trmač wrote:
> Hello,
> In Fedora 12 several daemons (e.g. dhclient) were modified to drop
> unnecessary capabilities, most importantly the "dac_override"
> capability, allowing the daemon to ignore file permission bits. This,
> in combination with removing some permissions from important system
> directories and files (such as /etc/shadow), has restricted the amount
> of damage that can be done by exploiting such daemons.
>
> We can extend the protection to all executables by a simple addition to
> redhat-rpm-config (https://bugzilla.redhat.com/show_bug.cgi?id=556897 ).
> After applying this patch, executable files in all rebuilt packages
> would not be writeable, most often using mode 0555.
>
> I don't expect any problems from this change (it can affect only daemons
> that drop capabilities, and executables owned by other users than root);
> in the unusual case where making the executable not writeable did cause
> some problems, the packager could override the change by explicitly
> specifying the required permissions using %attr in the %files section of
> the spec file.
>
> What do you think?

Bad idea.

 
Old 01-22-2010, 11:23 AM
Miloslav Trmač
 
Default RFC: Remove write permissions from executables

Ralf Corsepius wrote on Fri, 22. 01. 2010 at 12:36 +0100:
> On 01/22/2010 12:19 PM, Miloslav Trmač wrote:
> > We can extend the protection to all executables by a simple addition to
> > redhat-rpm-config (https://bugzilla.redhat.com/show_bug.cgi?id=556897 ).
> > After applying this patch, executable files in all rebuilt packages
> > would not be writeable, most often using mode 0555.
>
> Bad idea.
Would you mind expanding on that, please?
Mirek

 
Old 01-22-2010, 01:01 PM
"Richard W.M. Jones"
 
Default RFC: Remove write permissions from executables

On Fri, Jan 22, 2010 at 12:19:49PM +0100, Miloslav Trmač wrote:
> Hello,
> In Fedora 12 several daemons (e.g. dhclient) were modified to drop
> unnecessary capabilities, most importantly the "dac_override"
> capability, allowing the daemon to ignore file permission bits. This,
> in combination with removing some permissions from important system
> directories and files (such as /etc/shadow), has restricted the amount
> of damage that can be done by exploiting such daemons.
>
> We can extend the protection to all executables by a simple addition to
> redhat-rpm-config (https://bugzilla.redhat.com/show_bug.cgi?id=556897 ).
> After applying this patch, executable files in all rebuilt packages
> would not be writeable, most often using mode 0555.

Is it possible we could remove unreadable binaries with the same
change? See:

http://www.redhat.com/archives/rhl-devel-list/2009-October/thread.html#00987

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine. Supports Linux and Windows.
http://et.redhat.com/~rjones/virt-df/
 
Old 01-22-2010, 01:06 PM
Chris Adams
 
Default RFC: Remove write permissions from executables

Once upon a time, Miloslav Trmač <mitr@volny.cz> said:
> We can extend the protection to all executables by a simple addition to
> redhat-rpm-config (https://bugzilla.redhat.com/show_bug.cgi?id=556897 ).
> After applying this patch, executable files in all rebuilt packages
> would not be writeable, most often using mode 0555.

Please don't take away read permission without good reason. I have on
many occasions grepped for strings in binaries (who touches a particular
config file for example).

There is no reason to remove world-read permission on something anybody
can download from their favorite mirror.
--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
 
Old 01-22-2010, 01:56 PM
Miloslav Trmač
 
Default RFC: Remove write permissions from executables

Chris Adams wrote on Fri, 22. 01. 2010 at 08:06 -0600:
> Once upon a time, Miloslav Trmač <mitr@volny.cz> said:
> > We can extend the protection to all executables by a simple addition to
> > redhat-rpm-config (https://bugzilla.redhat.com/show_bug.cgi?id=556897 ).
> > After applying this patch, executable files in all rebuilt packages
> > would not be writeable, most often using mode 0555.
>
> Please don't take away read permission without good reason. I have on
> many occasions grepped for strings in binaries (who touches a particular
> config file for example).
Just to clarify, the proposal is to remove the write permission.
Mirek

 
Old 01-22-2010, 02:02 PM
Chris Adams
 
Default RFC: Remove write permissions from executables

Once upon a time, Miloslav Trmač <mitr@volny.cz> said:
> Chris Adams wrote on Fri, 22. 01. 2010 at 08:06 -0600:
> > Once upon a time, Miloslav Trmač <mitr@volny.cz> said:
> > > We can extend the protection to all executables by a simple addition to
> > > redhat-rpm-config (https://bugzilla.redhat.com/show_bug.cgi?id=556897 ).
> > > After applying this patch, executable files in all rebuilt packages
> > > would not be writeable, most often using mode 0555.
> >
> > Please don't take away read permission without good reason. I have on
> > many occasions grepped for strings in binaries (who touches a particular
> > config file for example).
> Just to clarify, the proposal is to remove the write permission.

I saw "0555" and thought "0111". Sorry - my mistake.
--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
 
Old 01-22-2010, 02:25 PM
David Malcolm
 
Default RFC: Remove write permissions from executables

On Fri, 2010-01-22 at 12:19 +0100, Miloslav Trmač wrote:
> Hello,
> In Fedora 12 several daemons (e.g. dhclient) were modified to drop
> unnecessary capabilities, most importantly the "dac_override"
> capability, allowing the daemon to ignore file permission bits. This,
> in combination with removing some permissions from important system
> directories and files (such as /etc/shadow), has restricted the amount
> of damage that can be done by exploiting such daemons.
>
> We can extend the protection to all executables by a simple addition to
> redhat-rpm-config (https://bugzilla.redhat.com/show_bug.cgi?id=556897 ).
> After applying this patch, executable files in all rebuilt packages
> would not be writeable, most often using mode 0555.
>
> I don't expect any problems from this change (it can affect only daemons
> that drop capabilities, and executables owned by other users than root);
> in the unusual case where making the executable not writeable did cause
> some problems, the packager could override the change by explicitly
> specifying the required permissions using %attr in the %files section of
> the spec file.
>
> What do you think?
>
This sounds to me like:
- a promising idea
- something that affects the entire distribution
- something that could make Fedora slightly more secure, and that bit
more attractive to the more paranoid among us
- something that could break things
- something that warrants some testing
- something that suggests a full rebuild
- something that we'll want to discuss in documentation, and mention
in release notes

i.e. it seems to me like it's worth going through the Feature process
(either as a Feature or an Enhancement), if only to capture the standard
concerns there and create a URL describing the change; see:
https://fedoraproject.org/wiki/Features

Bear in mind that the deadline for requesting F13 features is in 4 days'
time (if memory serves).

How many files would be affected by the change? All executables on the
system? Would any of the language runtimes be broken by this change
(e.g. for shebang scripts?)

Hope this is helpful
Dave

 
Old 01-22-2010, 05:15 PM
Steve Grubb
 
Default RFC: Remove write permissions from executables

On Friday 22 January 2010 10:25:47 am David Malcolm wrote:
> i.e. it seems to me like it's worth going through the Feature process
> (either as a Feature or an Enhancement), if only to capture the standard
> concerns there and create a URL describing the change; see:
> https://fedoraproject.org/wiki/Features
>
> Bear in mind that the deadline for requesting F13 features is in 4 days'
> time (if memory serves).
>
> How many files would be affected by the change?

We would want to change the owner write permission bit for all executables. In
F-12 we took care of the major directories, this is phase 2 of the same
project where we take a bigger step. Phase 1 was proving that the missing
write permission on directories won't mess up system updates. Phase 2 would do
the same to files.

> All executables on the system?

Yep.

> Would any of the language runtimes be broken by this change
> (e.g. for shebang scripts?)

Nope. You can change them all on your system right now if you want.

-Steve
 
Old 01-22-2010, 05:30 PM
Richard Zidlicky
 
Default RFC: Remove write permissions from executables

On Fri, Jan 22, 2010 at 01:15:02PM -0500, Steve Grubb wrote:
> On Friday 22 January 2010 10:25:47 am David Malcolm wrote:
> > i.e. it seems to me like it's worth going through the Feature process
> > (either as a Feature or an Enhancement), if only to capture the standard
> > concerns there and create a URL describing the change; see:
> > https://fedoraproject.org/wiki/Features
> >
> > Bear in mind that the deadline for requesting F13 features is in 4 days'
> > time (if memory serves).
> >
> > How many files would be affected by the change?
>
> We would want to change the owner write permission bit for all executables. In
> F-12 we took care of the major directories, this is phase 2 of the same
> project where we take a bigger step. Phase 1 was proving that the missing
> write permission on directories won't mess up system updates. Phase 2 would do
> the same to files.

So one of the next steps might also be to allow some filesystems to be read-only?
Can be done manually of course but most of the time I am too lazy to do that.

Richard
 

All times are GMT.