Jeff Schroeder wrote:
> Although unlikely, new classes of attack are occasionally uncovered.
Theoretically, nobody cares. Here's a good way to start a program:
int main() {
drop_unneeded_caps();
setuid(uidof(nobody)); // uidof? wtf?
// Not root anymore, not able to setuid(0) either
...
return 0;
}
If you can break that, you're attacking the compiler or dynamic linker
or some library initialization code. None of that code should rely on
any user input, though.
Problems, of course: first off, some people initialize before dropping
caps (please IMMEDIATELY drop caps). Some library code, etc., uses
environment variables. You just MIGHT have a break somewhere in such
code, or in the compiler, or in something that happens before _main() and
uses env vars or command line options.
So yes, point well taken; however, I just want to give anyone a boot to
the head if they don't drop caps that fast.
>
> Does anyone else think this is a good idea to investigate removing
> suid root from *some* of these binaries where it doesn't break
Yes. Do so.
The above blob of text might actually make you realize that you need to
remove suid root for *all* of the binaries or any remaining flaw will
affect *all* suid root programs. Think about it for a minute, you'll
get it.
> anything? It seems like a win win to me. The only thing different is
> that this would need to be prominently displayed somewhere in the
> server docs and the fscaps tools would need to be packaged + the MIR.
>
--
Bring back the Firefox plushy!
http://digg.com/linux_unix/Is_the_Firefox_plush_gone_for_good
https://bugzilla.mozilla.org/show_bug.cgi?id=322367
--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
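The "drop caps, then setuid, then nothing can get root back" start-up sketched above, written out as an added example. This is not code from the thread or from any Ubuntu package; the helper names (drop_all_caps, drop_to_user, drop_now, root_unreachable) are invented for illustration, the fallback of uid/gid 65534 when "nobody" is not in the passwd file is an assumption, and the capability structs are a local copy of the kernel's v3 capset ABI so that no libcap is needed. It does the steps in the order the kernel requires (supplementary groups, gid, uid, then the capability sets, then no_new_privs) and ends with the check the thread wants: setuid(0) must fail.

```c
/* Added example, not the thread's code: permanent privilege drop at program
 * start, followed by a self-check that uid 0 is no longer reachable. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Prototypes in case _GNU_SOURCE was not in effect when <unistd.h> was read. */
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);

/* Local copy of the kernel capability ABI (same layout as <linux/capability.h>, v3). */
struct cap_hdr  { unsigned int version; int pid; };
struct cap_data { unsigned int effective, permitted, inheritable; };
#define CAP_VERSION_3 0x20080522u

/* Drop the bounding set while we still have CAP_SETPCAP (i.e. while root).
 * The bounding set only limits what a later execve could gain, and
 * no_new_privs (set below) covers that too, so EPERM here is not fatal. */
static void drop_bounding_set(void)
{
    if (geteuid() != 0) return;
    for (int cap = 0; cap < 64; cap++) {
        if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) != 0)
            break;          /* EINVAL: past the last cap this kernel knows; EPERM: no CAP_SETPCAP */
    }
}

/* Clear ambient, effective, permitted and inheritable sets. Returns 0 on success. */
int drop_all_caps(void)
{
#ifdef PR_CAP_AMBIENT
    prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0); /* EINVAL on kernels < 4.3 */
#endif
    struct cap_hdr hdr = { CAP_VERSION_3, 0 };              /* pid 0: this thread */
    struct cap_data data[2] = { {0, 0, 0}, {0, 0, 0} };      /* all sets empty */
    return (int)syscall(SYS_capset, &hdr, data);            /* reducing is always allowed */
}

/* Permanently become uid/gid: groups first, then gid, then uid, setting the
 * real, effective AND saved ids so setuid(0) cannot be used to come back.
 * Finally set no_new_privs so execve of a setuid/fscaps binary cannot
 * re-escalate either. Returns 0 on success, -1 with errno set otherwise. */
int drop_to_user(uid_t uid, gid_t gid)
{
    drop_bounding_set();
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1; /* needs CAP_SETGID */
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;             /* kernel clears caps here */
    if (drop_all_caps() != 0) return -1;                      /* explicit, in case of keepcaps */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return 0;
}

/* What main() should do first: pick the unprivileged identity and drop to it.
 * Started as root (directly or via setuid), drop to "nobody"; otherwise keep
 * our own ids, which still clears caps and sets no_new_privs. */
int drop_now(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (geteuid() == 0) {
        struct passwd *pw = getpwnam("nobody");
        uid = pw ? pw->pw_uid : (uid_t)65534;   /* 65534: assumed fallback */
        gid = pw ? pw->pw_gid : (gid_t)65534;
    }
    return drop_to_user(uid, gid);
}

/* Self-check: 1 if we are not root and every way back to uid 0 fails with EPERM. */
int root_unreachable(void)
{
    if (geteuid() == 0) return 0;
    if (setresuid(0, 0, 0) == 0 || errno != EPERM) return 0;
    if (setuid(0) == 0 || errno != EPERM) return 0;
    return 1;
}

int main(void)
{
    if (drop_now() != 0) { perror("drop_now"); return 1; }
    int safe = root_unreachable();
    printf("uid=%u euid=%u root_unreachable=%d\n",
           (unsigned)getuid(), (unsigned)geteuid(), safe);
    return safe ? 0 : 1;
}
```

Run it as root and it ends up as nobody with empty capability sets; run it as a normal user and it keeps your uid but still clears caps and sets no_new_privs, and in both cases root_unreachable() reports 1. Note the order: the bounding set is dropped before the uid change because PR_CAPBSET_DROP needs CAP_SETPCAP, while the uid change itself needs CAP_SETUID, so neither step can come after the other one has removed what it needs.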
11-29-2007, 02:31 PM
Scott James Remnant
Removing SUID on binaries that don't need it
On Wed, 2007-11-28 at 21:28 -0500, John Richard Moser wrote:
> Theoretically, nobody cares. Here's a good way to start a program:
>
> int main() {
Race condition here.
> drop_unneeded_caps();
And here.
> setuid(uidof(nobody)); // uidof? wtf?
> // Not root anymore, not able to setuid(0) either
> ...
> return 0;
> }
Scott
--
Scott James Remnant
scott@ubuntu.com
11-29-2007, 06:43 PM
Phillip Susi
Removing SUID on binaries that don't need it
Scott James Remnant wrote:
> On Wed, 2007-11-28 at 21:28 -0500, John Richard Moser wrote:
>
>> Theoretically, nobody cares. Here's a good way to start a program:
>>
>> int main() {
>
> Race condition here.
>
>> drop_unneeded_caps();
>
> And here.
Huh? Where is the other thread and what are they racing for?
11-29-2007, 06:51 PM
Scott James Remnant
Removing SUID on binaries that don't need it
On Thu, 2007-11-29 at 14:43 -0500, Phillip Susi wrote:
> Scott James Remnant wrote:
> > On Wed, 2007-11-28 at 21:28 -0500, John Richard Moser wrote:
> >
> >> Theoretically, nobody cares. Here's a good way to start a program:
> >>
> >> int main() {
> >
> > Race condition here.
> >
> >> drop_unneeded_caps();
> >
> > And here.
>
> Huh? Where is the other thread and what are they racing for?
>
The other process owned by the user that ptraced you, and made you skip
the syscalls that dropped your caps.
Scott
--
Scott James Remnant
scott@ubuntu.com
11-29-2007, 08:44 PM
Phillip Susi
Removing SUID on binaries that don't need it
Scott James Remnant wrote:
> The other process owned by the user that ptraced you, and made you skip
> the syscalls that dropped your caps.
You can't ptrace suid programs.
11-29-2007, 09:21 PM
Scott James Remnant
Removing SUID on binaries that don't need it
On Thu, 2007-11-29 at 16:44 -0500, Phillip Susi wrote:
> Scott James Remnant wrote:
> > The other process owned by the user that ptraced you, and made you skip
> > the syscalls that dropped your caps.
>
> You can't ptrace suid programs.
>
*cough* I never actually read the subject. Bad me.
Scott
--
Scott James Remnant
scott@ubuntu.com
11-29-2007, 10:24 PM
John Richard Moser
Removing SUID on binaries that don't need it
Phillip Susi wrote:
> Scott James Remnant wrote:
>> The other process owned by the user that ptraced you, and made you skip
>> the syscalls that dropped your caps.
>
> You can't ptrace suid programs.
>
- You can if you're root
- Nobody cares, you're root already
- If you're using SELinux, it shouldn't let you ptrace across contexts
- If you can, somebody needs to fix your policy
- You have no caps to drop if you're not root (via SUID or other)
I think that covers about everything. There's a lot of "well this
situation lets you get away with it" that ends something like "... but
you own the box already anyway."
>
--
Bring back the Firefox plushy!
http://digg.com/linux_unix/Is_the_Firefox_plush_gone_for_good
https://bugzilla.mozilla.org/show_bug.cgi?id=322367
11-29-2007, 11:08 PM
"Jeff Schroeder"
Removing SUID on binaries that don't need it
On Nov 29, 2007 3:24 PM, John Richard Moser <nigelenki@comcast.net> wrote:
> - You can if you're root
>
> - Nobody cares, you're root already
>
> - If you're using SELinux, it shouldn't let you ptrace across contexts
>
> - If you can, somebody needs to fix your policy
>
> - You have no caps to drop if you're not root (via SUID or other)
>
> I think that covers about everything. There's a lot of "well this
> situation lets you get away with it" that ends something like "... but
> you own the box already anyway."
The point of this discussion was whether or not we should investigate
removing suid bits from binaries that don't need them, not how to write
better software.
Stripping suid might prevent that one case where buggy code or some new
class of exploit (hello dangling pointers!) allows an attacker to
gain root.
--
Jeff Schroeder
Don't drink and derive, alcohol and analysis don't mix.
http://www.digitalprognosis.com
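The audit that the thread is proposing, as an added example (not from the thread and not an Ubuntu tool): list the setuid-root binaries on a system and, for the ones that only need a single privilege, replace the bit with a file capability. The function names are invented; the replacement step assumes the libcap tools (getcap/setcap) are installed and must be run as root, and which capability a given binary needs is something you work out per binary, not something this script knows.

```sh
#!/bin/sh
# Added example, not the thread's code: find setuid binaries and swap the
# setuid bit for a file capability. Assumes libcap's getcap/setcap.

# List regular files under DIR with the setuid bit set, any owner.
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Same, but only root-owned files: the ones the thread is about.
list_suid_root() {
    find "$1" -xdev -type f -perm -4000 -user root 2>/dev/null | sort
}

# One line per setuid-root binary: path, then its current file capabilities
# as getcap prints them, or "-" if getcap is missing or reports none.
report_suid_root() {
    list_suid_root "$1" | while IFS= read -r f; do
        caps=-
        if command -v getcap >/dev/null 2>&1; then
            c=$(getcap "$f" 2>/dev/null)
            [ -n "$c" ] && caps=$c
        fi
        printf '%s\t%s\n' "$f" "$caps"
    done
}

# Replace the setuid bit on FILE with file capability CAPS, e.g.
# replace_suid_with_caps /usr/bin/ping cap_net_raw=ep
# Needs root and setcap. Returns 0 only if the bit is gone AND getcap
# confirms the capability, so a partial change is reported as failure.
replace_suid_with_caps() {
    f=$1
    caps=$2
    [ "$(id -u)" -eq 0 ] || { echo "replace_suid_with_caps: must be root" >&2; return 1; }
    [ -u "$f" ] || { echo "$f: no setuid bit to remove" >&2; return 1; }
    chmod u-s "$f" || return 1
    setcap "$caps" "$f" || return 1
    [ ! -u "$f" ] && getcap "$f" | grep -q "${caps%%[=+]*}"
}

# Optional stand-alone use: SUID_AUDIT_SCAN=/usr sh thisfile.sh
if [ -n "${SUID_AUDIT_SCAN:-}" ]; then
    report_suid_root "$SUID_AUDIT_SCAN"
fi
```

Run with SUID_AUDIT_SCAN=/ to get the list of setuid-root binaries and what, if anything, already carries file capabilities; a binary that shows up with "-" is the candidate to look at. The replacement function refuses to proceed if the bit is already gone and checks both halves of the change afterwards, because a binary left with the bit removed but no capability is a broken binary rather than a hardened one.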
11-30-2007, 02:24 AM
John Richard Moser
Removing SUID on binaries that don't need it
Jeff Schroeder wrote:
> On Nov 29, 2007 3:24 PM, John Richard Moser <nigelenki@comcast.net> wrote:
>
> The point of this discussion was whether or not we should investigate
> removing suid bits from binaries that don't need them, not how to write
> better software.
Yes, we're off-track. That happens too much.
>
> Stripping suid might prevent that 1 case where buggy code or some new
> class of exploit comes out (hello dangling pointers!) allows an attacker to
> gain root.
>
Yes, I think the original argument had that somewhere but it's been
stripped out and rehashed so much.
--
Bring back the Firefox plushy!
http://digg.com/linux_unix/Is_the_Firefox_plush_gone_for_good
https://bugzilla.mozilla.org/show_bug.cgi?id=322367