11-29-2007, 01:28 AM
John Richard Moser

Removing SUID on binaries that don't need it

Jeff Schroeder wrote:
> Although unlikely, new classes of attack are occasionally uncovered.

Theoretically, nobody cares. Here's a good way to start a program:

    int main() {
        drop_unneeded_caps();
        setuid(uidof(nobody)); // uidof? wtf?
        // Not root anymore, not able to setuid(0) either
        ...
        return 0;
    }

If you can break that, you're attacking the compiler or dynamic linker
or some library initialization code. None of such code should rely on
any user input though.

Problems of course, first off some people initialize before dropping
caps (please IMMEDIATELY drop caps). Some library code etc uses
environment variables. You just MIGHT have a break somewhere in such
code or in the compiler or something that happens before _main() and
uses env vars or command line options.

So yes, point well taken; however, I just want to give anyone a boot to
the head if they don't drop caps that fast.

>
> Does anyone else think this is a good idea to investigate removing
> suid root from *some* of these binaries where it doesn't break

Yes. Do so.

The above blob of text might actually make you realize that you need to
remove suid root for *all* of the binaries or any remaining flaw will
affect *all* suid root programs. Think about it for a minute, you'll
get it.

> anything? It seems like a win win to me. The only thing different is
> that this would need to be prominently displayed somewhere in the
> server docs and the fscaps tools would need to be packaged + the MIR.
>

--
Bring back the Firefox plushy!
http://digg.com/linux_unix/Is_the_Firefox_plush_gone_for_good
https://bugzilla.mozilla.org/show_bug.cgi?id=322367

--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
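
Added example, not part of the thread: one way to write the "drop immediately, then confirm root cannot be regained" start-up sequence sketched in the first post. It assumes a SUID-root binary that drops to the invoking user's real UID/GID rather than to `nobody`; the function names `drop_privileges` and `privileges_fully_dropped` are hypothetical.

```c
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 only if all IDs equal the target and root cannot be regained. */
int privileges_fully_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    /* A saved set-user-ID of 0 would let these calls succeed, so any
     * success here means the drop was only temporary. */
    if (uid != 0) {
        if (setuid(0) == 0 || seteuid(0) == 0)
            return 0;
        if (gid != 0 && (setgid(0) == 0 || setegid(0) == 0))
            return 0;
    }
    return 1;
}

/* Permanently become uid/gid. Order matters: supplementary groups and GID
 * must change while the process still has the privilege to change them. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)   /* as root this sets real, effective and saved */
        return -1;
    if (setuid(uid) != 0)   /* never ignore the return value */
        return -1;
    return privileges_fully_dropped(uid, gid) ? 0 : -1;
}

int main(void)
{
    /* First statement: nothing reads argv, env or files while still root. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("drop_privileges");
        abort();            /* fail closed rather than continue as root */
    }
    printf("running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

The check covers UIDs and GIDs only; capabilities granted to a non-root process through file capabilities are not inspected here and need `libcap` to examine.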
 
11-29-2007, 02:31 PM
Scott James Remnant

Removing SUID on binaries that don't need it

On Wed, 2007-11-28 at 21:28 -0500, John Richard Moser wrote:

> Theoretically, nobody cares. Here's a good way to start a program:
>
> int main() {

Race condition here.

> drop_unneeded_caps();

And here.

> setuid(uidof(nobody)); // uidof? wtf?
> // Not root anymore, not able to setuid(0) either
> ...
> return 0;
> }

Scott
--
Scott James Remnant
scott@ubuntu.com
 
11-29-2007, 06:43 PM
Phillip Susi

Removing SUID on binaries that don't need it

Scott James Remnant wrote:
> On Wed, 2007-11-28 at 21:28 -0500, John Richard Moser wrote:
>
>> Theoretically, nobody cares. Here's a good way to start a program:
>>
>> int main() {
>
> Race condition here.
>
>> drop_unneeded_caps();
>
> And here.

Huh? Where is the other thread and what are they racing for?


 
11-29-2007, 06:51 PM
Scott James Remnant

Removing SUID on binaries that don't need it

On Thu, 2007-11-29 at 14:43 -0500, Phillip Susi wrote:

> Scott James Remnant wrote:
> > On Wed, 2007-11-28 at 21:28 -0500, John Richard Moser wrote:
> >
> >> Theoretically, nobody cares. Here's a good way to start a program:
> >>
> >> int main() {
> >
> > Race condition here.
> >
> >> drop_unneeded_caps();
> >
> > And here.
>
> Huh? Where is the other thread and what are they racing for?
>
The other process owned by the user that ptraced you, and made you skip
the syscalls that dropped your caps.

Scott
--
Scott James Remnant
scott@ubuntu.com
 
11-29-2007, 08:44 PM
Phillip Susi

Removing SUID on binaries that don't need it

Scott James Remnant wrote:
> The other process owned by the user that ptraced you, and made you skip
> the syscalls that dropped your caps.

You can't ptrace suid programs.


 
11-29-2007, 09:21 PM
Scott James Remnant

Removing SUID on binaries that don't need it

On Thu, 2007-11-29 at 16:44 -0500, Phillip Susi wrote:

> Scott James Remnant wrote:
> > The other process owned by the user that ptraced you, and made you skip
> > the syscalls that dropped your caps.
>
> You can't ptrace suid programs.
>
*cough* I never actually read the subject. Bad me.

Scott
--
Scott James Remnant
scott@ubuntu.com
 
11-29-2007, 10:24 PM
John Richard Moser

Removing SUID on binaries that don't need it

Phillip Susi wrote:
> Scott James Remnant wrote:
>> The other process owned by the user that ptraced you, and made you skip
>> the syscalls that dropped your caps.
>
> You can't ptrace suid programs.
>

- You can if you're root

- Nobody cares, you're root already

- If you're using SELinux, it shouldn't let you ptrace across contexts

- If you can, somebody needs to fix your policy

- You have no caps to drop if you're not root (via SUID or other)

I think that covers about everything. There's a lot of "well this
situation lets you get away with it" that ends something like "... but
you own the box already anyway."

>

--
Bring back the Firefox plushy!
http://digg.com/linux_unix/Is_the_Firefox_plush_gone_for_good
https://bugzilla.mozilla.org/show_bug.cgi?id=322367

 
11-29-2007, 11:08 PM
"Jeff Schroeder"

Removing SUID on binaries that don't need it

On Nov 29, 2007 3:24 PM, John Richard Moser <nigelenki@comcast.net> wrote:
> - You can if you're root
>
> - Nobody cares, you're root already
>
> - If you're using SELinux, it shouldn't let you ptrace across contexts
>
> - If you can, somebody needs to fix your policy
>
> - You have no caps to drop if you're not root (via SUID or other)
>
> I think that covers about everything. There's a lot of "well this
> situation lets you get away with it" that ends something like "... but
> you own the box already anyway."

The point of this discussion was whether or not we should investigate
removing suid bits from binaries that don't need them, not how to write
better software.

Stripping suid might prevent that 1 case where buggy code or some new
class of exploit comes out (hello dangling pointers!) allows an attacker to
gain root.

--
Jeff Schroeder

Don't drink and derive, alcohol and analysis don't mix.
http://www.digitalprognosis.com

 
11-30-2007, 02:24 AM
John Richard Moser

Removing SUID on binaries that don't need it

Jeff Schroeder wrote:
> On Nov 29, 2007 3:24 PM, John Richard Moser <nigelenki@comcast.net> wrote:
>
> The point of this discussion was whether or not we should investigate
> removing suid bits from binaries that don't need them, not how to write
> better software.

Yes, we're off-track. That happens too much.

>
> Stripping suid might prevent that 1 case where buggy code or some new
> class of exploit comes out (hello dangling pointers!) allows an attacker to
> gain root.
>

Yes, I think the original argument had that somewhere but it's been
stripped out and rehashed so much.

--
Bring back the Firefox plushy!
http://digg.com/linux_unix/Is_the_Firefox_plush_gone_for_good
https://bugzilla.mozilla.org/show_bug.cgi?id=322367

 
