[Bug 540966] New: unscd still runs as user nobody
http://bugzilla.novell.com/show_bug.cgi?id=540966

Summary: unscd still runs as user nobody
Classification: openSUSE
Product: openSUSE 11.2
Version: Milestone 7
Platform: Other
OS/Version: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Basesystem
AssignedTo: pbaudis@novell.com
ReportedBy: lnussel@novell.com
QAContact: qa@suse.de
CC: security-team@suse.de
Found By: ---

unscd still runs as user nobody, please use a dedicated user for that task.

--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=540966

User suse@tlinx.org added comment
http://bugzilla.novell.com/show_bug.cgi?id=540966#c1

--- Comment #1 from L. A. Walsh <suse@tlinx.org> 2009-10-09 12:46:52 PDT ---
Created an attachment (id=321881)
 --> (http://bugzilla.novell.com/attachment.cgi?id=321881)
pretty much stock nscd.conf with nscd user and log file moved

http://bugzilla.novell.com/show_bug.cgi?id=540966

User suse@tlinx.org added comment
http://bugzilla.novell.com/show_bug.cgi?id=540966#c2

L. A. Walsh <suse@tlinx.org> changed:

What       |Removed            |Added
----------------------------------------------------------------------------
Keywords   |                   |security_vulnerability, Systemic
Priority   |P5 - None          |P3 - Medium
CC         |                   |suse@tlinx.org
AssignedTo |pbaudis@novell.com |bnc-team-screening@forge.provo.novell.com

--- Comment #2 from L. A. Walsh <suse@tlinx.org> 2009-10-09 13:05:59 PDT ---
I have nscd running as user.group=nscd.nscd on my system.

Also note -- I would be filing this against 11.1, as that is what I am
running. But it is, apparently, still a problem in 11.2.

Adding keywords 'security_vulnerability' even though it is somewhat minor --
it's a violation of good practice to run multiple daemons as 'nobody.nobody'.
It's also a 'Systemic' problem (occurs with other daemons).

Request: Please, during install, create a small script to find next location
in 'system' allocation block where uid=gid='free', and create them both with
the same number. It makes for later accounting/tracking MUCH simpler. :-)

Attaching my /etc/nscd.conf -- but it is nothing special -- the main things to
note are
1) I have server-user = nscd
2) I have the log-dir in a subdir.

Not noted in the nscd.conf (but noted below), the 'run' file is also in its
own subdir under /var/run -- also owned by nscd.nscd, that way nscd can
happily create and delete its run and log files as an unprivileged user.
Such a happy little camper!

I also, BTW, set 'stat-user' = to a local, unprivileged user that I usually
log in with so I could 'stat' nscd without having to "sudo to root" -- this
could be a security 'bonus' (not needing root to 'stat' nscd), or a security
'hole' (an unprivileged user being able to stat nscd). Can't really see the
downside, so it's more likely a bonus than a 'hole'..:-)

The rc and conf scripts require:
1) user.group == nscd.nscd be created by install
2) NOTE install script must not use -u option to startproc, or nscd will exit
   with failure (won't be able to switch itself to 'nscd' and its associated
   groups)
3) default perms on /var/run/nscd/socket need to be set to
     /var/run/nscd/        nscd:nscd 755
     /var/run/nscd/socket  nscd:nscd 666

***** ****NOTE **** -- this "invalidates" the comment in the 'rc-script' in
line 75 and **** eliminates the need for the 'rm' following it:
-------------
 72    stop)
 73      echo -n "Shutting down Name Service Cache Daemon"
 74      /sbin/killproc -p $NSCD_PID -TERM $NSCD_BIN
 75      # if nscd does not run as root, it cannot remove this files:
 76      rm -f /var/run/nscd/socket $NSCD_PID
 77      rc_status -v
 78      ;;
-------------

It's currently set to be owned by root.

/etc/permissions{X} changes:
(Using bits rwx=421 (in case my memory is faulty, documenting my assumption):
for ugo:)

3) /etc/permissions should have: (allow all read/write access - normal)
     /var/run/nscd         set to nscd:nscd 3755
     /var/run/nscd/socket  to nscd:nscd 666
4) /etc/permissions.secure to
     /var/run/nscd/        set to nscd:nscd 3751
     /var/run/nscd/socket  to nscd:nscd 666
   (Requires users be in group nscd to read dir contents but others would
   still be able to use nscd).
5) /etc/permissions.paranoid to:
     /var/run/nscd/        set to nscd:nscd 3710
     /var/run/nscd/socket  to nscd:nscd 660
   (no one can see contents of dir except root & user nscd; ONLY users in
   group nscd dir can use the nscd caching daemon) - others get whatever
   other defaults are configured in /etc/nsswitch...

NOTE: I haven't tested the 'secure' or 'paranoid' settings
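
Comment #2 asks for an install-time script that finds the next number in the 'system' allocation block that is free as both a uid and a gid. A sketch of that lookup follows, as an added example that is not part of the bug report or of any openSUSE package; the names next_free_system_id and demo, the 100-499 default range and the sample passwd/group entries are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the bug report): find the lowest id that is unused
# both as a uid in a passwd-format file and as a gid in a group-format file,
# so a daemon account such as nscd and its group can share one number.

# usage: next_free_system_id PASSWD_FILE GROUP_FILE [MIN] [MAX]
# MIN/MAX default to 100-499, an assumed "system" block; use the range
# your distribution actually reserves for system accounts.
next_free_system_id() {
    passwd_file=$1 group_file=$2 min=${3:-100} max=${4:-499}
    awk -F: -v min="$min" -v max="$max" '
        # Field 3 holds the numeric id in both passwd(5) and group(5).
        # Comment lines and NIS compat lines ("+::::::") are skipped.
        !/^#/ && $3 ~ /^[0-9]+$/ { used[$3 + 0] = 1 }
        END {
            for (id = min + 0; id <= max + 0; id++)
                if (!(id in used)) { print id; exit 0 }
            exit 1      # block exhausted: caller must not create the account
        }' "$passwd_file" "$group_file"
}

# Runs the lookup on constructed sample files (not from a real system).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'messagebus:x:100:101::/var/run/dbus:/bin/false' \
        'ntp:x:102:103::/var/lib/ntp:/bin/false' > "$dir/passwd"
    printf '%s\n' 'root:x:0:' 'messagebus:x:101:' 'ntp:x:103:' \
        'uucp:x:104:' > "$dir/group"
    # 101 is free as a uid but taken as a gid, so it is skipped;
    # the first number free in both files is returned instead.
    if next_free_system_id "$dir/passwd" "$dir/group" 100 499; then
        status=0
    else
        status=1
    fi
    rm -rf "$dir"
    return "$status"
}

demo
```

An install script would pass the returned number to both `groupadd -g` and `useradd -u`, and abort when the function returns non-zero.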

http://bugzilla.novell.com/show_bug.cgi?id=540966

L. A. Walsh <suse@tlinx.org> changed:

What    |Removed                          |Added
----------------------------------------------------------------------------
Summary |unscd still runs as user nobody  |nscd still runs as user nobody (11.1, 11.2)

http://bugzilla.novell.com/show_bug.cgi?id=540966

User meissner@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=540966#c3

Marcus Meissner <meissner@novell.com> changed:

What       |Removed                                     |Added
----------------------------------------------------------------------------
Keywords   |security_vulnerability, Systemic            |
AssignedTo |bnc-team-screening@forge.provo.novell.com   |pbaudis@novell.com
Summary    |nscd still runs as user nobody (11.1, 11.2) |unscd still runs as user nobody (also nscd does)

--- Comment #3 from Marcus Meissner <meissner@novell.com> 2009-10-09 15:25:26 MDT ---
Please do not hijack our bugs, open new ones!!!

Adjusted things back to where they fit.

unscd still needs to be fixed.

http://bugzilla.novell.com/show_bug.cgi?id=540966

User pbaudis@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=540966#c4

Petr Baudis <pbaudis@novell.com> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |RESOLVED
Resolution |        |WONTFIX

--- Comment #4 from Petr Baudis <pbaudis@novell.com> 2009-11-10 08:09:20 MST ---
Actually, I have realized why unscd must be run as root - it's necessary for
NIS setups where without root, you will not get passwords in the passwd
queries. As long as we want to support NIS by default, we probably need to
keep unscd running as root.

http://bugzilla.novell.com/show_bug.cgi?id=540966

User suse@tlinx.org added comment
http://bugzilla.novell.com/show_bug.cgi?id=540966#c5

L. A. Walsh <suse@tlinx.org> changed:

What       |Removed  |Added
----------------------------------------------------------------------------
Status     |RESOLVED |REOPENED
Resolution |WONTFIX  |

--- Comment #5 from L. A. Walsh <suse@tlinx.org> 2009-11-10 10:13:29 PST ---
This bug isn't about nscd running as root. It's about nscd running as user
'nobody' vs. a differentiated user.

nscd has never run as root AFAIK, and if it did, that would be a good reason
not to run it, since regular, non-root users can look up their password when
logging in without being root.

Requiring a long-running daemon to be 'root' provides a whole new attack
surface in regards to security. You can't just make a change to run it as
root without a thorough security review of nscd. I don't get the feeling that
it was designed with security in mind, but I may be wrong.

If nscd needs to run as root, that should be a separate bug -- please don't
hijack closing this bug with a need to run nscd as root, as that would be new
functionality.

http://bugzilla.novell.com/show_bug.cgi?id=540966

User pbaudis@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=540966#c6

Petr Baudis <pbaudis@novell.com> changed:

What       |Removed  |Added
----------------------------------------------------------------------------
Status     |REOPENED |RESOLVED
Resolution |         |FIXED

--- Comment #6 from Petr Baudis <pbaudis@novell.com> 2009-11-13 15:52:29 MST ---
There is no reason not to run nscd as root, since even root uses nscd for name
resolution, so you can very easily gain control of the system from nscd anyway
if you find any bug.

It is actually a bug that unscd is not running as root by default on 11.2.
Change committed to Base:System, but this matters only in obscure cases
related to NIS; I will include it in a maintenance update concerning more
important unscd problems.

http://bugzilla.novell.com/show_bug.cgi?id=540966

User pbaudis@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=540966#c7

--- Comment #7 from Petr Baudis <pbaudis@novell.com> 2009-11-13 15:55:56 MST ---
(Note for absolute clarity: The bug is marked as FIXED while in fact a
different change than the proposed one was made - the user unscd is running on
was changed from 'nobody', but to 'root' instead of 'nscd'.)

http://bugzilla.novell.com/show_bug.cgi?id=540966

User suse@tlinx.org added comment
http://bugzilla.novell.com/show_bug.cgi?id=540966#c8

L. A. Walsh <suse@tlinx.org> changed:

What     |Removed |Added
----------------------------------------------------------------------------
Keywords |        |security
Platform |Other   |x86-64
Flag     |        |CCB_Review?

--- Comment #8 from L. A. Walsh <suse@tlinx.org> 2009-11-13 19:30:53 PST ---
That sounds more like a bug with NIS -- how does a normal user login when they
are not root? -- I.e. if nscd is NOT running, how does a normal user query NIS
as 'root'?

The manpage for nscd specifically says that it does NOT cache /etc/shadow,
with the implication being that it doesn't do so for security reasons. If it
is not caching /etc/shadow for security, then lookups achieve no benefit by
going through nscd -- and there is no reason for it to be 'root'.

Why is it called 'unscd' when it runs as 'nscd' in opensuse? Is there some
other version of the product where it is installed and runs as unscd? Maybe
these two names should not be assumed to be the same version of the product,
and maybe the unscd version runs in an environment with different needs than
the nscd version of the product.

The nscd version of the product runs just fine as user "nscd" -- a normal,
unprivileged user. There have been no complaints or bug reports that I'm aware
of about nscd not working.

Are passwds even being checked through nscd? Perhaps the pam-password
verification library calls don't even go through nscd because it does not
cache /etc/shadow -- so there would be no benefit making some extra round trip
through nscd to get to NIS or /etc/shadow.

If it's not broken in 11.1 or 11.2, then why has no one complained about it
not running as 'root'? People want it to be more secure by running as its own
user 'nscd', NOT less secure by running it as root.

I'm not reopening this at this point, as it would be pointless unless we
figure out why it is working as NOT-root on 11.1 and 11.2 (and probably 11.0,
though I know it's running as root on 10.3).

It's not that there's a known problem with nscd, but it's a matter of
principle of running "more" programs with full privilege. It increases the
attack surface of the TCB and is not desirable from a security standpoint.

I'd like someone in security to review the necessity of this running as root
when it has been working without problems in 11.1/.2 as non-root.

http://bugzilla.novell.com/show_bug.cgi?id=540966

User pbaudis@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=540966#c9

--- Comment #9 from Petr Baudis <pbaudis@novell.com> 2009-11-14 02:26:17 MST ---
Now wait, in 11.1, nscd is still running as root, it was the change from nscd
to unscd that caused this.

nscd is a daemon that can be provided by two compatible implementations, glibc
nscd and unscd; up to 11.1 we used glibc nscd, from 11.2 on we switched to
unscd because the implementation is much simpler and more stable. It's like
awk could be both gawk or mawk - multiple implementations share the same name.

You are repeating things about attack surfaces and such, but you haven't
pointed out _why_ does nscd running as root increase any risk, given its vital
function in the system anyway. Heck, just make it resolve your username to uid
0 if you get control over it, and log in, and you are root anyway. It does not
matter at all what user is nscd running on, if it breaks down the local
security of the whole system is violated.

Finally, the reason to run it as root is NIS. Normally, everything works as
expected, but the special scenario is passwd.adjunct; this is a special Sun
invention that seems to pre-date shadow and is still in use at some places, a
separate database that is to be interpolated with passwd to get passwords for
users within nss_nis; normally, the NIS server will serve passwd.adjunct
information only when originating port is <1024, which only nss_nis running as
root can arrange; if nscd is not root, passwords don't appear in the passwd
database and you can't log in anymore.

Yes, the whole thing is fairly crappy from the security standpoint, but some
users still use it, and MY WHOLE POINT is that this does not cost us anything
since THIS DOES NOT INCREASE ANY RISKS, the risks are big enough already
anyway - you need to specifically address this point if you want to argue
further.

http://bugzilla.novell.com/show_bug.cgi?id=540966
http://bugzilla.novell.com/show_bug.cgi?id=540966#c11

Swamp Workflow Management <swamp@suse.com> changed:

What              |Removed |Added
----------------------------------------------------------------------------
Status Whiteboard |        |maint:released:11.2:30335

--- Comment #11 from Swamp Workflow Management <swamp@suse.com> 2010-02-01 11:58:10 UTC ---
Update released for: unscd, unscd-debuginfo, unscd-debugsource
Products:
openSUSE 11.2 (debug, i586, x86_64)