[Bug 682244] New: AUDIT-0: [11.5] review gnome-keyring
https://bugzilla.novell.com/show_bug.cgi?id=682244 https://bugzilla.novell.com/show_bug.cgi?id=682244#c0 Summary: AUDIT-0: [11.5] review gnome-keyring Classification: openSUSE Product: openSUSE 11.5 Version: Factory Platform: Other OS/Version: Other Status: NEW Severity: Major Priority: P5 - None Component: GNOME AssignedTo: security-team@suse.de ReportedBy: fcrozat@novell.com QAContact: qa@suse.de Found By: --- Blocker: --- in GNOME3, gnome-keyring is now shipping a setuid executable which needs a review from Security team : gnome-keyring.i586: E: permissions-file-setuid-bit (Badness: 10000) /usr/bin/gnome-keyring-daemon is packaged with setuid/setgid bits (04755) If the package is intended for inclusion in any SUSE product please open a bug report to request review of the program by the security team -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=682244
https://bugzilla.novell.com/show_bug.cgi?id=682244#c1
Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=682244
https://bugzilla.novell.com/show_bug.cgi?id=682244#c2
--- Comment #2 from Frederic Crozat
https://bugzilla.novell.com/show_bug.cgi?id=682244
https://bugzilla.novell.com/show_bug.cgi?id=682244#c3
--- Comment #3 from Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=682244
https://bugzilla.novell.com/show_bug.cgi?id=682244#c4
--- Comment #4 from Frederic Crozat
https://bugzilla.novell.com/show_bug.cgi?id=682244
https://bugzilla.novell.com/show_bug.cgi?id=682244#c5
--- Comment #5 from Frederic Crozat
https://bugzilla.novell.com/show_bug.cgi?id=682244
https://bugzilla.novell.com/show_bug.cgi?id=682244#c6
--- Comment #6 from Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=682244
https://bugzilla.novell.com/show_bug.cgi?id=682244#c7
--- Comment #7 from Vincent Untz
please package the file without fscaps and prepare the package for setuid operation as usual. The chkstat program of the permissions package will at run time automatically determine whether to turn on fscaps or use setuid. So the program should be prepared to deal with both situations.
Just to clarify, is this what you expect: - package %{_bindir}/gnome-keyring-daemon with "%verify(not mode caps)" but no specific %attr nor %caps - use a %post with: %set_permissions %{_bindir}/gnome-keyring-daemon - use a %verifyscript: %verify_permissions -e %{_bindir}/gnome-keyring-daemon As far as I can tell, the app can deal with both fscaps and setuid. However, if it's not setuid and there's no fscap, it will simply refuse to run as it considers it needs ipc_lock to operate securely (since it deals with storing passwords and other sensitive data). -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=682244
https://bugzilla.novell.com/show_bug.cgi?id=682244#c8
--- Comment #8 from Ludwig Nussel
Just to clarify, is this what you expect:
- package %{_bindir}/gnome-keyring-daemon with "%verify(not mode caps)" but no specific %attr nor %caps
- use a %post with: %set_permissions %{_bindir}/gnome-keyring-daemon
- use a %verifyscript: %verify_permissions -e %{_bindir}/gnome-keyring-daemon
Yes.
As far as I can tell, the app can deal with both fscaps and setuid. However, if it's not setuid and there's no fscap, it will simply refuse to run as it considers it needs ipc_lock to operate securely (since it deals with storing passwords and other sensitive data).
Did you try? The extra capabilities are only needed if it needs to mlock more than RLIMIT_MEMLOCK which is 64k by default. That should be enough to store quite a few passwords ;-) We may consider to increase that system wide limit too. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=682244
https://bugzilla.novell.com/show_bug.cgi?id=682244#c9
--- Comment #9 from Vincent Untz
Did you try?
vuntz@etaules ~/>gnome-keyring-daemon gnome-keyring-daemon: error getting process capabilities, aborting Interestingly, it also results in the same thing if fscap is used. Apparently, libcap-ng doesn't see any cap (capng_have_capabilities (CAPNG_SELECT_CAPS) returns CAPNG_NONE). I'm not sure if this is an issue with the code, or if we have a bigger issue with fscaps here. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=682244
https://bugzilla.novell.com/show_bug.cgi?id=682244#c10
--- Comment #10 from Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=682244
https://bugzilla.novell.com/show_bug.cgi?id=682244#c11
--- Comment #11 from Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=682244
https://bugzilla.novell.com/show_bug.cgi?id=682244#c12
--- Comment #12 from Vincent Untz
https://bugzilla.novell.com/show_bug.cgi?id=682244
https://bugzilla.novell.com/show_bug.cgi?id=682244#c13
--- Comment #13 from Vincent Untz
https://bugzilla.novell.com/show_bug.cgi?id=682244
https://bugzilla.novell.com/show_bug.cgi?id=682244#c14
--- Comment #14 from Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=682244
https://bugzilla.novell.com/show_bug.cgi?id=682244#c15
--- Comment #15 from Vincent Untz
https://bugzilla.novell.com/show_bug.cgi?id=682244
https://bugzilla.novell.com/show_bug.cgi?id=682244#c16
--- Comment #16 from Vincent Untz
https://bugzilla.novell.com/show_bug.cgi?id=682244
https://bugzilla.novell.com/show_bug.cgi?id=682244#c17
--- Comment #17 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=682244
https://bugzilla.novell.com/show_bug.cgi?id=682244#c18
--- Comment #18 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=682244
https://bugzilla.novell.com/show_bug.cgi?id=682244#c19
--- Comment #19 from Vincent Untz
FWIW, the gnome-keyring we currently have in Factory just drops nothing if not built with HAVE_LIBCAPNG.
In such case gkd_capability_obtain_capability_and_drop_privileges() is just an empty function, however the "make install" will nevertheless either set fscaps or even setuid root (depending on WITH_CAPS).
This is probably not intended behavior.
Checking this right now, this is not the case anymore: setcap is only called in "make install" if we build with libcap-ng. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=682244
https://bugzilla.novell.com/show_bug.cgi?id=682244#c20
--- Comment #20 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=682244
https://bugzilla.novell.com/show_bug.cgi?id=682244#c21
--- Comment #21 from Vincent Untz
Ok, but we'd prefer to not have any caps at all, see comment#14.
We do not package the file with caps, so there's no caps by default. This is why we get this warning on startup: gnome-keyring-daemon: insufficient process capabilities, unsecure memory might get used I still believe it'd be good to have ipc_lock cap for /usr/bin/gnome-keyring-daemon since it's handling all the secrets for each user, and there might be cases where the 64k limit mentioned in comment 14 is too low. What is the downside of adding ipc_lock for this binary? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@novell.com