April 2014 - openSUSE Factory - openSUSE Mailing Lists

[opensuse-factory] Re: Security issue: Proposal to revert to '/' on sep. part. from /usr,/home,/tmp,/var, etc
by Linda Walsh 02 Apr '14

02 Apr '14

Claudio Freire wrote: > Excuse the top posting, on a cell here and it's difficult to bottom post. --- Most gui email programs make it easier to put the most recent stuff at the top -- organizing a timeline from most-recent - older as you go down. Professions that need things organized chronologically tend to use this (medical, legal). Only those who think every detail is important, all the time, for everyone, force bottom posting. > I don't think patching the bare minimum is a good idea in this case... > the more restricting the rules are the less likely the issue remains > exploitable in yet unknown ways. --- Get rid of root entirely -- no exploits... Maybe cut the power as well. Let's take no halfway measures, eh? Um... you are changing system wide security policy. It seems like doing the minimum necessary to disable your exploit(s), is the best idea since every little bit that you change will cause more incompatibility for some program(s) somewhere -- not to mention this breaks posix rules, linux DACL rules, normal unix access restrictions, to name a few. > But maybe restrictions can be relaxed a bit to allow for your use case, > if it is common enough. Can you show an application that is broken by > current rules and that cannot be fixed without changes to the rules? ---- Can you show that your changes break no existing applications? You are proposing the changes but there's been no proof that any compatibility testing was done other than "ubuntu did it". Ubuntu, of course, is known to cater to the technically sophisticated users... who would be likely to use a variety of security scheme, right? Noooop. Ubuntu was designed for those coming from windows -- designed to take away decision points and make things simpler -- which I AGREE with -- but not at the expense of flexibility. I know the features can be turned off, BUT, Some vendors are designing new distro features based on the reduced functionality offered by the increased restrictions -- like putting everything on 1 partition. That used to be considered "bad system administration" and a bad practice for security, maintenance and reliability. It still is, but convenience is trumping everything else. > What you mentioned in the op seems a rather niche use you scripted > yourself and unlikely to be common. ---- Now here's where you are way off, as well as trying to create a self-fulfilling trap. ANY time you script something, it means you have a custom solution -- that by definition is a 'niche use'. If it could be done without a script, it would be a general use case implemented as a feature. Well guess what. There is no script involved. It's a general use case: "cp -al". I've been on many projects where one copy of the source was the pristine, read-only source, and people used links to create a low-space usage copy. This allowed them to create files as 'new files' where they made changes -- everything else was a read-only link enforced by it being a different UID. It may not be a common use case for home users, but for anyone who does development, it's among the simplest and easiest way to create a local "copy" that you can make changes to while keeping the overall disk cost low where you are re-using the original code. > For those cases specifically, there's a sysctl to disable hardlink > protection. ---- Actually, having the hardlink protections disabled are the default case. Opensuse turned them on in /usr/etc/sysctl.conf. Why wouldn't less overwhelming patch work? Specifically w/r/t prot.hardlinks: 1) cannot hard link to a setXID file unless you could create it yourself. 2) cannot link to/from a file in a world-writable sticky-directory. 3) Root privileges will not override sticky bit rules in the case of opening w/write. I.e. if a file already exists in temp owned by another user, root cannot open the file for write in 1 step. They must first either move or remove the sticky file. The latter step (3) makes the system safer than your proposed solution -- since as it is now, root can overwrite (accidently) any user created tmp file in /tmp, possibly destroying valuable work. ========================= Conversely -- specific criticisms of the new implementation: users can hardlink only to writable, regular files. The reasoning is to prevent race conditions and users writing into files expected to be used by root; BUT -- the new restrictions disable hardlinking to other file system objects -- in ALL CASES except where their UID=the object's UID. This disables Group control as well as control by access lists. A great deal of work has gone into making access lists viable -- and work went into making group access viable as well -- yet this disables both of those access methods for controlling hardlinking to writable objects (other than regular files). The irony, is that you can't have setXid objects other than *files* -- and the TOU exploits don't apply, EXCEPT to files... (i.e. they don't apply to hardlinking to symlinks, as you can't rewrite the symlink, they don't apply to other objects either -- named pipes? sockets? semaphores? None of those suffer from the TOU exploits -- yet they were all disabled unilaterally -- and don't even work when you have write access to those objects. ???? That doesn't make sense. If the idea was to protect against TOU problems, why disable linkability to other objects (besides files)? > If you can show a more widespread use case that is similarly affected, > that will encourage kernel developers to come up with less restrictive rules ---- The onus should be on those proposing the wide-ranging and incompatible new rules to prove why they are needed to the extent implemented. If no proof is needed, then just eliminate root, or pull the plug -- the former is practical with FLASK/SeLinux. But the problem is the bigger the change, the more things you break -- which is why I argue for the minimal change necessary. If you want a maximal solution, SELinux is already available. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-factory+owner(a)opensuse.org

1 0

[opensuse-factory] libwrap still broken over 2 years later...
by Linda Walsh 01 Apr '14

01 Apr '14

Just rebooted (it had been 60 days since last reboot), and it picked up the new tcpd/libwrap0 files from 13.1 (am pretty sure it's not fixed in factory, given it hasn't been fixed in over 2 years)... This is still a problem: http://lists.opensuse.org/opensuse/2011-10/msg00351.html Thought it was reported as I have a patch file... making sure it is reported here: https://bugzilla.novell.com/show_bug.cgi?id=861989 (had problems w/attachment, so am including it here as well..).

4 4

[opensuse-factory] Security issue: Proposal to revert to '/' on sep. part. from /usr,/home,/tmp,/var, etc
by Linda Walsh 01 Apr '14

01 Apr '14

WTF? Am I crazy? Following is a chain of logical events that have happened and are likely to happen that will cause even more security patches to compensate for the merge of '/' with other partitions (include /usr/share -- which was supposed to be independently sharable, yet the keyboard services needs it to load 'locales'). The conclusion is at the end, if you are one of those who are impaired with the TLDR disease. Well, yeah, and? The new setup is being used as a justification for a need for a new and ill designed security feature: "protected_hardlinks" that disables standard, legacy linking ability. In 13.1, this feature is turned on by default. That causes side effects, like not being able to copy a R/O source-tree with "cp -al", into a 2nd copy of symlinked dirs w/hard-linked file objects. To me, that was a basic source control mechanism -- anything that was the same between the two (or 20 trees) shared the same file and was read-only as someone other than the owner of the original source tree (often root). Local mods in source files could be made in your source tree but they wouldn't propagate to to the source copy. Now, such a setup is impossible in the default suse config unless a user has access to root and/or is willing to risk overwriting the original source. The main justification for protected_hardlinks was to protect users from linking to files that used to be on *separate* file systems (/etc/{shadow,group,passwd}) to use for some further exploit -- claim a lost of files and a need for their homedir to be restored via some util that writes to a hardlinked file w/root privs, for example. But now, along comes the protected_hardlinks feature which doesn't do the same job. It allows linking, only, to _regular files_ that you have write access to. Logically, to get around the inability to link w/o write access, one might think to make sure the copying user is in the same group as the target files and use group write access. That causes 2 problems: 1) it doesn't solve the original requirement of keeping the original source tree read-only to other users (i.e. if the users have write access through the group, they can overwrite the original, but worse, 2) protected_hardlinks was implemented to inconsistently allow hardlinking to objects in in the source tree. While it used to be the case that one could hardlink to any readable non-directory on the same device, protected_hardlinks changes that to allow hard-linking not just to "writeable" files, but only *regular files*. This means for example, that the kernel source tree can no longer be copied by anyone other than the tree owner due to symlink usage in the kernel (that were previously hardlinked to): > find . -type l|xargs ls -dgGl|cut -c30-999 ./arch/arm/boot/dts/include/dt-bindings -> ../../../../../include/dt-bindings ./arch/metag/boot/dts/include/dt-bindings -> ../../../../../include/dt-bindings ./arch/microblaze/boot/dts/system.dts -> ../../platform/generic/system.dts ./arch/mips/boot/dts/include/dt-bindings -> ../../../../../include/dt-bindings ./arch/powerpc/boot/dts/include/dt-bindings -> ../../../../../include/dt-bindings Of less commonality, but also affected were hardlinks to named pipes, sockets, -- any other file system object -- except for dirs which, on linux, have pretty much always been disallowed. Notably, now, we have a broken workaround to re-create security lost by previously having a separate root (broken in that it only partly works for some objects), but it's already being discussed how utility (applications will have to follow) progs will deal with making copies when "cp -al" is used -- i.e. it is likely that linux will fall back to DOS-level functionality where copies are made for any file object that doesn't support linking. This has a further security impact: any ACL's or security labels on a readable file will be stripped unless the copying user has the ability to recreate them (often not true if the source tree was designed to be read-only to the copier). I found that to already by a problem when 'mv'ing files -- a few samba versions mistakenly put NT-acl's in the 'security' or 'system' namespace, when such ACL's are not native acls, but a user-app (samba) level data-blob. That issue was raised with the samba team, and it appears it will be addressed, though no official statement was made about the security hole (a Windows user who has login access to the domain will be able to, by default, strip the file of it's NT-ACL just by moving it to another partition or by copying it (whether they intend this or not -- it's not a good side-effect). ========================= **TLDR: In short, the joining of the partitions has already caused broken security workarounds to go into the kernel (that still need to be fixed), and is in the process of requiring system utils and applications to invent workarounds for the security implications -- that themselves cause their own set of security issues that will need more patches, and likely cause more rounds. I.e. this is a case of a bad decision causing a chain of worsening and growing side effects. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-factory+owner(a)opensuse.org

3 7