[New: openFATE 313210] get rid of all setuid binaries
Feature added by: Ludwig Nussel (lnussel)

Feature #313210, revision 1
Title: get rid of all setuid binaries

openSUSE Distribution: Unconfirmed
Priority Requester: Important

Requested by: Ludwig Nussel (lnussel)
Partner organization: openSUSE.org

Description:
setuid binaries directly or indirectly cause a never ending stream of security issues due to bugs in various components:
- the implementation of the binaries themselves (CVE-2011-2490, CVE-2011-1946, CVE-2011-1485, CVE-2011-2145, CVE-2011-1675, CVE-2010-4170, CVE-2009-2948)
- libraries linked into setuid binaries (CVE-2010-3853, CVE-2010-3316, CVE-2009-0360)
- glibc resp the linker (CVE-2011-1658, CVE-2010-3847, CVE-2011-0536, CVE-2010-3192, CVE-2011-1089)
- kernel (CVE-2012-0056, CVE-2011-1020, CVE-2010-2240, CVE-2010-0296, CVE-2011-1020, CVE-2009-2848)
Therefore we should strive to get rid of all setuid binaries and replace them with client/server implementations.

--
openSUSE Feature: https://features.opensuse.org/313210
Feature changed by: Ludwig Nussel (lnussel)

Feature #313210, revision 2
Title: get rid of all setuid binaries

openSUSE Distribution: Unconfirmed
Priority Requester: Important

Requested by: Ludwig Nussel (lnussel)
+ Requested by: Security Team (secteam)
Partner organization: openSUSE.org

Description:
setuid binaries directly or indirectly cause a never ending stream of security issues due to bugs in various components:
- the implementation of the binaries themselves (CVE-2011-2490, CVE-2011-1946, CVE-2011-1485, CVE-2011-2145, CVE-2011-1675, CVE-2010-4170, CVE-2009-2948)
- libraries linked into setuid binaries (CVE-2010-3853, CVE-2010-3316, CVE-2009-0360)
- glibc resp the linker (CVE-2011-1658, CVE-2010-3847, CVE-2011-0536, CVE-2010-3192, CVE-2011-1089)
- kernel (CVE-2012-0056, CVE-2011-1020, CVE-2010-2240, CVE-2010-0296, CVE-2011-1020, CVE-2009-2848)
Therefore we should strive to get rid of all setuid binaries and replace them with client/server implementations.

--
openSUSE Feature: https://features.opensuse.org/313210
Feature changed by: Sebastian Freundt (hroptatyr)

Feature #313210, revision 3
Title: get rid of all setuid binaries

openSUSE Distribution: Unconfirmed
Priority Requester: Important

Requested by: Ludwig Nussel (lnussel)
Requested by: Security Team (secteam)
Partner organization: openSUSE.org

Description:
setuid binaries directly or indirectly cause a never ending stream of security issues due to bugs in various components:
- the implementation of the binaries themselves (CVE-2011-2490, CVE-2011-1946, CVE-2011-1485, CVE-2011-2145, CVE-2011-1675, CVE-2010-4170, CVE-2009-2948)
- libraries linked into setuid binaries (CVE-2010-3853, CVE-2010-3316, CVE-2009-0360)
- glibc resp the linker (CVE-2011-1658, CVE-2010-3847, CVE-2011-0536, CVE-2010-3192, CVE-2011-1089)
- kernel (CVE-2012-0056, CVE-2011-1020, CVE-2010-2240, CVE-2010-0296, CVE-2011-1020, CVE-2009-2848)
Therefore we should strive to get rid of all setuid binaries and replace them with client/server implementations.

+ Discussion:
+ #1: Sebastian Freundt (hroptatyr) (2012-02-09 12:04:47)
+ How does a client/server implementation of ping(1) look like then?

--
openSUSE Feature: https://features.opensuse.org/313210
Feature changed by: Ned Ulbricht (ned_ulbricht)

Feature #313210, revision 4
Title: get rid of all setuid binaries

openSUSE Distribution: Unconfirmed
Priority Requester: Important

Requested by: Ludwig Nussel (lnussel)
Requested by: Security Team (secteam)
Partner organization: openSUSE.org

Description:
setuid binaries directly or indirectly cause a never ending stream of security issues due to bugs in various components:
- the implementation of the binaries themselves (CVE-2011-2490, CVE-2011-1946, CVE-2011-1485, CVE-2011-2145, CVE-2011-1675, CVE-2010-4170, CVE-2009-2948)
- libraries linked into setuid binaries (CVE-2010-3853, CVE-2010-3316, CVE-2009-0360)
- glibc resp the linker (CVE-2011-1658, CVE-2010-3847, CVE-2011-0536, CVE-2010-3192, CVE-2011-1089)
- kernel (CVE-2012-0056, CVE-2011-1020, CVE-2010-2240, CVE-2010-0296, CVE-2011-1020, CVE-2009-2848)
Therefore we should strive to get rid of all setuid binaries and replace them with client/server implementations.

Discussion:
#1: Sebastian Freundt (hroptatyr) (2012-02-09 12:04:47)
How does a client/server implementation of ping(1) look like then?

+ #2: Ned Ulbricht (ned_ulbricht) (2012-02-09 12:42:07)
+ su and sudo are kind of pointless unless setuid

--
openSUSE Feature: https://features.opensuse.org/313210
Feature changed by: Marcus Meissner (msmeissn)

Feature #313210, revision 5
Title: get rid of all setuid binaries

openSUSE Distribution: Unconfirmed
Priority Requester: Important

Requested by: Ludwig Nussel (lnussel)
Requested by: Security Team (secteam)
Partner organization: openSUSE.org

Description:
setuid binaries directly or indirectly cause a never ending stream of security issues due to bugs in various components:
- the implementation of the binaries themselves (CVE-2011-2490, CVE-2011-1946, CVE-2011-1485, CVE-2011-2145, CVE-2011-1675, CVE-2010-4170, CVE-2009-2948)
- libraries linked into setuid binaries (CVE-2010-3853, CVE-2010-3316, CVE-2009-0360)
- glibc resp the linker (CVE-2011-1658, CVE-2010-3847, CVE-2011-0536, CVE-2010-3192, CVE-2011-1089)
- kernel (CVE-2012-0056, CVE-2011-1020, CVE-2010-2240, CVE-2010-0296, CVE-2011-1020, CVE-2009-2848)
Therefore we should strive to get rid of all setuid binaries and replace them with client/server implementations.

Discussion:
#1: Sebastian Freundt (hroptatyr) (2012-02-09 12:04:47)
How does a client/server implementation of ping(1) look like then?

#2: Ned Ulbricht (ned_ulbricht) (2012-02-09 12:42:07)
su and sudo are kind of pointless unless setuid

+ #3: Marcus Meissner (msmeissn) (2012-02-09 03:49:03) (reply to #2)
+ su and sudo can both be replaced by
+ ssh root@localhost
+ (optional with -X)
+ but these are probably way down the TODO list.

--
openSUSE Feature: https://features.opensuse.org/313210
Feature changed by: Ludwig Nussel (lnussel)

Feature #313210, revision 6
Title: get rid of all setuid binaries

openSUSE Distribution: Unconfirmed
Priority Requester: Important

Requested by: Ludwig Nussel (lnussel)
Requested by: Security Team (secteam)
Partner organization: openSUSE.org

Description:
setuid binaries directly or indirectly cause a never ending stream of security issues due to bugs in various components:
- the implementation of the binaries themselves (CVE-2011-2490, CVE-2011-1946, CVE-2011-1485, CVE-2011-2145, CVE-2011-1675, CVE-2010-4170, CVE-2009-2948)
- libraries linked into setuid binaries (CVE-2010-3853, CVE-2010-3316, CVE-2009-0360)
- glibc resp the linker (CVE-2011-1658, CVE-2010-3847, CVE-2011-0536, CVE-2010-3192, CVE-2011-1089)
- kernel (CVE-2012-0056, CVE-2011-1020, CVE-2010-2240, CVE-2010-0296, CVE-2011-1020, CVE-2009-2848)
Therefore we should strive to get rid of all setuid binaries and replace them with client/server implementations.

Discussion:
#1: Sebastian Freundt (hroptatyr) (2012-02-09 12:04:47)
How does a client/server implementation of ping(1) look like then?

+ #5: Ludwig Nussel (lnussel) (2012-02-09 12:52:17) (reply to #1)
+ The server part, e.g. a dbus service or some other process that listens
+ on a unix domain socket (potentially auto activated via systemd) does
+ the privileged operations. In case of ping the server part could either
+ only open the raw socket and pass the fd back or do all the work and
+ pass back only the actual output to the client.

#2: Ned Ulbricht (ned_ulbricht) (2012-02-09 12:42:07)
su and sudo are kind of pointless unless setuid

#3: Marcus Meissner (msmeissn) (2012-02-09 03:49:03) (reply to #2)
su and sudo can both be replaced by
ssh root@localhost
(optional with -X)
but these are probably way down the TODO list.

+ #4: Ludwig Nussel (lnussel) (2012-02-09 12:52:08) (reply to #2)
+ they are not pointless but they need to be implemented differently,
+ something like a local telnet.

--
openSUSE Feature: https://features.opensuse.org/313210
Feature changed by: Sebastian Freundt (hroptatyr)

Feature #313210, revision 7
Title: get rid of all setuid binaries

openSUSE Distribution: Unconfirmed
Priority Requester: Important

Requested by: Ludwig Nussel (lnussel)
Requested by: Security Team (secteam)
Partner organization: openSUSE.org

Description:
setuid binaries directly or indirectly cause a never ending stream of security issues due to bugs in various components:
- the implementation of the binaries themselves (CVE-2011-2490, CVE-2011-1946, CVE-2011-1485, CVE-2011-2145, CVE-2011-1675, CVE-2010-4170, CVE-2009-2948)
- libraries linked into setuid binaries (CVE-2010-3853, CVE-2010-3316, CVE-2009-0360)
- glibc resp the linker (CVE-2011-1658, CVE-2010-3847, CVE-2011-0536, CVE-2010-3192, CVE-2011-1089)
- kernel (CVE-2012-0056, CVE-2011-1020, CVE-2010-2240, CVE-2010-0296, CVE-2011-1020, CVE-2009-2848)
Therefore we should strive to get rid of all setuid binaries and replace them with client/server implementations.

Discussion:
#1: Sebastian Freundt (hroptatyr) (2012-02-09 12:04:47)
How does a client/server implementation of ping(1) look like then?

#5: Ludwig Nussel (lnussel) (2012-02-09 12:52:17) (reply to #1)
The server part, e.g. a dbus service or some other process that listens
on a unix domain socket (potentially auto activated via systemd) does
the privileged operations. In case of ping the server part could either
only open the raw socket and pass the fd back or do all the work and
pass back only the actual output to the client.

+ #6: Sebastian Freundt (hroptatyr) (2012-02-09 13:04:56) (reply to #5)
+ So it's either re-writing ping in the server or giving me the raw
+ socket, which is not in any way bound to my euid and hence can be used
+ to emit anything.
+ Sounds like a massive step backwards to me.

#2: Ned Ulbricht (ned_ulbricht) (2012-02-09 12:42:07)
su and sudo are kind of pointless unless setuid

#3: Marcus Meissner (msmeissn) (2012-02-09 03:49:03) (reply to #2)
su and sudo can both be replaced by
ssh root@localhost
(optional with -X)
but these are probably way down the TODO list.

#4: Ludwig Nussel (lnussel) (2012-02-09 12:52:08) (reply to #2)
they are not pointless but they need to be implemented differently,
something like a local telnet.

--
openSUSE Feature: https://features.opensuse.org/313210
Feature changed by: Marcus Meissner (msmeissn)

Feature #313210, revision 8
Title: get rid of all setuid binaries

openSUSE Distribution: Unconfirmed
Priority Requester: Important

Requested by: Ludwig Nussel (lnussel)
Requested by: Security Team (secteam)
Partner organization: openSUSE.org

Description:
setuid binaries directly or indirectly cause a never ending stream of security issues due to bugs in various components:
- the implementation of the binaries themselves (CVE-2011-2490, CVE-2011-1946, CVE-2011-1485, CVE-2011-2145, CVE-2011-1675, CVE-2010-4170, CVE-2009-2948)
- libraries linked into setuid binaries (CVE-2010-3853, CVE-2010-3316, CVE-2009-0360)
- glibc resp the linker (CVE-2011-1658, CVE-2010-3847, CVE-2011-0536, CVE-2010-3192, CVE-2011-1089)
- kernel (CVE-2012-0056, CVE-2011-1020, CVE-2010-2240, CVE-2010-0296, CVE-2011-1020, CVE-2009-2848)
Therefore we should strive to get rid of all setuid binaries and replace them with client/server implementations.

Discussion:
#1: Sebastian Freundt (hroptatyr) (2012-02-09 12:04:47)
How does a client/server implementation of ping(1) look like then?

#5: Ludwig Nussel (lnussel) (2012-02-09 12:52:17) (reply to #1)
The server part, e.g. a dbus service or some other process that listens
on a unix domain socket (potentially auto activated via systemd) does
the privileged operations. In case of ping the server part could either
only open the raw socket and pass the fd back or do all the work and
pass back only the actual output to the client.

#6: Sebastian Freundt (hroptatyr) (2012-02-09 13:04:56) (reply to #5)
So it's either re-writing ping in the server or giving me the raw
socket, which is not in any way bound to my euid and hence can be used
to emit anything.
Sounds like a massive step backwards to me.

+ #7: Marcus Meissner (msmeissn) (2012-02-09 04:06:23) (reply to #6)
+ or just allow ping only for root.
;)

#2: Ned Ulbricht (ned_ulbricht) (2012-02-09 12:42:07)
su and sudo are kind of pointless unless setuid

#3: Marcus Meissner (msmeissn) (2012-02-09 03:49:03) (reply to #2)
su and sudo can both be replaced by
ssh root@localhost
(optional with -X)
but these are probably way down the TODO list.

#4: Ludwig Nussel (lnussel) (2012-02-09 12:52:08) (reply to #2)
they are not pointless but they need to be implemented differently,
something like a local telnet.

--
openSUSE Feature: https://features.opensuse.org/313210
Feature changed by: Ruediger Meier (rudi_m)

Feature #313210, revision 9
Title: get rid of all setuid binaries

openSUSE Distribution: Unconfirmed
Priority Requester: Important

Requested by: Ludwig Nussel (lnussel)
Requested by: Security Team (secteam)
Partner organization: openSUSE.org

Description:
setuid binaries directly or indirectly cause a never ending stream of security issues due to bugs in various components:
- the implementation of the binaries themselves (CVE-2011-2490, CVE-2011-1946, CVE-2011-1485, CVE-2011-2145, CVE-2011-1675, CVE-2010-4170, CVE-2009-2948)
- libraries linked into setuid binaries (CVE-2010-3853, CVE-2010-3316, CVE-2009-0360)
- glibc resp the linker (CVE-2011-1658, CVE-2010-3847, CVE-2011-0536, CVE-2010-3192, CVE-2011-1089)
- kernel (CVE-2012-0056, CVE-2011-1020, CVE-2010-2240, CVE-2010-0296, CVE-2011-1020, CVE-2009-2848)
Therefore we should strive to get rid of all setuid binaries and replace them with client/server implementations.

Discussion:
#1: Sebastian Freundt (hroptatyr) (2012-02-09 12:04:47)
How does a client/server implementation of ping(1) look like then?

#5: Ludwig Nussel (lnussel) (2012-02-09 12:52:17) (reply to #1)
The server part, e.g. a dbus service or some other process that listens
on a unix domain socket (potentially auto activated via systemd) does
the privileged operations. In case of ping the server part could either
only open the raw socket and pass the fd back or do all the work and
pass back only the actual output to the client.

#6: Sebastian Freundt (hroptatyr) (2012-02-09 13:04:56) (reply to #5)
So it's either re-writing ping in the server or giving me the raw
socket, which is not in any way bound to my euid and hence can be used
to emit anything.
Sounds like a massive step backwards to me.

#7: Marcus Meissner (msmeissn) (2012-02-09 04:06:23) (reply to #6)
or just allow ping only for root.
;)

#2: Ned Ulbricht (ned_ulbricht) (2012-02-09 12:42:07)
su and sudo are kind of pointless unless setuid

#3: Marcus Meissner (msmeissn) (2012-02-09 03:49:03) (reply to #2)
su and sudo can both be replaced by
ssh root@localhost
(optional with -X)
but these are probably way down the TODO list.

+ #8: Ruediger Meier (rudi_m) (2012-02-09 13:09:49) (reply to #3)
+ How should ssh be able to replace sudo? Sending keys around to all
+ users you want to allow a single command? And allowing system or
+ test/guest users and even root ssh login? Is this good or bad for
+ security? Having sshd running at all is IMO much more a risk than
+ having su/sudo and local users only.
+ BTW ssh -X can be terribly slow depending on what you are doing.

#4: Ludwig Nussel (lnussel) (2012-02-09 12:52:08) (reply to #2)
they are not pointless but they need to be implemented differently,
something like a local telnet.

--
openSUSE Feature: https://features.opensuse.org/313210
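
Comment #5 in the thread above describes a privileged helper that listens on a unix domain socket, opens the raw socket and passes the fd back to the client. The following is an added example, not code from openFATE or from any participant: it shows that hand-off with SCM_RIGHTS, gated on the caller's uid as reported by the kernel through SO_PEERCRED (Linux only). All function names are hypothetical, and a pipe stands in for the raw socket so that the example runs without privileges.

```python
import array
import os
import socket
import struct

UCRED = struct.Struct("iII")  # Linux struct ucred: pid, uid, gid

def peer_uid(chan):
    """uid of the process on the other end, as recorded by the kernel."""
    raw = chan.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, UCRED.size)
    _pid, uid, _gid = UCRED.unpack(raw)
    return uid

def serve_fd(chan, fd, allowed_uids):
    """Helper side: attach fd to the reply only for an allowed caller."""
    if peer_uid(chan) not in allowed_uids:
        chan.sendmsg([b"N"])  # refusal, no descriptor attached
        return False
    rights = array.array("i", [fd])
    chan.sendmsg([b"Y"], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, rights)])
    return True

def request_fd(chan):
    """Client side: return the descriptor that was passed, or None."""
    size = array.array("i").itemsize
    _data, ancdata, _flags, _addr = chan.recvmsg(1, socket.CMSG_LEN(size))
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            return array.array("i", cdata[:size])[0]
    return None

def demo(allowed_uids):
    """Both sides in one process; a pipe stands in for the raw socket."""
    helper, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    read_end, write_end = os.pipe()
    try:
        serve_fd(helper, write_end, allowed_uids)
        got = request_fd(client)
        if got is None:
            return None
        os.write(got, b"echo-request")  # use the descriptor we were handed
        os.close(got)
        return os.read(read_end, 64)
    finally:
        for fd in (read_end, write_end):
            os.close(fd)
        helper.close()
        client.close()

if __name__ == "__main__":
    print(demo({os.getuid()}))
```

The uid check happens once, at hand-off; after that the descriptor carries no record of who holds it, which is the property comment #6 objects to.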