[opensuse-kernel] debugfs mounted by default - necessary?
Hi, is it necessary that "debugfs" is mounted by default? It exposes too much of the kernel readable (and so potentially exploitable) to the non-root user. Ciao, Marcus -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
On Mon, Dec 05, 2011 at 05:11:58PM +0100, Marcus Meissner wrote:
Hi,
is it necessary that "debugfs" is mounted by default?
perf needs/wants it, as does other things that we need for suportability (usb device list, etc.)
It exposes too much of the kernel readable (and so potentially exploitable) to the non-root user.
What is exploitable in debugfs, and "too readable"? thanks, greg k-h -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
On Mon, Dec 05, 2011 at 08:22:01AM -0800, Greg KH wrote:
On Mon, Dec 05, 2011 at 05:11:58PM +0100, Marcus Meissner wrote:
Hi,
is it necessary that "debugfs" is mounted by default?
perf needs/wants it, as does other things that we need for suportability (usb device list, etc.)
It exposes too much of the kernel readable (and so potentially exploitable) to the non-root user.
What is exploitable in debugfs, and "too readable"?
I do not know if anything is exploitable. This is also more a look into the future. Too readable as in "exposing too much information normal users do not need". Seeing that even interrupt numbers / timings are used to guess passwords nearly any information can be a side channel of sensitive information. So: Does "perf" need to run as user, or can it just be run as "root"? Could we restrict the mount permissions of debugfs to only be root readable? Ciao, Marcus -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
On Mon, Dec 05, 2011 at 05:26:02PM +0100, Marcus Meissner wrote:
On Mon, Dec 05, 2011 at 08:22:01AM -0800, Greg KH wrote:
On Mon, Dec 05, 2011 at 05:11:58PM +0100, Marcus Meissner wrote:
Hi,
is it necessary that "debugfs" is mounted by default?
perf needs/wants it, as does other things that we need for suportability (usb device list, etc.)
It exposes too much of the kernel readable (and so potentially exploitable) to the non-root user.
What is exploitable in debugfs, and "too readable"?
I do not know if anything is exploitable. This is also more a look into the future.
Too readable as in "exposing too much information normal users do not need".
Again, what is exploitable today, it will be fixed.
Seeing that even interrupt numbers / timings are used to guess passwords nearly any information can be a side channel of sensitive information.
I understand your feeling that we are exposing "too much", but without a specific example of what is wrong here, I'm not going to want to see anything changed.
So: Does "perf" need to run as user, or can it just be run as "root"?
It can run as user, and it provides very good statistics as a user, you should try it sometime :)
Could we restrict the mount permissions of debugfs to only be root readable?
No, a patch to do so was rejected upstream for the reasons I cite above. thanks, greg k-h -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/05/2011 11:11 AM, Marcus Meissner wrote:
Hi,
is it necessary that "debugfs" is mounted by default?
It exposes too much of the kernel readable (and so potentially exploitable) to the non-root user.
It makes the tracing infrastructure unusable without more work from the user. The tracing infrastructure has grown from a niche offering to being the core of other features like block trace, which I'd consider part of basic performance analysis. One potential workaround could be to make /sys/kernel/debug 0700 root and allow the admin to change it to allow access to non-root users. Forcing admins to mount it, even when they'd just be using it as root anyway, just delays the exposure. I don't necessarily agree that allowing RO access is a security hole, but it would address your concern. - -Jeff - -- Jeff Mahoney SUSE Labs -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.18 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJO3PZ8AAoJEB57S2MheeWyzuEP/3ul+viBY95LMOaf4FNfRgu7 +Q+NHjWZhdiFIM4CBU1+jkU71XU8pQoDhBIRGr2/xiZQK+Un2xkITPjxhhAAIaUJ P3A8OvC2sWMXVCm0yfOiP4WOH8o+D7rALFB5y5O2zmvKqQZkOprLWd9d/dcH7CLb HFHbglmOIXNvaw1OZxckqkHTT79zpUWf8kuYTM7qB/i7mFwQHFVO+wIJmgHvReO8 9ctR3K0TlSpEyz4/Nio6OST3JlOyb0yBWUysXhQJbohhfiXxjr54qc2kkuwmxbo5 xsztGzzzsj0jRv6SWNDrshn4SDlpqzZYsHQfIZLpJyOPb7fFd/eKxyVijnYN6m1s xo8qsgSKpQzTwTAsmJx7XCElWg9QvJRbPLqf7xXk6P+DRMWOLnBezNB3SB14qEmm TikmOGhuXdRC7qE66XhE3fTpnH4Z4QWN/kReYrz1flyOaEGmZwd8ziPEcLMgiAIm jtTfhsmUXsQRTithdanMEsI2GRrmyg59WabcOua1mmXazcI5GRd1Kxq+ccLgdjpB YKMrVWVclbVqr86gOhRYbGRKr4fGlx5+vGyuhOG4SvL+wS0CwU3iSsU/I0VcvijK yeRmN3KMD40pkey8nj0wWG3lFZkVWEfHS8wuBPRGlndlT1pX2UFvqNdUCsornYQs ix8VZu6qb4TOgz6tQEKV =oJvE -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
Hi, I think it is a very deep conceptual issue and a very deep difference in thinking about availability of features... "As close and restricted as possible" vs "allow as much as possible". Lets see two cases: If you are building a nuclear power plant, you want everything specified and doing exactly the thing you want it to do, but nothing more. You want everything documented, proven to be only there if needed, and doing just the things it needs to do. If you are building an experimental herb and flower garden, you want random influences and as much potential as possible. A secure Linux server sadly should act more like a nuclear power plant as break ins will cause fallout than a herb garden. Ciao, Marcus On Mon, Dec 05, 2011 at 08:40:41AM -0800, Greg KH wrote:
Again, what is exploitable today, it will be fixed.
Seeing that even interrupt numbers / timings are used to guess passwords nearly any information can be a side channel of sensitive information.
I understand your feeling that we are exposing "too much", but without a specific example of what is wrong here, I'm not going to want to see anything changed.
So: Does "perf" need to run as user, or can it just be run as "root"?
It can run as user, and it provides very good statistics as a user, you should try it sometime :)
Could we restrict the mount permissions of debugfs to only be root readable?
No, a patch to do so was rejected upstream for the reasons I cite above.
thanks,
greg k-h
-- Working, but not speaking, for the following german company: SUSE LINUX Products GmbH, HRB 16746 (AG Nuernberg) Geschaeftsfuehrer: Jeff Hawn, Jennifer Guild, Felix Imendoerffer -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
Hi, On Tue, 6 Dec 2011, Marcus Meissner wrote:
A secure Linux server sadly should act more like a nuclear power plant as break ins will cause fallout than a herb garden.
I think it would be reasonable for a server to not mount debugfs by default. If it's a test server (or something else than a server) where it's expected to do profiling it could be mounted. Perhaps it would be an idea to not mount debugfs by default, but only when perf is installed. What this means for the default for different products I don't know. Possibly SLES, don't mount; SLED/openSUSE, mount. Ciao, Michael. -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
On Tue, Dec 06, 2011 at 03:09:12PM +0100, Marcus Meissner wrote:
Hi,
I think it is a very deep conceptual issue and a very deep difference in thinking about availability of features...
"As close and restricted as possible" vs "allow as much as possible".
Lets see two cases:
If you are building a nuclear power plant, you want everything specified and doing exactly the thing you want it to do, but nothing more. You want everything documented, proven to be only there if needed, and doing just the things it needs to do.
If you are building an experimental herb and flower garden, you want random influences and as much potential as possible.
A secure Linux server sadly should act more like a nuclear power plant as break ins will cause fallout than a herb garden.
Again, what specifically is wrong with debugfs that is causing problems? Is it just the fear of the unknown? procfs "leaks" more system information today than debugfs does, do you want to not allow that to be mounted as well? This "fear of the unknown" for a feature of the kernel that has been there for a very long time is quite strange to me. And again, if there are problems found with any type of security related information leakage that should not be there in debugfs, let us know, it will get fixed. But don't outright ban the thing just because you are "afraid" of it, that's wrong. thanks, greg k-h -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
On Tue, Dec 06, 2011 at 07:37:10AM -0800, Greg KH wrote: ...
Again, what specifically is wrong with debugfs that is causing problems?
Nothing.
Is it just the fear of the unknown?
The fear of the yet undiscovered problems.
procfs "leaks" more system information today than debugfs does, do you want to not allow that to be mounted as well?
You might be aware that I am one of the guys supporting that it exports _less_ information and that it already exports these days less than previous versions. /proc is so deep entrenched in compatibility concerns it is hard to do sadly.
This "fear of the unknown" for a feature of the kernel that has been there for a very long time is quite strange to me.
And again, if there are problems found with any type of security related information leakage that should not be there in debugfs, let us know, it will get fixed.
But don't outright ban the thing just because you are "afraid" of it, that's wrong.
Please try to think as a security worker for a short moment... "If there are problems, tell us, we fix it" ... this is the way the security world works today (and it works basically). But this is a huge and ever turning treadmill where we (security and developers) can barely keep up running. What we (security and likely our users) want is a smaller or lower running treadmill. This means reducing what we call (and should be self explanatory) "attack surface". And yes, it is fear. Fear of the "yet unknown security holes the blackhats know about" or for our users the fear of "unknown if hackers have broken in already because we have not all updates or unknown issues." Do you not manage server(s) and fear such breakins? Ciao, Marcus PS: You can now stop thinking like me again... :) -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
On Tue, Dec 06, 2011 at 05:32:55PM +0100, Marcus Meissner wrote:
On Tue, Dec 06, 2011 at 07:37:10AM -0800, Greg KH wrote: ...
Again, what specifically is wrong with debugfs that is causing problems?
Nothing.
Is it just the fear of the unknown?
The fear of the yet undiscovered problems.
That fear will always be there, it conflicts with the need/want for new features and functionality.
This "fear of the unknown" for a feature of the kernel that has been there for a very long time is quite strange to me.
And again, if there are problems found with any type of security related information leakage that should not be there in debugfs, let us know, it will get fixed.
But don't outright ban the thing just because you are "afraid" of it, that's wrong.
Please try to think as a security worker for a short moment...
Please remember that my first full-time Linux job was as a security worker, I know this field very well. Because of that job, the whole LSM layer in the kernel was created to try to mitigate these types of problems, along with the product that today is called apparmor. That tool does mitigate the attack surface very well, and we support it for people who are worried about just such things.
"If there are problems, tell us, we fix it" ... this is the way the security world works today (and it works basically).
But this is a huge and ever turning treadmill where we (security and developers) can barely keep up running.
What we (security and likely our users) want is a smaller or lower running treadmill.
Of course, but then again, you need to balance it with the need of those same users for those new features and requirements. To shut down whole subsystems of the kernel just because you "fear" it, and have not audited it all to your satisfaction is one reaction, but one that again, goes against what has made Linux successful in the first place (fast moving where competitors did not.)
This means reducing what we call (and should be self explanatory) "attack surface".
And yes, it is fear.
Fear of the "yet unknown security holes the blackhats know about" or for our users the fear of "unknown if hackers have broken in already because we have not all updates or unknown issues."
Do you not manage server(s) and fear such breakins?
I do manage such servers, and I do reduce the attack surface on them. But here you are saying that you want to wholesale remove functionality by default, of systems that have already shipped, just because you now fear the unknown of what is in them. Why not take the 2-3 days and audit the files to remove that fear that you seem to have. That seems like the more sane aproach here, not going around saying "your 12.1 system is now exposed to the elements, quick, change the defaults because we really have no idea what is going on here!", which is what is happening now, right? thanks, greg k-h -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
participants (4)
-
Greg KH -
Jeff Mahoney -
Marcus Meissner -
Michael Matz