
Dear distributors...

... please wake up!

No, not in general. You guys are doing a great job. Working on EasyLFS I certainly do know that building a distribution, however small it may be, is a lot of work and deserves respect. And some of you, like the folks behind Fedora and Ubuntu, really drive the development forward by bringing a lot of cool, new stuff.

But something is missing! Yes, it's being totally overlooked, although it's already there and working for quite a while now. POSIX-Capabilities. Yes, you guys deliver all the tools to use them, but you don't utilize them.
Or why is my ping-command still setuid root? That's not necessary at all.

I have played around a bit with capabilities, and I am proud to say that my little distro, EasyLFS, features ping and passwd without the setuid-bit set! Why can't you guys do this?
I have simply followed the instructions that Chris Friedhoff posted well over a year ago.

It's not hard, as you can see there. EasyLFS is a one-man-show, but I did it. It works! Also together with SELinux.

So my question to all you folks out there who make all those big and cool distributions: Why don't you use this? I find it impossible to believe that nobody in the Fedora-/Ubuntu-/Debian-/whatever-team has ever heard about this. But why is nothing happening here?
Is it not worth it? I say it certainly is. Isn't it one of the big principles of security to only assign those privileges that are necessary to do a job? So why do Linux-users have to be made root for a simple ping? Or to update their password?

And think about all those other beautiful things that may be possible with POSIX-capabilities! One might give additional power to a user by granting him specific capabilities.
But hey, I guess that's not for you guys to do; your systems should simply support it.
What you guys should do is get rid of the setuid-bit as much as possible and replace it with the appropriate capabilities.

Give us users another reason to be proud of the security of our systems! ;-)

Thank you!
Dennis Wronka

Comments

Re: Dear distributors...


Why did you assume Fedora is ignoring it?

https://www.redhat.com/archives/fedora-devel-list/2009-July/msg01568.html

Rahul Sundaram

Re: Dear distributors...


"So why do Linux-users have to be made root for a simple ping? Or to update their password?"
Why do you think that users should NOT have to be made root to do these things? It seems to me that if a user can change their password without root privileges, then so could viruses or malware.

Re: Dear distributors...


@Rahul: Maybe they finally start picking up on it, but so far Fedora doesn't use capabilities.

Quote:

[dennis@raven ~]$ filecap
[dennis@raven ~]$

filecap, part of the package libcap-ng, shows all files in PATH that have capabilities applied to them. As you can see above, the output of filecap on a fully patched Fedora 11 is empty. Thus, it has been ignored so far, given that POSIX-capabilities have been around for quite a while already.
But thank you for the link. So it seems use of capabilities is targeted for F12. Well, finally.

@Anonymous: Because making a user root (we're talking about automatically through the setuid-bit, not about a manual transition by using su or sudo) gives him too much power. A buggy program thus might lead to an attacker gaining root-access, whereas a buggy program that uses capabilities instead of the setuid-bit would only give certain additional permissions to the attacker.
And your virus- and malware-argument is void as this applies equally for binaries with the setuid-bit set.

Re: Dear distributors...


"@Rahul: Maybe they finally start picking up on it, but so far Fedora doesn't use capabilities."

Because it was insanely hard to take advantage of. Fedora developers have made a number of improvements to make this finally possible easily including development of improvements in Linux kernel and development of libcap-ng. Do you understand this?

Re: Dear distributors...


I don't understand your animosity, but maybe I just misread your post. Please remember that I'm not blaming anybody for not implementing this, and that this is not specifically targeted at Fedora. This is a general call to distributors for why this isn't being done.
But seeing how Fedora is always breaking ground for new stuff it is a bit surprising that it's not there yet. But as said, this is not targeted at any single distribution.

The kernel already supports it for quite a while. Kernel-wise I'm pretty sure it would have been possible with F8 already. Also I don't see libcap-ng as a real necessity to use capabilities. libcap is totally sufficient to make use of this.

One possible limitation might be RPM. I don't play with RPM much, so I am not sure if it's capable of storing this kind of file-information so that it would be rolled out properly on installation. If that's the reason for not having it yet, well, fair enough.

Also, please don't mistake me as a regular end-user. ;-)

As said, I don't see where there is a necessity for animosity. I am happy that you pointed out that this is being worked on now. Also I understand that the benefits from this aren't huge, and that maybe other things may be considered more important.

Also I am happy that my article obviously was read by at least one distro-maker, which means that it's fulfilled its purpose.

?


F10 box:
$ ping www.google.com
PING www.l.google.com (66.102.11.99) 56(84) bytes of data.
64 bytes from www.google.com (66.102.11.99): icmp_seq=1 ttl=57 time=21.6 ms
^C
--- www.l.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 461ms
rtt min/avg/max/mdev = 21.634/21.634/21.634/0.000 ms
$ passwd
Changing password for user person.
Changing password for person.
(current) UNIX password:

Re: Dear distributors...


I guess with this output you are trying to tell me that a regular user can ping and change his password, right?
Well, yes, he can, but that is because those binaries have the setuid-bit set. Once they are run they effectively turn you into root, for the duration of their execution.
Now one of those programs might have an exploitable bug that may give the user a shell with escalated permissions, in the case of setuid root this would be root-permissions.

Check this:

sudo chmod +s $(which whoami)
whoami
sudo chmod -s $(which whoami)

The setuid-bit will effectively turn you into root, although in most cases this is not necessary. Thus it is much better to only provide the user with the set of permissions necessary for the task. And this is exactly what POSIX-capabilities do.
Getting back to my example of getting a shell with escalated permissions, this now would not give the attacker a root-shell, but only a shell with a few extra permissions.

Principle of least privilege
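The post's claim that ping needs only a capability rather than setuid root, the filecap check quoted in an earlier comment, and the setuid-versus-capabilities comparison in the reply above can all be checked with this added Python script (it is not from the post, from EasyLFS or from any commenter). It decodes the security.capability xattr that setcap writes (the kernel's struct vfs_cap_data) and walks PATH for setuid-root binaries; CAP_NAMES is a subset of the kernel's capability numbers and PING_CAPS_SAMPLE is a constructed sample of what cap_net_raw+ep looks like on disk.

```python
import os
import stat
import struct

# Capability bit numbers from linux/capability.h (subset relevant to ping/passwd).
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 3: "cap_fowner",
             4: "cap_fsetid", 7: "cap_setuid", 13: "cap_net_raw", 21: "cap_sys_admin"}
VFS_CAP_FLAGS_EFFECTIVE = 0x000001      # low bit of magic_etc: the "+e" flag
VFS_CAP_REVISION_MASK = 0xFF000000      # revision 1, 2 or 3 in the top byte

# Constructed sample: what 'setcap cap_net_raw+ep ping' stores (revision 2).
PING_CAPS_SAMPLE = struct.pack("<IIIII", 0x02000001, 1 << 13, 0, 0, 0)


def decode_caps(xattr: bytes) -> dict:
    """Decode a security.capability xattr (struct vfs_cap_data, revisions 1-3)."""
    magic = struct.unpack_from("<I", xattr, 0)[0]
    words = 1 if magic & VFS_CAP_REVISION_MASK == 0x01000000 else 2
    permitted = inheritable = 0
    for i in range(words):                        # rev3 appends a rootid; ignored here
        p, inh = struct.unpack_from("<II", xattr, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)

    def names(bits):
        return [CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if bits >> b & 1]

    return {"permitted": names(permitted), "inheritable": names(inheritable),
            "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE)}


def audit_path(path_env=None) -> list:
    """Report PATH binaries that are setuid-root or carry file capabilities."""
    findings = []
    dirs = path_env if path_env is not None else os.environ.get("PATH", "")
    for d in dirs.split(os.pathsep):
        try:
            entries = os.listdir(d)
        except OSError:
            continue
        for name in entries:
            f = os.path.join(d, name)
            try:
                st = os.stat(f)
            except OSError:
                continue
            if st.st_mode & stat.S_ISUID and st.st_uid == 0:
                findings.append((f, "setuid-root"))
            try:                                  # ENODATA when no capabilities are set
                caps = decode_caps(os.getxattr(f, "security.capability"))
                findings.append((f, "caps:" + ",".join(caps["permitted"])))
            except OSError:
                pass
    return findings


if __name__ == "__main__":
    for path, finding in audit_path():
        print(finding, path)
```

A distribution that has done what the post asks shows ping under "caps:cap_net_raw" instead of "setuid-root".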

Re: Dear distributors...


"The kernel already supports it for quite a while. Kernel-wise I'm pretty sure it would have been possible with F8 already. Also I don't see libcap-ng as a real necessity to use capabilities. libcap is totally sufficient to make use of this."

It would have been possible earlier but not efficient. libcap is not an easy-to-use library, and therein lies your answer on why nobody has been using it yet. The difference between libcap and libcap-ng is the difference between night and day.

"One possible limitation might be RPM. I don't play with RPM much, so I am not sure if it's capable store this kind of file-information so that it would be rolled out properly on installation. If that's the reason for not having it yet, well, fair enough."

RPM has supported it already for some time.

Rahul Sundaram

Re: Dear distributors...


Thanks for pointing this out Rahul.
I have to admit that I haven't played much with libcap-ng yet. But I do plan on catching up on this pretty soon as I also plan to include it into EasyLFS.

Also thanks for the info on RPM. As said, I don't build many RPMs, and thus far never looked into support for extended file-information.

I will spend some time looking into libcap-ng. I'm really interested to see what it offers.
