* [gentoo-dev] [SECURITY] Minimizing the suid usage
@ 2008-03-23 18:21 Alon Bar-Lev
2008-03-23 18:26 ` Ciaran McCreesh
` (2 more replies)
0 siblings, 3 replies; 15+ messages in thread
From: Alon Bar-Lev @ 2008-03-23 18:21 UTC (permalink / raw
To: gentoo-dev
Hello All,
linux-2.6.24 supports file based capabilities via:
CONFIG_SECURITY_FILE_CAPABILITIES
This enables the use of filesystem attributes in order to store per
executable capabilities list, more information at [1].
This enables improved security level for people who don't wish to move
into SELinux or similar.
I think a new global USE flags (or use current caps) may enable
ebuilds to set correct capabilities on files.
On my system at least: ping, ping6, tcpdump, wireshark, samba, ntpd,
rlogin, vmware may enjoy this and drop the root suid.
In order to make it simple for everybody, a new eclass may be
introduced to force dependency on >=libcap-2 and provide some atoms.
This will provide more secured installation for users with a little
effort, less usage of root user.
What do you think?
Alon.
[1] http://www.friedhoff.org/fscaps.html
--
gentoo-dev@lists.gentoo.org mailing list
^ permalink raw reply [flat|nested] 15+ messages in thread* Re: [gentoo-dev] [SECURITY] Minimizing the suid usage
2008-03-23 18:21 [gentoo-dev] [SECURITY] Minimizing the suid usage Alon Bar-Lev
@ 2008-03-23 18:26 ` Ciaran McCreesh
2008-03-23 18:30 ` Alon Bar-Lev
2008-03-24 11:50 ` Mike Frysinger
2008-08-05 8:51 ` Bruno Prémont
2 siblings, 1 reply; 15+ messages in thread
From: Ciaran McCreesh @ 2008-03-23 18:26 UTC (permalink / raw
To: gentoo-dev
[-- Attachment #1: Type: text/plain, Size: 777 bytes --]
On Sun, 23 Mar 2008 20:21:29 +0200
"Alon Bar-Lev" <alonbl@gentoo.org> wrote:
> linux-2.6.24 supports file based capabilities via:
> CONFIG_SECURITY_FILE_CAPABILITIES
>
> This will provide more secured installation for users with a little
> effort, less usage of root user.
>
> What do you think?
Needs package manager support. Effectively this requires an EAPI bump,
since ebuilds need to know whether they can rely upon caps being
preserved across a merge or whether they have to degrade to a setuid
bit.
Package manager support shouldn't be very hard, and there just needs to
be a minimal interface for it, so an EAPI proposal shouldn't be tricky
(and if there's call for it, you could ask for EAPI 2 being EAPI 1 +
file caps).
--
Ciaran McCreesh
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [gentoo-dev] [SECURITY] Minimizing the suid usage
2008-03-23 18:26 ` Ciaran McCreesh
@ 2008-03-23 18:30 ` Alon Bar-Lev
2008-03-23 18:34 ` Ciaran McCreesh
0 siblings, 1 reply; 15+ messages in thread
From: Alon Bar-Lev @ 2008-03-23 18:30 UTC (permalink / raw
To: gentoo-dev
On 3/23/08, Ciaran McCreesh <ciaran.mccreesh@googlemail.com> wrote:
> On Sun, 23 Mar 2008 20:21:29 +0200
> "Alon Bar-Lev" <alonbl@gentoo.org> wrote:
> > linux-2.6.24 supports file based capabilities via:
> > CONFIG_SECURITY_FILE_CAPABILITIES
> >
>
> > This will provide more secured installation for users with a little
> > effort, less usage of root user.
> >
> > What do you think?
>
>
> Needs package manager support. Effectively this requires an EAPI bump,
> since ebuilds need to know whether they can rely upon caps being
> preserved across a merge or whether they have to degrade to a setuid
> bit.
Why? A simple USE flag should be enough, if set use caps, if not use current.
Alon.
--
gentoo-dev@lists.gentoo.org mailing list
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [gentoo-dev] [SECURITY] Minimizing the suid usage
2008-03-23 18:30 ` Alon Bar-Lev
@ 2008-03-23 18:34 ` Ciaran McCreesh
2008-03-23 18:45 ` Alon Bar-Lev
0 siblings, 1 reply; 15+ messages in thread
From: Ciaran McCreesh @ 2008-03-23 18:34 UTC (permalink / raw
To: gentoo-dev
[-- Attachment #1: Type: text/plain, Size: 625 bytes --]
On Sun, 23 Mar 2008 20:30:33 +0200
"Alon Bar-Lev" <alonbl@gentoo.org> wrote:
> > Needs package manager support. Effectively this requires an EAPI
> > bump, since ebuilds need to know whether they can rely upon caps
> > being preserved across a merge or whether they have to degrade to a
> > setuid bit.
>
> Why? A simple USE flag should be enough, if set use caps, if not use
> current.
A user turns the use flag on, the ebuild creates files using caps
rather than set*id, the package manager merges it by copying the file
and the installed file ends up with no caps and no set*id bit.
--
Ciaran McCreesh
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [gentoo-dev] [SECURITY] Minimizing the suid usage
2008-03-23 18:34 ` Ciaran McCreesh
@ 2008-03-23 18:45 ` Alon Bar-Lev
2008-03-23 22:02 ` Ciaran McCreesh
2008-04-01 10:50 ` Ciaran McCreesh
0 siblings, 2 replies; 15+ messages in thread
From: Alon Bar-Lev @ 2008-03-23 18:45 UTC (permalink / raw
To: gentoo-dev
On 3/23/08, Ciaran McCreesh <ciaran.mccreesh@googlemail.com> wrote:
> > Why? A simple USE flag should be enough, if set use caps, if not use
> > current.
>
>
> A user turns the use flag on, the ebuild creates files using caps
> rather than set*id, the package manager merges it by copying the file
> and the installed file ends up with no caps and no set*id bit.
File system attributes already supported for selinux. I also checked
this with capabilities and it works with portage.
Alon.
--
gentoo-dev@lists.gentoo.org mailing list
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [gentoo-dev] [SECURITY] Minimizing the suid usage
2008-03-23 18:45 ` Alon Bar-Lev
@ 2008-03-23 22:02 ` Ciaran McCreesh
2008-04-01 10:50 ` Ciaran McCreesh
1 sibling, 0 replies; 15+ messages in thread
From: Ciaran McCreesh @ 2008-03-23 22:02 UTC (permalink / raw
To: gentoo-dev
[-- Attachment #1: Type: text/plain, Size: 651 bytes --]
On Sun, 23 Mar 2008 20:45:24 +0200
"Alon Bar-Lev" <alonbl@gentoo.org> wrote:
> On 3/23/08, Ciaran McCreesh <ciaran.mccreesh@googlemail.com> wrote:
> > > Why? A simple USE flag should be enough, if set use caps, if not
> > > use current.
> >
> >
> > A user turns the use flag on, the ebuild creates files using caps
> > rather than set*id, the package manager merges it by copying the
> > file and the installed file ends up with no caps and no set*id bit.
>
> File system attributes already supported for selinux. I also checked
> this with capabilities and it works with portage.
But they aren't upscaled.
--
Ciaran McCreesh
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [gentoo-dev] [SECURITY] Minimizing the suid usage
2008-03-23 18:45 ` Alon Bar-Lev
2008-03-23 22:02 ` Ciaran McCreesh
@ 2008-04-01 10:50 ` Ciaran McCreesh
1 sibling, 0 replies; 15+ messages in thread
From: Ciaran McCreesh @ 2008-04-01 10:50 UTC (permalink / raw
To: gentoo-dev
[-- Attachment #1: Type: text/plain, Size: 489 bytes --]
On Sun, 23 Mar 2008 20:45:24 +0200
"Alon Bar-Lev" <alonbl@gentoo.org> wrote:
> File system attributes already supported for selinux. I also checked
> this with capabilities and it works with portage.
Looking at this some more... What makes you say that? So far as I can
see, whether or not they're preserved by Portage is highly dependent
upon user setup. In particular, did you test it where your build and
install directories were on different devices?
--
Ciaran McCreesh
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [gentoo-dev] [SECURITY] Minimizing the suid usage
2008-03-23 18:21 [gentoo-dev] [SECURITY] Minimizing the suid usage Alon Bar-Lev
2008-03-23 18:26 ` Ciaran McCreesh
@ 2008-03-24 11:50 ` Mike Frysinger
2008-03-24 12:27 ` Alon Bar-Lev
2008-08-05 8:51 ` Bruno Prémont
2 siblings, 1 reply; 15+ messages in thread
From: Mike Frysinger @ 2008-03-24 11:50 UTC (permalink / raw
To: gentoo-dev; +Cc: Alon Bar-Lev
[-- Attachment #1: Type: text/plain, Size: 764 bytes --]
On Sunday 23 March 2008, Alon Bar-Lev wrote:
> linux-2.6.24 supports file based capabilities via:
> CONFIG_SECURITY_FILE_CAPABILITIES
>
> This enables the use of filesystem attributes in order to store per
> executable capabilities list, more information at [1].
>
> This enables improved security level for people who don't wish to move
> into SELinux or similar.
>
> I think a new global USE flags (or use current caps) may enable
> ebuilds to set correct capabilities on files.
Diego and i were talking ... we're going to go with USE=filecaps because it's
so new and doesnt require the libcap library in order to work at runtime.
probably be worthwhile to put together a little eclass of functions to make
people's lives easier ...
-mike
[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 827 bytes --]
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [gentoo-dev] [SECURITY] Minimizing the suid usage
2008-03-24 11:50 ` Mike Frysinger
@ 2008-03-24 12:27 ` Alon Bar-Lev
2008-03-24 13:20 ` Ciaran McCreesh
2008-03-24 13:53 ` Mike Frysinger
0 siblings, 2 replies; 15+ messages in thread
From: Alon Bar-Lev @ 2008-03-24 12:27 UTC (permalink / raw
To: Mike Frysinger; +Cc: gentoo-dev
On 3/24/08, Mike Frysinger <vapier@gentoo.org> wrote:
> Diego and i were talking ... we're going to go with USE=filecaps because it's
> so new and doesnt require the libcap library in order to work at runtime.
> probably be worthwhile to put together a little eclass of functions to make
> people's lives easier ...
Great!!!
You write eclass, me start patching ebuilds and open bugs against maintainers :)
Alon.
--
gentoo-dev@lists.gentoo.org mailing list
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [gentoo-dev] [SECURITY] Minimizing the suid usage
2008-03-24 12:27 ` Alon Bar-Lev
@ 2008-03-24 13:20 ` Ciaran McCreesh
2008-03-24 13:53 ` Mike Frysinger
1 sibling, 0 replies; 15+ messages in thread
From: Ciaran McCreesh @ 2008-03-24 13:20 UTC (permalink / raw
To: gentoo-dev
[-- Attachment #1: Type: text/plain, Size: 586 bytes --]
On Mon, 24 Mar 2008 14:27:39 +0200
"Alon Bar-Lev" <alonbl@gentoo.org> wrote:
> On 3/24/08, Mike Frysinger <vapier@gentoo.org> wrote:
> > Diego and i were talking ... we're going to go with USE=filecaps
> > because it's so new and doesnt require the libcap library in order
> > to work at runtime. probably be worthwhile to put together a little
> > eclass of functions to make people's lives easier ...
>
> Great!!!
> You write eclass, me start patching ebuilds and open bugs against
> maintainers :)
Uh, you missed out the whole "new EAPI" step.
--
Ciaran McCreesh
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [gentoo-dev] [SECURITY] Minimizing the suid usage
2008-03-24 12:27 ` Alon Bar-Lev
2008-03-24 13:20 ` Ciaran McCreesh
@ 2008-03-24 13:53 ` Mike Frysinger
2008-03-24 13:55 ` Alon Bar-Lev
1 sibling, 1 reply; 15+ messages in thread
From: Mike Frysinger @ 2008-03-24 13:53 UTC (permalink / raw
To: Alon Bar-Lev; +Cc: gentoo-dev
[-- Attachment #1: Type: text/plain, Size: 1065 bytes --]
On Monday 24 March 2008, Alon Bar-Lev wrote:
> On 3/24/08, Mike Frysinger <vapier@gentoo.org> wrote:
> > Diego and i were talking ... we're going to go with USE=filecaps because
> > it's so new and doesnt require the libcap library in order to work at
> > runtime. probably be worthwhile to put together a little eclass of
> > functions to make people's lives easier ...
>
> Great!!!
> You write eclass, me start patching ebuilds and open bugs against
> maintainers :)
eclass wrapping will also allow us to abstract away the fun OS details, but
we'll start with linux for now.
how much do we want to help the user ? if they have USE=filecaps, then dont
perform any checking ? we'll need a kernel with file capabilities turned on,
otherwise the prog wont work unless it's setuid ... so do we perform checking
and drop the setuid bit on the post sly ? i'd prefer we just make the
filecaps desc verbose: dont set this unless you have new enough kernel with
options enabled, otherwise things may stop working properly as non-root.
-mike
[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 827 bytes --]
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [gentoo-dev] [SECURITY] Minimizing the suid usage
2008-03-24 13:53 ` Mike Frysinger
@ 2008-03-24 13:55 ` Alon Bar-Lev
0 siblings, 0 replies; 15+ messages in thread
From: Alon Bar-Lev @ 2008-03-24 13:55 UTC (permalink / raw
To: Mike Frysinger; +Cc: gentoo-dev
On 3/24/08, Mike Frysinger <vapier@gentoo.org> wrote:
> how much do we want to help the user ? if they have USE=filecaps, then dont
> perform any checking ? we'll need a kernel with file capabilities turned on,
> otherwise the prog wont work unless it's setuid ... so do we perform checking
> and drop the setuid bit on the post sly ? i'd prefer we just make the
> filecaps desc verbose: dont set this unless you have new enough kernel with
> options enabled, otherwise things may stop working properly as non-root.
I also prefer descriptive warning and not runtime checks. Worse case
scenario, system will be usable for root only. root can remove this
USE flag and emerge --update --deep --newuse world.
Alon.
--
gentoo-dev@lists.gentoo.org mailing list
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [gentoo-dev] [SECURITY] Minimizing the suid usage
2008-03-23 18:21 [gentoo-dev] [SECURITY] Minimizing the suid usage Alon Bar-Lev
2008-03-23 18:26 ` Ciaran McCreesh
2008-03-24 11:50 ` Mike Frysinger
@ 2008-08-05 8:51 ` Bruno Prémont
2008-08-05 8:54 ` Ciaran McCreesh
2 siblings, 1 reply; 15+ messages in thread
From: Bruno Prémont @ 2008-08-05 8:51 UTC (permalink / raw
To: gentoo-dev, Alon Bar-Lev, Mike Frysinger
On Sun, 23 Mar 2008 Alon Bar-Lev wrote:
> Hello All,
>
> linux-2.6.24 supports file based capabilities via:
> CONFIG_SECURITY_FILE_CAPABILITIES
>
> This enables the use of filesystem attributes in order to store per
> executable capabilities list, more information at [1].
>
> This enables improved security level for people who don't wish to move
> into SELinux or similar.
>
> I think a new global USE flags (or use current caps) may enable
> ebuilds to set correct capabilities on files.
>
> On my system at least: ping, ping6, tcpdump, wireshark, samba, ntpd,
> rlogin, vmware may enjoy this and drop the root suid.
>
> In order to make it simple for everybody, a new eclass may be
> introduced to force dependency on >=libcap-2 and provide some atoms.
>
> This will provide more secured installation for users with a little
> effort, less usage of root user.
>
> What do you think?
>
> Alon.
>
> [1] http://www.friedhoff.org/fscaps.html
Has any progress happened since March for adding support for
FILE_CAPABILITIES?
Bruno
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [gentoo-dev] [SECURITY] Minimizing the suid usage
2008-08-05 8:51 ` Bruno Prémont
@ 2008-08-05 8:54 ` Ciaran McCreesh
2009-01-01 12:23 ` Bruno
0 siblings, 1 reply; 15+ messages in thread
From: Ciaran McCreesh @ 2008-08-05 8:54 UTC (permalink / raw
To: gentoo-dev
[-- Attachment #1: Type: text/plain, Size: 338 bytes --]
On Tue, 5 Aug 2008 10:51:09 +0200
Bruno Prémont <bonbons67@internet.lu> wrote:
> Has any progress happened since March for adding support for
> FILE_CAPABILITIES?
Well, Alon still hasn't backed up his claim that Portage supports
capabilities... Fairly important to establish that before anything
else...
--
Ciaran McCreesh
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 197 bytes --]
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [gentoo-dev] [SECURITY] Minimizing the suid usage
2008-08-05 8:54 ` Ciaran McCreesh
@ 2009-01-01 12:23 ` Bruno
0 siblings, 0 replies; 15+ messages in thread
From: Bruno @ 2009-01-01 12:23 UTC (permalink / raw
To: gentoo-dev; +Cc: ciaran.mccreesh, Alon Bar-Lev, Mike Frysinger
On Tue, 05 August 2008 Ciaran McCreesh wrote:
> On Tue, 5 Aug 2008 10:51:09 +0200 Bruno Prémont wrote:
> > Has any progress happened since March for adding support for
> > FILE_CAPABILITIES?
>
> Well, Alon still hasn't backed up his claim that Portage supports
> capabilities... Fairly important to establish that before anything
> else...
>
In case the package manager has trouble with attributes (or the target
filesystem does not support them) a way to keep the system running
would be to apply the capabilities during src_install and have the
eclass check during pkg_postinst, eventually retrying and finally
falling back to suid at that point.
Even binpkg would be handled that way.
For this to work the eclass would have to remember the list of files
from src_install until pkg_postinst so that it can do all the work once
again (with a single call from the ebuild).
Bruno
^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2009-01-01 12:23 UTC | newest]
Thread overview: 15+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-03-23 18:21 [gentoo-dev] [SECURITY] Minimizing the suid usage Alon Bar-Lev
2008-03-23 18:26 ` Ciaran McCreesh
2008-03-23 18:30 ` Alon Bar-Lev
2008-03-23 18:34 ` Ciaran McCreesh
2008-03-23 18:45 ` Alon Bar-Lev
2008-03-23 22:02 ` Ciaran McCreesh
2008-04-01 10:50 ` Ciaran McCreesh
2008-03-24 11:50 ` Mike Frysinger
2008-03-24 12:27 ` Alon Bar-Lev
2008-03-24 13:20 ` Ciaran McCreesh
2008-03-24 13:53 ` Mike Frysinger
2008-03-24 13:55 ` Alon Bar-Lev
2008-08-05 8:51 ` Bruno Prémont
2008-08-05 8:54 ` Ciaran McCreesh
2009-01-01 12:23 ` Bruno
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox