* [gentoo-dev] [SECURITY] Minimizing the suid usage
@ 2008-03-23 18:21 Alon Bar-Lev
2008-03-23 18:26 ` Ciaran McCreesh
` (2 more replies)
0 siblings, 3 replies; 15+ messages in thread
From: Alon Bar-Lev @ 2008-03-23 18:21 UTC
To: gentoo-dev
Hello All,
linux-2.6.24 supports file based capabilities via:
CONFIG_SECURITY_FILE_CAPABILITIES
This enables the use of filesystem attributes in order to store per
executable capabilities list, more information at [1].
This enables an improved security level for people who don't wish to move
to SELinux or similar.
I think a new global USE flag (or use of the current caps flag) may enable
ebuilds to set correct capabilities on files.
On my system at least: ping, ping6, tcpdump, wireshark, samba, ntpd,
rlogin, vmware may enjoy this and drop the root suid.
In order to make it simple for everybody, a new eclass may be
introduced to force dependency on >=libcap-2 and provide some atoms.
This will provide a more secure installation for users with a little
effort, and less usage of the root user.
What do you think?
Alon.
[1] http://www.friedhoff.org/fscaps.html
--
gentoo-dev@lists.gentoo.org mailing list
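As an added illustration of the per-executable capability list the message above describes (this is not code from the thread or from Gentoo): the kernel stores file capabilities in the security.capability extended attribute as a small little-endian struct (vfs_cap_data, revision 2 or 3). The Python below encodes and decodes that blob, names the capability bits and renders them the way getcap(8) does; read_file_caps reads the real xattr on a Linux system (os.getxattr is Linux-only). The 20-byte sample value used in the usage note is what setcap cap_net_raw=ep writes for ping, constructed here by hand rather than captured from any system.

```python
"""Encode/decode the security.capability xattr (struct vfs_cap_data)."""
import os
import struct

# Capability bit numbers, in order, from <linux/capability.h>.
_CAP_NAMES = ("chown dac_override dac_read_search fowner fsetid kill setgid setuid "
              "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
              "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
              "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod "
              "lease audit_write audit_control setfcap mac_override mac_admin syslog "
              "wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore").split()
CAP_NAMES = {n: "cap_" + name for n, name in enumerate(_CAP_NAMES)}
CAP_NUMBERS = {name: n for n, name in CAP_NAMES.items()}

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000       # 64-bit masks, 20-byte blob
VFS_CAP_REVISION_3 = 0x03000000       # revision 2 plus a 4-byte root uid (user namespaces)
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001  # "effective" applies to the whole permitted set


def cap_mask(names):
    """Bitmask for a list of cap_* names."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_NUMBERS[name]
    return mask


def cap_list(mask):
    """Names for every bit set in a 64-bit mask, lowest bit first."""
    return [CAP_NAMES.get(b, "cap_%d" % b) for b in range(64) if mask >> b & 1]


def encode_vfs_cap(permitted, inheritable=(), effective=True, rootid=None):
    """Build the little-endian blob the kernel expects; a rootid selects revision 3."""
    p, i = cap_mask(permitted), cap_mask(inheritable)
    magic = VFS_CAP_REVISION_3 if rootid is not None else VFS_CAP_REVISION_2
    if effective:
        magic |= VFS_CAP_FLAGS_EFFECTIVE
    # Layout: magic_etc, then {permitted, inheritable} for the low and the high 32 bits.
    blob = struct.pack("<IIIII", magic, p & 0xFFFFFFFF, i & 0xFFFFFFFF, p >> 32, i >> 32)
    if rootid is not None:
        blob += struct.pack("<I", rootid)
    return blob


def decode_vfs_cap(blob):
    """Parse a blob into its sets; rejects revisions and lengths this code does not know."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    magic = struct.unpack_from("<I", blob, 0)[0]
    rev = magic & VFS_CAP_REVISION_MASK
    expected = {VFS_CAP_REVISION_2: 20, VFS_CAP_REVISION_3: 24}.get(rev)
    if expected is None:
        raise ValueError("unsupported vfs_cap_data revision 0x%08x" % rev)
    if len(blob) != expected:
        raise ValueError("blob length %d does not match revision" % len(blob))
    _, p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<IIIII", blob, 0)
    rootid = struct.unpack_from("<I", blob, 20)[0] if rev == VFS_CAP_REVISION_3 else None
    return {
        "permitted": cap_list(p_lo | p_hi << 32),
        "inheritable": cap_list(i_lo | i_hi << 32),
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
        "rootid": rootid,
    }


def cap_text(decoded):
    """Render roughly as getcap(8) does, e.g. 'cap_net_raw=ep'."""
    permitted, inheritable = set(decoded["permitted"]), set(decoded["inheritable"])
    groups = {}
    for name in permitted | inheritable:
        flags = ""
        if name in permitted and decoded["effective"]:
            flags += "e"
        if name in inheritable:
            flags += "i"
        if name in permitted:
            flags += "p"
        groups.setdefault(flags, []).append(name)
    by_bit = lambda n: CAP_NUMBERS.get(n, 99)
    return " ".join("%s=%s" % (",".join(sorted(names, key=by_bit)), flags)
                    for flags, names in sorted(groups.items()))


def read_file_caps(path):
    """Read and decode the real xattr (Linux only); None if the file carries none."""
    try:
        return decode_vfs_cap(os.getxattr(path, "security.capability"))
    except (OSError, AttributeError):
        return None
```

With the constructed ping value, `decode_vfs_cap(b"\x01\x00\x00\x02\x00\x20\x00\x00" + b"\x00" * 12)` yields a permitted set of cap_net_raw with the effective flag on, which cap_text renders as `cap_net_raw=ep`; the same bytes are what `getfattr -n security.capability` shows base64-encoded on a ping binary that was given that capability.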
* Re: [gentoo-dev] [SECURITY] Minimizing the suid usage
From: Ciaran McCreesh @ 2008-03-23 18:26 UTC
To: gentoo-dev
On Sun, 23 Mar 2008 20:21:29 +0200
"Alon Bar-Lev" <alonbl@gentoo.org> wrote:
> linux-2.6.24 supports file based capabilities via:
> CONFIG_SECURITY_FILE_CAPABILITIES
>
> This will provide a more secure installation for users with a little
> effort, and less usage of the root user.
>
> What do you think?
Needs package manager support. Effectively this requires an EAPI bump,
since ebuilds need to know whether they can rely upon caps being
preserved across a merge or whether they have to degrade to a setuid
bit.
Package manager support shouldn't be very hard, and there just needs to
be a minimal interface for it, so an EAPI proposal shouldn't be tricky
(and if there's call for it, you could ask for EAPI 2 being EAPI 1 +
file caps).
--
Ciaran McCreesh
* Re: [gentoo-dev] [SECURITY] Minimizing the suid usage
From: Alon Bar-Lev @ 2008-03-23 18:30 UTC
To: gentoo-dev
On 3/23/08, Ciaran McCreesh <ciaran.mccreesh@googlemail.com> wrote:
> On Sun, 23 Mar 2008 20:21:29 +0200
> "Alon Bar-Lev" <alonbl@gentoo.org> wrote:
> > linux-2.6.24 supports file based capabilities via:
> > CONFIG_SECURITY_FILE_CAPABILITIES
> >
>
> > This will provide a more secure installation for users with a little
> > effort, and less usage of the root user.
> >
> > What do you think?
>
>
> Needs package manager support. Effectively this requires an EAPI bump,
> since ebuilds need to know whether they can rely upon caps being
> preserved across a merge or whether they have to degrade to a setuid
> bit.
Why? A simple USE flag should be enough: if set, use caps; if not, use the current behaviour.
Alon.
* Re: [gentoo-dev] [SECURITY] Minimizing the suid usage
From: Ciaran McCreesh @ 2008-03-23 18:34 UTC
To: gentoo-dev
On Sun, 23 Mar 2008 20:30:33 +0200
"Alon Bar-Lev" <alonbl@gentoo.org> wrote:
> > Needs package manager support. Effectively this requires an EAPI
> > bump, since ebuilds need to know whether they can rely upon caps
> > being preserved across a merge or whether they have to degrade to a
> > setuid bit.
>
> Why? A simple USE flag should be enough, if set use caps, if not use
> current.
A user turns the use flag on, the ebuild creates files using caps
rather than set*id, the package manager merges it by copying the file
and the installed file ends up with no caps and no set*id bit.
--
Ciaran McCreesh
* Re: [gentoo-dev] [SECURITY] Minimizing the suid usage
From: Alon Bar-Lev @ 2008-03-23 18:45 UTC
To: gentoo-dev
On 3/23/08, Ciaran McCreesh <ciaran.mccreesh@googlemail.com> wrote:
> > Why? A simple USE flag should be enough, if set use caps, if not use
> > current.
>
>
> A user turns the use flag on, the ebuild creates files using caps
> rather than set*id, the package manager merges it by copying the file
> and the installed file ends up with no caps and no set*id bit.
File system attributes are already supported for SELinux. I also checked
this with capabilities and it works with Portage.
Alon.
* Re: [gentoo-dev] [SECURITY] Minimizing the suid usage
From: Ciaran McCreesh @ 2008-03-23 22:02 UTC
To: gentoo-dev
On Sun, 23 Mar 2008 20:45:24 +0200
"Alon Bar-Lev" <alonbl@gentoo.org> wrote:
> On 3/23/08, Ciaran McCreesh <ciaran.mccreesh@googlemail.com> wrote:
> > > Why? A simple USE flag should be enough, if set use caps, if not
> > > use current.
> >
> >
> > A user turns the use flag on, the ebuild creates files using caps
> > rather than set*id, the package manager merges it by copying the
> > file and the installed file ends up with no caps and no set*id bit.
>
> File system attributes are already supported for SELinux. I also checked
> this with capabilities and it works with Portage.
But they aren't upscaled.
--
Ciaran McCreesh
* Re: [gentoo-dev] [SECURITY] Minimizing the suid usage
From: Mike Frysinger @ 2008-03-24 11:50 UTC
To: gentoo-dev; +Cc: Alon Bar-Lev
On Sunday 23 March 2008, Alon Bar-Lev wrote:
> linux-2.6.24 supports file based capabilities via:
> CONFIG_SECURITY_FILE_CAPABILITIES
>
> This enables the use of filesystem attributes in order to store per
> executable capabilities list, more information at [1].
>
> This enables an improved security level for people who don't wish to move
> to SELinux or similar.
>
> I think a new global USE flag (or use of the current caps flag) may enable
> ebuilds to set correct capabilities on files.
Diego and I were talking ... we're going to go with USE=filecaps because it's
so new and doesn't require the libcap library in order to work at runtime.
It would probably be worthwhile to put together a little eclass of functions to make
people's lives easier ...
-mike
* Re: [gentoo-dev] [SECURITY] Minimizing the suid usage
From: Alon Bar-Lev @ 2008-03-24 12:27 UTC
To: Mike Frysinger; +Cc: gentoo-dev
On 3/24/08, Mike Frysinger <vapier@gentoo.org> wrote:
> Diego and I were talking ... we're going to go with USE=filecaps because it's
> so new and doesn't require the libcap library in order to work at runtime.
> It would probably be worthwhile to put together a little eclass of functions to make
> people's lives easier ...
Great!!!
You write the eclass, I'll start patching ebuilds and opening bugs against maintainers :)
Alon.
* Re: [gentoo-dev] [SECURITY] Minimizing the suid usage
From: Ciaran McCreesh @ 2008-03-24 13:20 UTC
To: gentoo-dev
On Mon, 24 Mar 2008 14:27:39 +0200
"Alon Bar-Lev" <alonbl@gentoo.org> wrote:
> On 3/24/08, Mike Frysinger <vapier@gentoo.org> wrote:
> > Diego and I were talking ... we're going to go with USE=filecaps
> > because it's so new and doesn't require the libcap library in order
> > to work at runtime. It would probably be worthwhile to put together a little
> > eclass of functions to make people's lives easier ...
>
> Great!!!
> You write the eclass, I'll start patching ebuilds and opening bugs against
> maintainers :)
Uh, you missed out the whole "new EAPI" step.
--
Ciaran McCreesh
* Re: [gentoo-dev] [SECURITY] Minimizing the suid usage
From: Mike Frysinger @ 2008-03-24 13:53 UTC
To: Alon Bar-Lev; +Cc: gentoo-dev
On Monday 24 March 2008, Alon Bar-Lev wrote:
> On 3/24/08, Mike Frysinger <vapier@gentoo.org> wrote:
> > Diego and I were talking ... we're going to go with USE=filecaps because
> > it's so new and doesn't require the libcap library in order to work at
> > runtime. It would probably be worthwhile to put together a little eclass of
> > functions to make people's lives easier ...
>
> Great!!!
> You write the eclass, I'll start patching ebuilds and opening bugs against
> maintainers :)
The eclass wrapping will also allow us to abstract away the fun OS details, but
we'll start with Linux for now.
How much do we want to help the user? If they have USE=filecaps, then don't
perform any checking? We'll need a kernel with file capabilities turned on,
otherwise the prog won't work unless it's setuid ... so do we perform checking
and drop the setuid bit on the post sly? I'd prefer we just make the
filecaps desc verbose: don't set this unless you have a new enough kernel with the
options enabled, otherwise things may stop working properly as non-root.
-mike
* Re: [gentoo-dev] [SECURITY] Minimizing the suid usage
From: Alon Bar-Lev @ 2008-03-24 13:55 UTC
To: Mike Frysinger; +Cc: gentoo-dev
On 3/24/08, Mike Frysinger <vapier@gentoo.org> wrote:
> How much do we want to help the user? If they have USE=filecaps, then don't
> perform any checking? We'll need a kernel with file capabilities turned on,
> otherwise the prog won't work unless it's setuid ... so do we perform checking
> and drop the setuid bit on the post sly? I'd prefer we just make the
> filecaps desc verbose: don't set this unless you have a new enough kernel with the
> options enabled, otherwise things may stop working properly as non-root.
I also prefer a descriptive warning and not runtime checks. Worst case
scenario, the system will be usable for root only; root can remove this
USE flag and emerge --update --deep --newuse world.
Alon.
* Re: [gentoo-dev] [SECURITY] Minimizing the suid usage
From: Ciaran McCreesh @ 2008-04-01 10:50 UTC
To: gentoo-dev
On Sun, 23 Mar 2008 20:45:24 +0200
"Alon Bar-Lev" <alonbl@gentoo.org> wrote:
> File system attributes are already supported for SELinux. I also checked
> this with capabilities and it works with Portage.
Looking at this some more... What makes you say that? So far as I can
see, whether or not they're preserved by Portage is highly dependent
upon user setup. In particular, did you test it where your build and
install directories were on different devices?
--
Ciaran McCreesh
* Re: [gentoo-dev] [SECURITY] Minimizing the suid usage
From: Bruno Prémont @ 2008-08-05 8:51 UTC
To: gentoo-dev, Alon Bar-Lev, Mike Frysinger
On Sun, 23 Mar 2008 Alon Bar-Lev wrote:
> Hello All,
>
> linux-2.6.24 supports file based capabilities via:
> CONFIG_SECURITY_FILE_CAPABILITIES
>
> This enables the use of filesystem attributes in order to store per
> executable capabilities list, more information at [1].
>
> This enables an improved security level for people who don't wish to move
> to SELinux or similar.
>
> I think a new global USE flag (or use of the current caps flag) may enable
> ebuilds to set correct capabilities on files.
>
> On my system at least: ping, ping6, tcpdump, wireshark, samba, ntpd,
> rlogin, vmware may enjoy this and drop the root suid.
>
> In order to make it simple for everybody, a new eclass may be
> introduced to force dependency on >=libcap-2 and provide some atoms.
>
> This will provide a more secure installation for users with a little
> effort, and less usage of the root user.
>
> What do you think?
>
> Alon.
>
> [1] http://www.friedhoff.org/fscaps.html
Has any progress happened since March for adding support for
FILE_CAPABILITIES?
Bruno
* Re: [gentoo-dev] [SECURITY] Minimizing the suid usage
From: Ciaran McCreesh @ 2008-08-05 8:54 UTC
To: gentoo-dev
On Tue, 5 Aug 2008 10:51:09 +0200
Bruno Prémont <bonbons67@internet.lu> wrote:
> Has any progress happened since March for adding support for
> FILE_CAPABILITIES?
Well, Alon still hasn't backed up his claim that Portage supports
capabilities... Fairly important to establish that before anything
else...
--
Ciaran McCreesh
* Re: [gentoo-dev] [SECURITY] Minimizing the suid usage
From: Bruno @ 2009-01-01 12:23 UTC
To: gentoo-dev; +Cc: ciaran.mccreesh, Alon Bar-Lev, Mike Frysinger
On Tue, 05 August 2008 Ciaran McCreesh wrote:
> On Tue, 5 Aug 2008 10:51:09 +0200 Bruno Prémont wrote:
> > Has any progress happened since March for adding support for
> > FILE_CAPABILITIES?
>
> Well, Alon still hasn't backed up his claim that Portage supports
> capabilities... Fairly important to establish that before anything
> else...
>
In case the package manager has trouble with attributes (or the target
filesystem does not support them), a way to keep the system running
would be to apply the capabilities during src_install and have the
eclass check during pkg_postinst, eventually retrying and finally
falling back to suid at that point.
Even binpkg would be handled that way.
For this to work the eclass would have to remember the list of files
from src_install until pkg_postinst so that it can do all the work once
again (with a single call from the ebuild).
Bruno
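Ciaran's earlier concern that a merge across devices may not preserve the attribute, and Bruno's proposal above to set caps in src_install, re-check in pkg_postinst and fall back to setuid, as an added example that is not code from the thread or from any Gentoo eclass. The Python below keeps the filesystem behind a small interface so the same logic can be run against an in-memory fake whose merge step drops xattrs (as a copy across devices or onto a filesystem without xattr support would) or refuses to set them at all; RealFs issues the same calls against the real filesystem, where setting security.capability needs CAP_SETFCAP. The class and function names (FcapsInstaller, FakeFs, RealFs, simulate) are invented here, and PING_CAPS is a constructed cap_net_raw=ep value, not one captured from a system.

```python
"""src_install -> merge -> pkg_postinst flow for file capabilities with a setuid fallback."""
import os
import stat

CAP_XATTR = "security.capability"


class RealFs:
    """Real filesystem backend (Linux only; setting security.capability needs CAP_SETFCAP)."""

    def get_xattr(self, path):
        try:
            return os.getxattr(path, CAP_XATTR)
        except OSError:
            return None

    def set_xattr(self, path, blob):
        os.setxattr(path, CAP_XATTR, blob)

    def mode(self, path):
        return stat.S_IMODE(os.stat(path).st_mode)

    def chmod(self, path, mode):
        os.chmod(path, mode)


class FakeFs:
    """Constructed in-memory filesystem: path -> {'mode': int, 'xattr': bytes | None}.
    xattr_ok=False models a target filesystem that refuses security.* xattrs."""

    def __init__(self, files, xattr_ok=True):
        self.files = {p: dict(f) for p, f in files.items()}
        self.xattr_ok = xattr_ok

    def get_xattr(self, path):
        return self.files[path]["xattr"]

    def set_xattr(self, path, blob):
        if not self.xattr_ok:
            raise OSError("Operation not supported")
        self.files[path]["xattr"] = blob

    def mode(self, path):
        return self.files[path]["mode"]

    def chmod(self, path, mode):
        self.files[path]["mode"] = mode

    def merge(self, src, dst, keep_xattr=False):
        """Model the package manager copying ${D} to ROOT: the mode bits survive,
        but by default the xattr does not (what a cross-device copy does)."""
        f = self.files[src]
        self.files[dst] = {"mode": f["mode"], "xattr": f["xattr"] if keep_xattr else None}


class FcapsInstaller:
    def __init__(self, fs):
        self.fs = fs
        self.pending = []  # (path relative to ROOT, blob, mode) remembered from src_install

    def src_install(self, image_dir, rel, blob, mode=0o755):
        """Run against ${D}: clear setuid, try to set caps, remember the file for postinst."""
        path = image_dir.rstrip("/") + rel
        self.fs.chmod(path, mode & ~stat.S_ISUID)
        try:
            self.fs.set_xattr(path, blob)
        except OSError:
            pass  # pkg_postinst re-checks and decides
        self.pending.append((rel, blob, mode))

    def pkg_postinst(self, root="/"):
        """Run against ROOT: verify the xattr survived, retry once, else fall back to setuid root."""
        results = {}
        for rel, blob, mode in self.pending:
            path = root.rstrip("/") + rel
            if self.fs.get_xattr(path) != blob:
                try:
                    self.fs.set_xattr(path, blob)
                except OSError:
                    pass
            if self.fs.get_xattr(path) == blob:
                self.fs.chmod(path, mode & ~stat.S_ISUID)  # caps present: no setuid bit
                results[rel] = "fcaps"
            else:
                self.fs.chmod(path, mode | stat.S_ISUID)   # keep the program usable for non-root
                results[rel] = "suid"
        self.pending = []
        return results


# Constructed security.capability value for cap_net_raw=ep (vfs_cap_data revision 2).
PING_CAPS = b"\x01\x00\x00\x02\x00\x20\x00\x00" + b"\x00" * 12


def simulate(xattr_ok=True, merge_keeps_xattr=False):
    """Walk one package through src_install -> merge -> pkg_postinst on the fake;
    returns (outcome, final mode, final xattr) for /bin/ping."""
    image = "/var/tmp/portage/image"
    fs = FakeFs({image + "/bin/ping": {"mode": 0o4755, "xattr": None}}, xattr_ok)
    inst = FcapsInstaller(fs)
    inst.src_install(image, "/bin/ping", PING_CAPS)
    fs.merge(image + "/bin/ping", "/bin/ping", keep_xattr=merge_keeps_xattr)
    outcome = inst.pkg_postinst("/")["/bin/ping"]
    return outcome, fs.mode("/bin/ping"), fs.get_xattr("/bin/ping")
```

The three cases the thread worries about fall out of `simulate()`: a merge that drops the xattr is repaired by the retry in pkg_postinst and the file ends up 0755 with caps; a filesystem that refuses the xattr leaves the file 4755 so ping keeps working; a merge that preserves the xattr needs no retry. The retry and the fallback never run in the same invocation, so a file never ends up with both the setuid bit and capabilities.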