* Busybox on musl is affected by CVE-2015-1817 @ 2015-03-30 5:31 Rich Felker 2015-03-31 19:07 ` Denys Vlasenko 0 siblings, 1 reply; 19+ messages in thread From: Rich Felker @ 2015-03-30 5:31 UTC (permalink / raw) To: busybox; +Cc: musl For details on CVE-2015-1817, see: http://www.openwall.com/lists/musl/2015/03/30/1 With musl-linked Busybox installed setuid and ping enabled, exploiting this issue is trivial. While CVE-2015-1817 is certainly musl's fault, there are two changes to Busybox I'd like to propose that would have prevented it from being exploitable: 1. Having setuid utilities like ping obtain the resource they need (in the case of ping, SOCK_RAW) without processing user input at all, then fully dropping root (setuid(getuid())) before doing anything. This has been standard practice for setuid programs since the 90s and it feels bad that busybox is not doing it. 2. Reconsider the rejection of the patch to add SOCK_DGRAM support for ping, which allows it to run without root. Do either or both of these sound acceptable? Rich ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Busybox on musl is affected by CVE-2015-1817 2015-03-30 5:31 Busybox on musl is affected by CVE-2015-1817 Rich Felker @ 2015-03-31 19:07 ` Denys Vlasenko 2015-03-31 23:11 ` Justin Cormack 2015-03-31 23:48 ` Rich Felker 0 siblings, 2 replies; 19+ messages in thread From: Denys Vlasenko @ 2015-03-31 19:07 UTC (permalink / raw) To: Rich Felker; +Cc: busybox, musl On Mon, Mar 30, 2015 at 7:31 AM, Rich Felker <dalias@libc.org> wrote: > For details on CVE-2015-1817, see: > http://www.openwall.com/lists/musl/2015/03/30/1 > > With musl-linked Busybox installed setuid and ping enabled, exploiting > this issue is trivial. > > While CVE-2015-1817 is certainly musl's fault, there are two changes > to Busybox I'd like to propose that would have prevented it from being > exploitable: > > 1. Having setuid utilities like ping obtain the resource they need (in > the case of ping, SOCK_RAW) without processing user input at all, > then fully dropping root (setuid(getuid())) before doing anything. > This has been standard practice for setuid programs since the 90s > and it feels bad that busybox is not doing it. In general this is acceptable, but with this particular case and CVE, it wouldn't help. create_icmp_socket(lsa) needs to know of which address family the socket should be: if (lsa->u.sa.sa_family == AF_INET6) sock = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6); else sock = socket(AF_INET, SOCK_RAW, 1); /* 1 == ICMP */ This is only known after HOST is parsed. And CVE is in DNS resolving code :( > 2. Reconsider the rejection of the patch to add SOCK_DGRAM support for > ping, which allows it to run without root. This seems to lead to a significantly larger code. ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Re: Busybox on musl is affected by CVE-2015-1817 2015-03-31 19:07 ` Denys Vlasenko @ 2015-03-31 23:11 ` Justin Cormack 2015-03-31 23:51 ` Rich Felker 2015-03-31 23:48 ` Rich Felker 1 sibling, 1 reply; 19+ messages in thread From: Justin Cormack @ 2015-03-31 23:11 UTC (permalink / raw) To: musl; +Cc: Rich Felker, busybox On 31 March 2015 at 20:07, Denys Vlasenko <vda.linux@googlemail.com> wrote: > On Mon, Mar 30, 2015 at 7:31 AM, Rich Felker <dalias@libc.org> wrote: >> For details on CVE-2015-1817, see: >> http://www.openwall.com/lists/musl/2015/03/30/1 >> >> With musl-linked Busybox installed setuid and ping enabled, exploiting >> this issue is trivial. >> >> While CVE-2015-1817 is certainly musl's fault, there are two changes >> to Busybox I'd like to propose that would have prevented it from being >> exploitable: >> >> 1. Having setuid utilities like ping obtain the resource they need (in >> the case of ping, SOCK_RAW) without processing user input at all, >> then fully dropping root (setuid(getuid())) before doing anything. >> This has been standard practice for setuid programs since the 90s >> and it feels bad that busybox is not doing it. > > In general this is acceptable, but with this particular case > and CVE, it wouldn't help. > > create_icmp_socket(lsa) needs to know of which address family > the socket should be: > > if (lsa->u.sa.sa_family == AF_INET6) > sock = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6); > else > sock = socket(AF_INET, SOCK_RAW, 1); /* 1 == ICMP */ > > This is only known after HOST is parsed. > And CVE is in DNS resolving code :( One advantage if the traditional separation of ping and ping6. > >> 2. Reconsider the rejection of the patch to add SOCK_DGRAM support for >> ping, which allows it to run without root. > > This seems to lead to a significantly larger code. Slightly larger code or security holes. Is it really that much bigger? Justin ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Re: Busybox on musl is affected by CVE-2015-1817 2015-03-31 23:11 ` Justin Cormack @ 2015-03-31 23:51 ` Rich Felker 0 siblings, 0 replies; 19+ messages in thread From: Rich Felker @ 2015-03-31 23:51 UTC (permalink / raw) To: Justin Cormack; +Cc: musl, busybox On Wed, Apr 01, 2015 at 12:11:18AM +0100, Justin Cormack wrote: > On 31 March 2015 at 20:07, Denys Vlasenko <vda.linux@googlemail.com> wrote: > > On Mon, Mar 30, 2015 at 7:31 AM, Rich Felker <dalias@libc.org> wrote: > >> For details on CVE-2015-1817, see: > >> http://www.openwall.com/lists/musl/2015/03/30/1 > >> > >> With musl-linked Busybox installed setuid and ping enabled, exploiting > >> this issue is trivial. > >> > >> While CVE-2015-1817 is certainly musl's fault, there are two changes > >> to Busybox I'd like to propose that would have prevented it from being > >> exploitable: > >> > >> 1. Having setuid utilities like ping obtain the resource they need (in > >> the case of ping, SOCK_RAW) without processing user input at all, > >> then fully dropping root (setuid(getuid())) before doing anything. > >> This has been standard practice for setuid programs since the 90s > >> and it feels bad that busybox is not doing it. > > > > In general this is acceptable, but with this particular case > > and CVE, it wouldn't help. > > > > create_icmp_socket(lsa) needs to know of which address family > > the socket should be: > > > > if (lsa->u.sa.sa_family == AF_INET6) > > sock = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6); > > else > > sock = socket(AF_INET, SOCK_RAW, 1); /* 1 == ICMP */ > > > > This is only known after HOST is parsed. > > And CVE is in DNS resolving code :( > > One advantage if the traditional separation of ping and ping6. I'm against this separation. It relegates IPv6 addresses to second-class status and this kind of treatment is part of the reason why IPv6 support remains spotty. And you don't automatically know in advance if a name is going to resolve to IPv4 or IPv6. > >> 2. Reconsider the rejection of the patch to add SOCK_DGRAM support for > >> ping, which allows it to run without root. > > > > This seems to lead to a significantly larger code. > > Slightly larger code or security holes. Note that in this case it was at the libc level, but this could equally have happened at the busybox level. Also the issue is not exclusive to musl even at the libc level. I seem to recall there being a few vulns in glibc's getaddrinfo over the past couple years which may also have been affected. > Is it really that much bigger? I don't think so. Rich ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Busybox on musl is affected by CVE-2015-1817 2015-03-31 19:07 ` Denys Vlasenko 2015-03-31 23:11 ` Justin Cormack @ 2015-03-31 23:48 ` Rich Felker 2015-04-01 7:41 ` u-wsnj 1 sibling, 1 reply; 19+ messages in thread From: Rich Felker @ 2015-03-31 23:48 UTC (permalink / raw) To: Denys Vlasenko; +Cc: busybox, musl On Tue, Mar 31, 2015 at 09:07:19PM +0200, Denys Vlasenko wrote: > On Mon, Mar 30, 2015 at 7:31 AM, Rich Felker <dalias@libc.org> wrote: > > For details on CVE-2015-1817, see: > > http://www.openwall.com/lists/musl/2015/03/30/1 > > > > With musl-linked Busybox installed setuid and ping enabled, exploiting > > this issue is trivial. > > > > While CVE-2015-1817 is certainly musl's fault, there are two changes > > to Busybox I'd like to propose that would have prevented it from being > > exploitable: > > > > 1. Having setuid utilities like ping obtain the resource they need (in > > the case of ping, SOCK_RAW) without processing user input at all, > > then fully dropping root (setuid(getuid())) before doing anything. > > This has been standard practice for setuid programs since the 90s > > and it feels bad that busybox is not doing it. > > In general this is acceptable, but with this particular case > and CVE, it wouldn't help. Sure it does. > create_icmp_socket(lsa) needs to know of which address family > the socket should be: > > if (lsa->u.sa.sa_family == AF_INET6) > sock = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6); > else > sock = socket(AF_INET, SOCK_RAW, 1); /* 1 == ICMP */ > > This is only known after HOST is parsed. > And CVE is in DNS resolving code :( The solution is simple: create both raw sockets and close the one you don't need later. There's probably also a way to use the AF_INET6 raw socket or IPv4 ping, but I don't know right off. > > 2. Reconsider the rejection of the patch to add SOCK_DGRAM support for > > ping, which allows it to run without root. > > This seems to lead to a significantly larger code. I don't recall the exact amount, but given that busybox's suid framework is not taking any precautions to mitigate the risks of suid (not to mention that eliminating all suids is a goal of some security-conscious systems integrators) I think it would be worth it even if it doubled the size of the ping utility (which it does not). Rich ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Re: Busybox on musl is affected by CVE-2015-1817 2015-03-31 23:48 ` Rich Felker @ 2015-04-01 7:41 ` u-wsnj 2015-04-01 7:52 ` Raphael Cohn 2015-04-01 8:11 ` Harald Becker 0 siblings, 2 replies; 19+ messages in thread From: u-wsnj @ 2015-04-01 7:41 UTC (permalink / raw) To: musl; +Cc: busybox On Tue, Mar 31, 2015 at 07:48:10PM -0400, Rich Felker wrote: > > > 2. Reconsider the rejection of the patch to add SOCK_DGRAM support for > > > ping, which allows it to run without root. > > > > This seems to lead to a significantly larger code. > > I don't recall the exact amount, but given that busybox's suid > framework is not taking any precautions to mitigate the risks of suid > (not to mention that eliminating all suids is a goal of some > security-conscious systems integrators) Yes it is here (the goal). Suid is a very old and nowadays quite redundant tool, mostly holding ground due to its "simplicity" (say, compared to talking to a daemon) and to the tradition. Seen from a different perspective, it is from the pre-network epoch ("the computer is the universe") and enforces among others hardcoded paths - which is a PITA for reusable and globally placed software. > I think it would be worth it > even if it doubled the size of the ping utility (which it does not). +1 Rune ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Re: Busybox on musl is affected by CVE-2015-1817 2015-04-01 7:41 ` u-wsnj @ 2015-04-01 7:52 ` Raphael Cohn 2015-04-01 8:11 ` Harald Becker 1 sibling, 0 replies; 19+ messages in thread From: Raphael Cohn @ 2015-04-01 7:52 UTC (permalink / raw) To: musl [-- Attachment #1: Type: text/plain, Size: 1591 bytes --] Rich, Justin, Rune: Seconded. The need for a discussion here is deeply worrying. It's not smaller code if it's insecure code. And given two very viable techniques, it seems moot. Personally, I'd be in favour of the SOCK_DGRAM approach, as it eliminates the need for setuid. How difficult would it be for someone to maintain this patch in a forked BusyBox, or as a compile option (turned on by default)? (I'd be happy to help with this). Is this something Alpine Linux might consider? On 1 April 2015 at 08:41, <u-wsnj@aetey.se> wrote: > On Tue, Mar 31, 2015 at 07:48:10PM -0400, Rich Felker wrote: > > > > 2. Reconsider the rejection of the patch to add SOCK_DGRAM support > for > > > > ping, which allows it to run without root. > > > > > > This seems to lead to a significantly larger code. > > > > I don't recall the exact amount, but given that busybox's suid > > framework is not taking any precautions to mitigate the risks of suid > > (not to mention that eliminating all suids is a goal of some > > security-conscious systems integrators) > > Yes it is here (the goal). > > Suid is a very old and nowadays quite redundant tool, mostly holding > ground due to its "simplicity" (say, compared to talking to a daemon) > and to the tradition. Seen from a different perspective, it is from the > pre-network epoch ("the computer is the universe") and enforces among > others hardcoded paths - which is a PITA for reusable and globally > placed software. > > > I think it would be worth it > > even if it doubled the size of the ping utility (which it does not). > > +1 > > Rune > > [-- Attachment #2: Type: text/html, Size: 2116 bytes --] ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Re: Busybox on musl is affected by CVE-2015-1817 2015-04-01 7:41 ` u-wsnj 2015-04-01 7:52 ` Raphael Cohn @ 2015-04-01 8:11 ` Harald Becker 2015-04-01 8:49 ` u-wsnj 1 sibling, 1 reply; 19+ messages in thread From: Harald Becker @ 2015-04-01 8:11 UTC (permalink / raw) To: musl Hi ! On 01.04.2015 09:41, u-wsnj@aetey.se wrote: > Suid is a very old and nowadays quite redundant tool, mostly holding > ground due to its "simplicity" (say, compared to talking to a daemon) > and to the tradition. Seen from a different perspective, it is from the > pre-network epoch ("the computer is the universe") and enforces among > others hardcoded paths - which is a PITA for reusable and globally > placed software. IMO suid and sgid has there advantage over complex communication with separate running daemons, but there is one topic, which is missed by so many discussions about this: There is a big difference if you talk about suid *root* programs or other suid usage. The former is definitely very dangerous and should be used with extreme care (I think this is the case we are talking about), the later use may even be used to drop privileges (not to raise), or to temporarily hop to the privileges of a different user (may be allowing access to some files only by using specific commands). When used with care and as intended, suid and sgid is a nice feature, but nowadays there are too many Unix novices, who misunderstand or misuse this, punching big holes in every security concern. >> I think it would be worth it >> even if it doubled the size of the ping utility (which it does not). > +1 ACK +1 -- Harald ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Re: Busybox on musl is affected by CVE-2015-1817 2015-04-01 8:11 ` Harald Becker @ 2015-04-01 8:49 ` u-wsnj 2015-04-02 13:56 ` Harald Becker 2015-04-02 15:38 ` Re: Busybox on musl is affected by CVE-2015-1817 Rich Felker 0 siblings, 2 replies; 19+ messages in thread From: u-wsnj @ 2015-04-01 8:49 UTC (permalink / raw) To: musl Hi Harald, On Wed, Apr 01, 2015 at 10:11:51AM +0200, Harald Becker wrote: > There is a big difference if you talk about suid > *root* programs or other suid usage. > > The former is definitely very dangerous and should be used with extreme care > (I think this is the case we are talking about), the later use may even be > used to drop privileges (not to raise), or to temporarily hop to the You are right about a remarkable difference between suid root and suid somethingelse, just because root has the very special role in Unix. Besides root vs non-root I doubt there is any clear line between "raising" and "dropping" privileges, you replace one set of allowed operations by a different one, that's it. Note that root does not need suid to drop its privileges. > privileges of a different user (may be allowing access to some files only by > using specific commands). As soon as a program is setuid it has to be written for the purpose of very reliably checking and limiting what it does on behalf of who, independently of how it can potentially be invoked "out of context". This is known to be hard, I believe it is harder to do reliably than e.g. issue a request to a daemon - talking about the complexity level. Thus the setuid program is to be designed to be as small as possible, presumably leaving all non-checking functions to (a) different executable(s). Then the result becomes about as intricate as talking to a daemon, which can be run without any setuid. > When used with care and as intended, suid and sgid is a nice feature, but Unfortunately I can not really appreciate its beauty which appears to hide the complexity and/or move it to other parties (like the dynamic linker or the software maintenance infrastructure). Yes it "looks simple and efficient" but is it, really? > nowadays there are too many Unix novices, who misunderstand or misuse this, > punching big holes in every security concern. Unfortunately even seasoned gurus easily create / fail to notice holes! :( Rune ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Re: Busybox on musl is affected by CVE-2015-1817 2015-04-01 8:49 ` u-wsnj @ 2015-04-02 13:56 ` Harald Becker 2015-04-02 17:26 ` Рысь 2015-04-02 15:38 ` Re: Busybox on musl is affected by CVE-2015-1817 Rich Felker 1 sibling, 1 reply; 19+ messages in thread From: Harald Becker @ 2015-04-02 13:56 UTC (permalink / raw) To: musl Hi ! On 01.04.2015 10:49, u-wsnj@aetey.se wrote: > Note that root does not need suid to drop its privileges. Yes, but may benefit from the simplicity to do the drop: Consider a suid program to a low privileged user, whenever that program is called from any root process, the called program automatically drops it's privileges. So you do not need to drop privileges in every possible caller. >> privileges of a different user (may be allowing access to some >> files only by using specific commands). > > As soon as a program is setuid it has to be written for the purpose > of very reliably checking and limiting what it does on behalf of > who, independently of how it can potentially be invoked "out of > context". ACK. Any program going to be used with suid, or sgid has to be designed for this. > This is known to be hard, I believe it is harder to do reliably than > e.g. issue a request to a daemon - talking about the complexity > level. Hard? A single getuid() call gives the user id of the calling user (real user id), where the program runns with the priviledges of the effective user (geteuid). So you can pick the real user id and check this against a list of allowed users; same to getgid(). In addition: suid programs should set the owning group and permisions carefully, e.g. fileuser:accessgroup owner=suid+x, group=x, other=none; where the directories and files are owned by fileuser, with permissions only to that user and nobody else. A simple mechanism giving you a shield protecting your data from being tampered by any other users programs (except root), but still all users which are a member of group accessgroup can use your program, and access the data in the intended manner. > Thus the setuid program is to be designed to be as small as > possible, presumably leaving all non-checking functions to (a) > different executable(s). True, for suid *root* programs, but otherwise I doubt. I see no such need in e.g. the example above. > Then the result becomes about as intricate as talking to a daemon, > which can be run without any setuid. I never told talking to a daemon is of no use, but many suid usages are possible without the daemon overhead, and still not risking security violations. The big flaws are: a) setting suid for a program never designed for that use b) suid *root* (flaw by design) IMO the case b should be blocked by the kernel and replaced with a more reliable reaction: Whenever the kernel detects a suid *root* program, it does not start that program, but picks a configured path, for a statically linked binary, with owner root, only executable by root, and no permissions to others. That program shall be started by the kernel, giving the path to the called program as first argument, then the remaining arguments. This single *real suid root* program get than control (single point of failure), and has to do the security relevant part (as you mentioned above). Only when there is no doubt of usage, this single program drops the privileges to the determined / required user, and then exec to the intended program. In other words, any program marked suid root is automatically invoked through a program like sudo, which does the security checking, before invoking any other code ... but without need of manually reentering that sudo command on every program invocation. This would be a very simple change in the kernel, giving a big step to more security ... but still such things are missing :( >> When used with care and as intended, suid and sgid is a nice >> feature, but > > Unfortunately I can not really appreciate its beauty which appears to > hide the complexity and/or move it to other parties (like the dynamic > linker or the software maintenance infrastructure). Yes it "looks > simple and efficient" but is it, really? Not talking about suid *root*, which difficulties do you see? It's beauty lies in it's simplicity and efficiency, but it's danger in the widely misunderstanding and unintended usage. >> nowadays there are too many Unix novices, who misunderstand or >> misuse this, punching big holes in every security concern. > > Unfortunately even seasoned gurus easily create / fail to notice > holes! :( We are all humans and make mistakes, but a lot of those gurus forget about this ... ok, they are gurus and no more humans ;) See above: suid to *not root* is ok, suid *root* is flaw by design :( Harald ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Re: Busybox on musl is affected by CVE-2015-1817 2015-04-02 13:56 ` Harald Becker @ 2015-04-02 17:26 ` Рысь 2015-04-02 18:16 ` Harald Becker 2015-04-02 18:36 ` u-wsnj 0 siblings, 2 replies; 19+ messages in thread From: Рысь @ 2015-04-02 17:26 UTC (permalink / raw) To: musl On Thu, 02 Apr 2015 15:56:04 +0200 Harald Becker <ralda@gmx.de> wrote: > Hi ! > > On 01.04.2015 10:49, u-wsnj@aetey.se wrote: > > Note that root does not need suid to drop its privileges. > > Yes, but may benefit from the simplicity to do the drop: > > Consider a suid program to a low privileged user, whenever that > program is called from any root process, the called program > automatically drops it's privileges. So you do not need to drop > privileges in every possible caller. > > > >> privileges of a different user (may be allowing access to some > >> files only by using specific commands). > > > > As soon as a program is setuid it has to be written for the purpose > > of very reliably checking and limiting what it does on behalf of > > who, independently of how it can potentially be invoked "out of > > context". > > ACK. Any program going to be used with suid, or sgid has to be > designed for this. > > > This is known to be hard, I believe it is harder to do reliably than > > e.g. issue a request to a daemon - talking about the complexity > > level. > > Hard? A single getuid() call gives the user id of the calling user > (real user id), where the program runns with the priviledges of the > effective user (geteuid). So you can pick the real user id and check > this against a list of allowed users; same to getgid(). > > In addition: suid programs should set the owning group and permisions > carefully, e.g. fileuser:accessgroup owner=suid+x, group=x, > other=none; where the directories and files are owned by fileuser, > with permissions only to that user and nobody else. > > A simple mechanism giving you a shield protecting your data from > being tampered by any other users programs (except root), but still > all users which are a member of group accessgroup can use your > program, and access the data in the intended manner. > > > > Thus the setuid program is to be designed to be as small as > > possible, presumably leaving all non-checking functions to (a) > > different executable(s). > > True, for suid *root* programs, but otherwise I doubt. I see no such > need in e.g. the example above. > > > > Then the result becomes about as intricate as talking to a daemon, > > which can be run without any setuid. > > I never told talking to a daemon is of no use, but many suid usages > are possible without the daemon overhead, and still not risking > security violations. > > The big flaws are: > > a) setting suid for a program never designed for that use > > b) suid *root* (flaw by design) > > IMO the case b should be blocked by the kernel and replaced with a > more reliable reaction: > > Whenever the kernel detects a suid *root* program, it does not start > that program, but picks a configured path, for a statically linked > binary, with owner root, only executable by root, and no permissions > to others. That program shall be started by the kernel, giving the > path to the called program as first argument, then the remaining > arguments. > > This single *real suid root* program get than control (single point > of failure), and has to do the security relevant part (as you > mentioned above). Only when there is no doubt of usage, this single > program drops the privileges to the determined / required user, and > then exec to the intended program. > > In other words, any program marked suid root is automatically invoked > through a program like sudo, which does the security checking, before > invoking any other code ... but without need of manually reentering > that sudo command on every program invocation. > > This would be a very simple change in the kernel, giving a big step > to more security ... but still such things are missing :( Please *do not* touch setuid when it may save time and you from headcrash course when you appeared to lock yourself and your (embedded) device, for example. This already failed with selinux phones. Nobody is vulnerable when you don't have setuid executables or mounted nosuid. No need to change the kernel. Because someone does not care about your security does not mean that you should accept and inherit that. Audit your filesystem and remove all setuid bits from all programs, move/rename them as prog.real and place a shell script in place which will call setuid wrapper which then will setreuid(uid, 0) then execve(). FYI I already implemented such a scheme and program and quite happy with it and I always know which executable is setuid on my system. It even has a rules which control various objects of access. The *only* problem is that writing such a program is a big pain because your code will be searched often for security bugs. So I'm in doubts. > > > >> When used with care and as intended, suid and sgid is a nice > >> feature, but > > > > Unfortunately I can not really appreciate its beauty which appears > > to hide the complexity and/or move it to other parties (like the > > dynamic linker or the software maintenance infrastructure). Yes it > > "looks simple and efficient" but is it, really? > > Not talking about suid *root*, which difficulties do you see? It's > beauty lies in it's simplicity and efficiency, but it's danger in the > widely misunderstanding and unintended usage. > > > >> nowadays there are too many Unix novices, who misunderstand or > >> misuse this, punching big holes in every security concern. > > > > Unfortunately even seasoned gurus easily create / fail to notice > > holes! :( > > We are all humans and make mistakes, but a lot of those gurus forget > about this ... ok, they are gurus and no more humans ;) > > See above: suid to *not root* is ok, suid *root* is flaw by design :( > > Harald ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Re: Busybox on musl is affected by CVE-2015-1817 2015-04-02 17:26 ` Рысь @ 2015-04-02 18:16 ` Harald Becker 2015-04-03 4:40 ` Рысь 2015-04-02 18:36 ` u-wsnj 1 sibling, 1 reply; 19+ messages in thread From: Harald Becker @ 2015-04-02 18:16 UTC (permalink / raw) To: musl On 02.04.2015 19:26, Рысь wrote: > Please *do not* touch setuid when it may save time and you from > headcrash course when you appeared to lock yourself and your (embedded) > device, for example. This already failed with selinux phones. This was just a few theoretical words about that suid *root* problem: Even if anybody would add this to the Linux kernel, it would only affect suid *root* programs, and run them through a wrapper program, something like sudo. Any other suid, and sgid would not be affected > Nobody is vulnerable when you don't have setuid executables or mounted > nosuid. No need to change the kernel. Nobody talked about loosing the possibility to mount, etc. ... my suggestion would just work, as you start any such command with a sudo prefix and than let sudo decide if you are allowed to do the operation. Think of not enabling suid *root* mount for all user, but let a wrapper check if the user is allowed to do the operation, and if so, proceed to this as expected, let some others require to enter a password, and deny the rest (depending on what is configured for your system). > Because someone does not care about your security does not mean that > you should accept and inherit that. Audit your filesystem and remove all > setuid bits from all programs, move/rename them as prog.real and place > a shell script in place which will call setuid wrapper which then will > setreuid(uid, 0) then execve(). This is what I'm currently doing, on my systems: A small wrapper checks some things, and proceed to the called program afterwards. So I do have only one suid *root* program, except some system related stuff from a distro. Except that my suggestion would just run such a wrapper automatically for suid *root* programs, it can easily be disabled in the kernel (via a sysctl setting). So this would be an optional security approach, for those who like this wrapper idea. ... but: The discussion was, about the sense of suid, and I wanted to note, the difference between suid *root* and suid *any other user*. > FYI I already implemented such a scheme and program and quite happy with > it and I always know which executable is setuid on my system. It even > has a rules which control various objects of access. The *only* problem > is that writing such a program is a big pain because your code will be > searched often for security bugs. So I'm in doubts. And this is one of the reasons for my suggestion, all that would benefit from a central wrapper, which is able to do sanity checks and reject the most common caveats, e.g. letting suid *root* programs be writable by anybody else than root. This central wrapper would be more easy to inspect for security violations than every other program (more eyes on a single part = higher security). ... but this was all theoretical: How I would try to solve some of the known suid *root* problems. Harald ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Re: Busybox on musl is affected by CVE-2015-1817 2015-04-02 18:16 ` Harald Becker @ 2015-04-03 4:40 ` Рысь 2015-04-04 5:35 ` Harald Becker 0 siblings, 1 reply; 19+ messages in thread From: Рысь @ 2015-04-03 4:40 UTC (permalink / raw) To: musl On Thu, 02 Apr 2015 20:16:22 +0200 Harald Becker <ralda@gmx.de> wrote: > On 02.04.2015 19:26, Рысь wrote: > > Please *do not* touch setuid when it may save time and you from > > headcrash course when you appeared to lock yourself and your > > (embedded) device, for example. This already failed with selinux > > phones. > > This was just a few theoretical words about that suid *root* problem: > > Even if anybody would add this to the Linux kernel, it would only > affect suid *root* programs, and run them through a wrapper program, > something like sudo. Any other suid, and sgid would not be affected > Well and losing a maybe crufty, cheaty but *always* working mechanism which is expected to work on every Unix system. I think there is no such a problem as setuid problem, root or user, when it is properly handled. (Sorry if it's too ranty, but I already eaten by all this security dance on recent android phones) > > > Nobody is vulnerable when you don't have setuid executables or > > mounted nosuid. No need to change the kernel. > > Nobody talked about loosing the possibility to mount, etc. ... my > suggestion would just work, as you start any such command with a sudo > prefix and than let sudo decide if you are allowed to do the > operation. > > Think of not enabling suid *root* mount for all user, but let a > wrapper check if the user is allowed to do the operation, and if so, > proceed to this as expected, let some others require to enter a > password, and deny the rest (depending on what is configured for your > system). > I don't follow. I talked previous about disabling all setuids just by: mount -o remount,nosuid /some/mount in your rc.local, or adding (on sane systems) "nosuid" flag to fstab. Or just find / -xdev -perm -4000 -exec ls -l '{}' ';' and select which you want to disable. (and same with -2000 for setgids) And yes, for other part about wrapper, this already works, but without any requirement to patch the kernel or making this patch mandatory. The wrapper even setups sane environment, overwrites argv0 when needed and programs not tied to /proc/self/exe checks or similar just work as expected. > > > Because someone does not care about your security does not mean that > > you should accept and inherit that. Audit your filesystem and > > remove all setuid bits from all programs, move/rename them as > > prog.real and place a shell script in place which will call setuid > > wrapper which then will setreuid(uid, 0) then execve(). > > This is what I'm currently doing, on my systems: A small wrapper > checks some things, and proceed to the called program afterwards. So > I do have only one suid *root* program, except some system related > stuff from a distro. > > Except that my suggestion would just run such a wrapper automatically > for suid *root* programs, it can easily be disabled in the kernel > (via a sysctl setting). So this would be an optional security > approach, for those who like this wrapper idea. How about porting to other systems? There are ones with hardwired assumptions about setuid all over their userspace source code. Of course they maybe changed, but it will take *much* longer time than just disable all setuids on average Linux system and forward them through wrapper. > > ... but: > > The discussion was, about the sense of suid, and I wanted to note, > the difference between suid *root* and suid *any other user*. > setuid other user can be as same evil as setuid root. > > > FYI I already implemented such a scheme and program and quite happy > > with it and I always know which executable is setuid on my system. > > It even has a rules which control various objects of access. The > > *only* problem is that writing such a program is a big pain because > > your code will be searched often for security bugs. So I'm in > > doubts. > > And this is one of the reasons for my suggestion, all that would > benefit from a central wrapper, which is able to do sanity checks and > reject the most common caveats, e.g. letting suid *root* programs be > writable by anybody else than root. This central wrapper would be > more easy to inspect for security violations than every other program > (more eyes on a single part = higher security). Maybe. I still not sure about it. > > ... but this was all theoretical: How I would try to solve some of > the known suid *root* problems. > > Harald > Well apart of modifying kernel for no reason this are good ideas if a wrapper is simple enough to review. But more things evolve you need to care about for programs then more you need code to add and more potential bugs. But maybe it's just my impression because I did spent a year developing one alone. ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Re: Busybox on musl is affected by CVE-2015-1817 2015-04-03 4:40 ` Рысь @ 2015-04-04 5:35 ` Harald Becker 0 siblings, 0 replies; 19+ messages in thread From: Harald Becker @ 2015-04-04 5:35 UTC (permalink / raw) To: musl Hi, I don't want to follow this discussion into deep. It was a pure theoretical suggestion, and I don't think anybody is going to change something on this. ... but please read complete, you did something misunderstand: On 03.04.2015 06:40, Рысь wrote: >> Even if anybody would add this to the Linux kernel, it would only >> affect suid *root* programs, and run them through a wrapper program, >> something like sudo. Any other suid, and sgid would not be affected > > Well and losing a maybe crufty, cheaty but *always* working mechanism > which is expected to work on every Unix system. I think there is no > such a problem as setuid problem, root or user, when it is properly > handled. And what about, the kernel does this only, when a wrapper is configured (e.g by a sysctl like hotplug handler)? If you do not write anything to the sysctl variable you get the plain old suid *root* operation, but when the name of a wrapper program has been written to the sysctl variable *and* this program is not writable by any other than root, it does run through the wrapper ... *and* (in addition) when you write a "locked" to the sysctl variable, this feature can get locked in it's current state and no one may do further changes to this setting until kernel restart (for those who fear). ... let you get all you like, without hitting anyone staying on current behavior. > (Sorry if it's too ranty, but I already eaten by all this security dance > on recent android phones) I hate overdone security too. Beside being theoretical, my intention was an "optional" feature for those who like. > I don't follow. I talked previous about disabling all setuids just by: > mount -o remount,nosuid /some/mount This is something completely different, in no way affected by my intention ... but disables all suid usage, also suid to *none root*. > And yes, for other part about wrapper, this already works, but without > any requirement to patch the kernel or making this patch mandatory. ... but then you need to call the wrapper explicitly for each command, or replacing the command with a script calling the wrapper, loosing the possibility to block unintended suid *root* usage. > How about porting to other systems? There are ones with hardwired > assumptions about setuid all over their userspace source code. Of > course they maybe changed, but it will take *much* longer time than > just disable all setuids on average Linux system and forward them > through wrapper. a) differentiate between suid *root* and *suid none root* (the later won't get effected ever) b) my intention was an optional feature, for those who like, but it will only work with some slight help of the kernel, not affecting anybody who does not activate this > setuid other user can be as same evil as setuid root. When misdone, yes! Don't use it if you don't like it. > Well apart of modifying kernel for no reason this are good ideas if a > wrapper is simple enough to review. But more things evolve you need to > care about for programs then more you need code to add and more > potential bugs. But maybe it's just my impression because I did spent a > year developing one alone. When we talk here about a wrapper, please think of something like sudo, which is configurable, so any new program mean adding this program to the configuration, not more code to write. ... and the intended wrapper feature will only work with a little help of the kernel (else there is no increased security): Currently it does (rough): if program to exec is not suid exec the program with args else save real user id switch effective user id to the owner of the program exec the program with args My intention would be: if program to exec is not suid exec the program with args else save real user id switch effective user id to the owner of the program if program owner is root and wrapper program configured exec wrapper with name of program plus args else exec the program with args Where the wrapper does the security checking then exec to program with args, but may reject invocation before any code of the given program is executed. This was my suggestion. How would that hit anybody in any way, who does not write a wrapper name to the sysctl variable? Harald ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Re: Busybox on musl is affected by CVE-2015-1817 2015-04-02 17:26 ` Рысь 2015-04-02 18:16 ` Harald Becker @ 2015-04-02 18:36 ` u-wsnj 2015-04-03 4:51 ` Рысь 1 sibling, 1 reply; 19+ messages in thread From: u-wsnj @ 2015-04-02 18:36 UTC (permalink / raw) To: musl On Fri, Apr 03, 2015 at 12:26:56AM +0700, Рысь wrote: [Harald Becker wrote] > > This would be a very simple change in the kernel, giving a big step > > to more security ... but still such things are missing :( [answering to Harald Becker] Credentials handling in the kernel is a result of a very long evolution and efforts for making the behaviour both relatively consistent and conforming to its documented standard definition. If you believe that such a change can be simple and easily contained in scope, you fall for wishful thinking. Unix is monolithic by design, it is extremely hard to improve without throwing out its design or otherwise hitting lots of issues in very different places where you inadvertently would break someone else's assumptions. Linux did not throw out the design and thus had to preserve lots of problems and limitations, for a reason. On Fri, Apr 03, 2015 at 12:26:56AM +0700, Рысь wrote: > Audit your filesystem and remove all > setuid bits from all programs, move/rename them as prog.real and place > a shell script in place which will call setuid wrapper which then will > setreuid(uid, 0) then execve(). This way you are still exposed to setuid and also still depend on how the prog.real is going to use the supplied credentials. You more or less have to reimplement in your wrapper the checks expected "to be already present" in the program, without any control over its internals. This can certainly improve the situation if you are (which presumably is the case) more security-oriented and thoughtful than the upstream developer, but you are in an uphill battle. For me this does not look like a solution, rather like a patchwork which may or may not be effective. Rune ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Re: Busybox on musl is affected by CVE-2015-1817 2015-04-02 18:36 ` u-wsnj @ 2015-04-03 4:51 ` Рысь 2015-04-03 10:31 ` [OT] setuid (Re: Busybox on musl is affected by CVE-2015-1817) u-wsnj 0 siblings, 1 reply; 19+ messages in thread From: Рысь @ 2015-04-03 4:51 UTC (permalink / raw) To: musl On Thu, 2 Apr 2015 20:36:27 +0200 u-wsnj@aetey.se wrote: > On Fri, Apr 03, 2015 at 12:26:56AM +0700, Рысь wrote: > > Audit your filesystem and remove all > > setuid bits from all programs, move/rename them as prog.real and > > place a shell script in place which will call setuid wrapper which > > then will setreuid(uid, 0) then execve(). > > This way you are still exposed to setuid and also still depend on how > the prog.real is going to use the supplied credentials. You more or > less have to reimplement in your wrapper the checks expected "to be > already present" in the program, without any control over its > internals. If talking about ping issue then yes, ping and other such programs must not even start to process user input when not sure. You've got setuid -- quickly drop it when needed privileged resource is obtained. Tools just need to be fixed, without surrounding scream and initiating another security dances which usually only hurt. Instead of wrapper there maybe limiting group which members can run program, but Unix credentials were always somewhat limited and at some point you understand that without certain things like ACLs or sudo you can't effectively partition privileges. > > This can certainly improve the situation if you are (which presumably > is the case) more security-oriented and thoughtful than the upstream > developer, but you are in an uphill battle. > > For me this does not look like a solution, rather like a patchwork > which may or may not be effective. > > Rune > ^ permalink raw reply [flat|nested] 19+ messages in thread
* [OT] setuid (Re: Busybox on musl is affected by CVE-2015-1817) 2015-04-03 4:51 ` Рысь @ 2015-04-03 10:31 ` u-wsnj 0 siblings, 0 replies; 19+ messages in thread From: u-wsnj @ 2015-04-03 10:31 UTC (permalink / raw) To: musl On Fri, Apr 03, 2015 at 11:51:58AM +0700, Рысь wrote: > Unix credentials were always somewhat limited Exactly. Set*id was created to complement the poor authorization means in the kernel (acls limited to three permissions and crippled to exactly three group-like entries with restricted semantics, for implementation efficiency reasons). It (set*id) is a very powerful, general and wide reaching tool intended in contrast for special and varying situations which need specific treatment, that's why it needs extreme skills and care at every use. This does not scale. Rune ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Re: Busybox on musl is affected by CVE-2015-1817 2015-04-01 8:49 ` u-wsnj 2015-04-02 13:56 ` Harald Becker @ 2015-04-02 15:38 ` Rich Felker 2015-04-02 18:02 ` u-wsnj 1 sibling, 1 reply; 19+ messages in thread From: Rich Felker @ 2015-04-02 15:38 UTC (permalink / raw) To: musl, busybox On Wed, Apr 01, 2015 at 10:49:40AM +0200, u-wsnj@aetey.se wrote: > Hi Harald, > > On Wed, Apr 01, 2015 at 10:11:51AM +0200, Harald Becker wrote: > > There is a big difference if you talk about suid > > *root* programs or other suid usage. > > > > The former is definitely very dangerous and should be used with extreme care > > (I think this is the case we are talking about), the later use may even be > > used to drop privileges (not to raise), or to temporarily hop to the > > You are right about a remarkable difference between suid root and suid > somethingelse, just because root has the very special role in Unix. The difference is there but it's not as remarkable as you think. As soon as you can get control of uid==suid_target_uid, you can do nasty things as that user like modifying the binary that's suid to that user, so that the next user who invokes it invokes malicious code. suid is pretty much across-the-board evil. > Besides root vs non-root I doubt there is any clear line between "raising" > and "dropping" privileges, you replace one set of allowed operations by > a different one, that's it. Note that root does not need suid to drop > its privileges. "Dropping" privileges in the sense of suid just means setting the effective and saved uids for the process to the real (invoking, returned by getuid()) uid. > > privileges of a different user (may be allowing access to some files only by > > using specific commands). > > As soon as a program is setuid it has to be written for the purpose > of very reliably checking and limiting what it does on behalf of who, > independently of how it can potentially be invoked "out of context". > This is known to be hard, I believe it is harder to do reliably than > e.g. issue a request to a daemon - talking about the complexity level. Yes. Said differently, the difference is a huge and perpetually expanding attack surface (all process state inheritable across exec) versus a tiny attack surface (one unix socket). Please don't misinterpret this -- I'm not saying that busybox should be implementing a "ping daemon". Rather we should be using the functionality the kernel gave us for avoiding suid (SOCK_DGRAM ICMP) when it's available and making it possible for users to get a fully functional busybox without the need for suid. > > When used with care and as intended, suid and sgid is a nice feature, but > > Unfortunately I can not really appreciate its beauty which appears to hide > the complexity and/or move it to other parties (like the dynamic linker > or the software maintenance infrastructure). Yes it "looks simple and > efficient" but is it, really? It's not. > > nowadays there are too many Unix novices, who misunderstand or misuse this, > > punching big holes in every security concern. > > Unfortunately even seasoned gurus easily create / fail to notice holes! > :( I'd much rather eliminate the opportunity for the hole from the start. Rich ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Re: Busybox on musl is affected by CVE-2015-1817 2015-04-02 15:38 ` Re: Busybox on musl is affected by CVE-2015-1817 Rich Felker @ 2015-04-02 18:02 ` u-wsnj 0 siblings, 0 replies; 19+ messages in thread From: u-wsnj @ 2015-04-02 18:02 UTC (permalink / raw) To: musl; +Cc: busybox On Thu, Apr 02, 2015 at 11:38:25AM -0400, Rich Felker wrote: > > Unfortunately I can not really appreciate its beauty which appears to hide > > the complexity and/or move it to other parties (like the dynamic linker > > or the software maintenance infrastructure). Yes it "looks simple and > > efficient" but is it, really? > > It's not. This was intended to be a rhetorical question but a clear statement surely does not hurt. > > Unfortunately even seasoned gurus easily create / fail to notice holes! > > :( > > I'd much rather eliminate the opportunity for the hole from the start. Exactly. Honestly this is what I meant. Rune ^ permalink raw reply [flat|nested] 19+ messages in thread
end of thread, other threads:[~2015-04-04 5:35 UTC | newest] Thread overview: 19+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2015-03-30 5:31 Busybox on musl is affected by CVE-2015-1817 Rich Felker 2015-03-31 19:07 ` Denys Vlasenko 2015-03-31 23:11 ` Justin Cormack 2015-03-31 23:51 ` Rich Felker 2015-03-31 23:48 ` Rich Felker 2015-04-01 7:41 ` u-wsnj 2015-04-01 7:52 ` Raphael Cohn 2015-04-01 8:11 ` Harald Becker 2015-04-01 8:49 ` u-wsnj 2015-04-02 13:56 ` Harald Becker 2015-04-02 17:26 ` Рысь 2015-04-02 18:16 ` Harald Becker 2015-04-03 4:40 ` Рысь 2015-04-04 5:35 ` Harald Becker 2015-04-02 18:36 ` u-wsnj 2015-04-03 4:51 ` Рысь 2015-04-03 10:31 ` [OT] setuid (Re: Busybox on musl is affected by CVE-2015-1817) u-wsnj 2015-04-02 15:38 ` Re: Busybox on musl is affected by CVE-2015-1817 Rich Felker 2015-04-02 18:02 ` u-wsnj
Code repositories for project(s) associated with this public inbox https://git.vuxu.org/mirror/musl/ This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).