[ubuntu-hardened] Removing suid root from binaries where it isn't needed

Chad Sellers chad at thesellers.net
Tue Oct 30 21:30:55 GMT 2007


On Oct 30, 2007, at 3:11 PM, gaten wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> This list actually lives, I'm happily surprised.
>
> Jeff Schroeder wrote:
>> Serge Hallyn's recent implement-file-system-posix-capabilities.patch
>> finally got the buyoff from Andrew Morton and is going to be going
>> into the as of yet unreleased 2.6.24 kernel. However, since Hardy will
>> very likely be using the 2.6.24 kernel, maybe we can look at what this
>> specific feature buys us.
>> ...
>> This might require some work for stupid userspace code that does
>> something like:
>> if (EUID != 0)
>>   die_a_miserable_death_and_say_you_only_run_as_root();
>>
>> This might mean that Ubuntu carries Ubuntu-specific patches to check
>>
> It would be great if we could forgo any "Ubuntu specific" patches, but I
> understand that might not be possible.
>
The good news here is that SELinux has already run into a lot of
these cases over the last few years, and a lot of the changes have
made it into upstream packages. So at least the set of programs that
behave as such has gotten smaller.

>> For a full list of all available capabilities, this should do:
>> awk '/^#define/{if ($2 ~ "CAP_") print $2}' /usr/include/linux/capability.h
>> And then look at the man page capabilities(7) for more information on
>> what they each are.
>>
>> Does anyone else think this is a good idea to investigate removing
>> suid root from *some* of these binaries where it doesn't break
>> anything? It seems like a win win to me. The only thing different is
>> that this would need to be prominently displayed somewhere in the
>> server docs and the fscaps tools would need to be packaged + the MIR.
>>
>
> God yes. SUID has always been a problem (or at least an attack vector),
> and I for one can see no reason NOT to do this, as long as we aren't
> breaking a million other things in the process.

I'm only a bit familiar with Serge's patch. I'm pretty sure it
requires a filesystem that supports extended attributes. You may run
into problems (particularly on the LiveCD) because of this.


Chad Sellers

> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFHJ4H0A+UZbCImQKQRAucdAJ9IjVYbuBmP4uSseTtKbInDR4OdagCfbrBE
> QXr1Y9GuQ+yp/3uKI3BCUKk=
> =DIRo
> -----END PGP SIGNATURE-----
>
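The thread above singles out userspace code that gates privileged operations on `EUID != 0`, which is exactly the check that breaks once a binary is shipped with file capabilities instead of setuid root. The following C program is an added illustration, not code from the thread or from any Ubuntu package: it contrasts the EUID-style gate with one that asks for the single capability the program actually needs, read from the `CapEff` line of `/proc/self/status`. The parsing helpers work on constructed input off-Linux; only `read_effective_caps()` and `main()` assume a Linux `/proc`. The capability numbers are the ones from `<linux/capability.h>` and are redefined here only so the file compiles where that header is absent.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Values taken from <linux/capability.h>; redefined only for portability
 * of the pure-parsing part of this example. */
#ifndef CAP_NET_ADMIN
#define CAP_NET_ADMIN 12
#endif
#ifndef CAP_NET_RAW
#define CAP_NET_RAW 13
#endif

/* Parse one "CapXxx:<tab><16 hex digits>" line in the format that
 * /proc/<pid>/status uses. Returns 0 and stores the 64-bit mask on
 * success, -1 on malformed input. */
int parse_cap_line(const char *line, uint64_t *mask_out) {
    const char *p = strchr(line, ':');
    if (!p) return -1;
    p++;
    while (*p == ' ' || *p == '\t') p++;
    char *end;
    unsigned long long v = strtoull(p, &end, 16);
    if (end == p) return -1;                    /* no hex digits at all */
    while (*end == ' ' || *end == '\t' || *end == '\n' || *end == '\r') end++;
    if (*end != '\0') return -1;                /* trailing junk */
    *mask_out = (uint64_t)v;
    return 0;
}

/* Bit test: capability numbers index bits of the 64-bit mask. */
int cap_in_mask(uint64_t mask, int cap) {
    if (cap < 0 || cap > 63) return 0;
    return (int)((mask >> cap) & 1ULL);
}

/* Read the calling process's effective set from /proc/self/status
 * (Linux only). Returns 0 on success, -1 if the line is missing. */
int read_effective_caps(uint64_t *mask_out) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256];
    int rc = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            rc = parse_cap_line(line, mask_out);
            break;
        }
    }
    fclose(f);
    return rc;
}

/* The "before" the thread complains about: refuses to run unless the
 * effective UID is 0, which is false for a binary carrying only
 * cap_net_raw+ep as a file capability. */
int old_style_gate(void) {
    return geteuid() == 0;
}

/* The "after": ask whether the one capability the program needs is
 * actually in its effective set, regardless of UID. */
int capability_gate(int needed_cap) {
    uint64_t eff;
    if (read_effective_caps(&eff) != 0) return 0;
    return cap_in_mask(eff, needed_cap);
}

int main(void) {
    printf("euid==0 gate passes:      %d\n", old_style_gate());
    printf("CAP_NET_RAW gate passes:  %d\n", capability_gate(CAP_NET_RAW));
    return 0;
}
```

Run as an unprivileged user the EUID gate prints 0 and the capability gate prints 0; run from a binary that has been given `cap_net_raw+ep` via `setcap`, the EUID gate still prints 0 while the capability gate prints 1, which is the behaviour a program must have before its setuid bit can be dropped. Checking the effective set rather than the permitted set matters: a file capability in the permitted set only is not usable until raised.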