[ubuntu-hardened] Removing suid root from binaries where it isn't needed

Chad Sellers csellers at tresys.com
Wed Oct 31 02:45:57 GMT 2007


On 10/30/07 6:04 PM, "Jeff Schroeder" <jeffschroed at gmail.com> wrote:

> On 10/30/07, Chad Sellers <chad at thesellers.net> wrote:
>> The good news here is that SELinux has already run into a lot of
>> these cases over the last few years, and a lot of the changes have
>> made it into upstream packages. So at least the set of programs that
>> behave as such has gotten smaller.
> The only things that SELinux has gotten upstream sans SELinux specific
> patches are patches to support EA (Extended Attributes) in many
> utilities that would remove them before like tar or whatnot.
> 
That's not true. SELinux has uncovered several security (excessive privilege
required, hard-coded DAC assumptions, etc.) issues with other packages.
These were frequently allowed in SELinux policy to begin with, subsequently
patched in Fedora, and eventually merged upstream. While it's true that these
patches were generally not written by the SELinux developers, SELinux
developers served as the testers to uncover the bugs.

>> I'm only a bit familiar with Serge's patch. I'm pretty sure it
>> requires a filesystem that supports extended attributes. You may run
>> into problems (particularly on the LiveCD) because of this.
> Very good point; this functionality does require a filesystem that
> supports EA, like ext3. What does the livecd use? Cramfs? Squashfs?
> There is some sort of infrastructure to deal with differences in how
> the livecd is built. I think it is called casper, but can't remember
> right now. This is an important issue to address.
> 
I'm not overly familiar with the livecd, but I believe it uses at least
unionfs with squashfs (among others). This is based on the bug that caused
apparmor to be removed from the livecd due to its problems handling unionfs.

> The other important one is implementation. How would we implement this
> on installed systems? The best way I can think of is via a postinstall
> hook or apt trigger that runs the command to give it the proper
> capabilities and strip suid root. I've done tons of rpm
> package building and still very little Debian packaging. Maybe someone
> with more knowledge in this area should look at our options.
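The postinstall-hook idea above, written out as an added example (not code from the thread or from any Ubuntu package): grant the file capability first, confirm it was actually stored, and only then strip the suid bit, so a binary on a filesystem without extended-attribute support (the livecd case) is left untouched rather than broken. It assumes Linux with libcap's setcap/getcap; the ping/cap_net_raw pairing at the bottom is an illustrative mapping, not a packaging standard.

```shell
#!/bin/sh
# Added example (not from the thread): replace the suid-root bit on a binary
# with a file capability, but only if the capability really got stored.
# Assumes Linux with libcap's setcap/getcap. The xattr write fails on
# filesystems without extended-attribute support, which is the livecd concern.

# True if FILE has the set-user-ID bit (POSIX test -u).
is_suid() {
    [ -u "$1" ]
}

# True if getcap reports CAP on FILE, i.e. the security.capability xattr
# was written and can be read back.
has_cap() {
    getcap "$1" 2>/dev/null | grep -q "$2"
}

# Replace suid root on FILE with capability set CAPS (e.g. cap_net_raw+ep).
# Order matters: grant the capability, verify it, and only then drop the
# suid bit. If setcap fails (no xattr support, no CAP_SETFCAP, no libcap)
# the binary is left as it was so it keeps working.
# Returns 0 when converted, 1 when skipped, 2 if FILE was never suid.
suid_to_caps() {
    file=$1; caps=$2
    is_suid "$file" || return 2
    if ! command -v setcap >/dev/null 2>&1; then
        echo "skip $file: setcap not installed" >&2; return 1
    fi
    if ! setcap "$caps" "$file" 2>/dev/null; then
        echo "skip $file: cannot write security.capability xattr" >&2
        return 1
    fi
    # Strip the "+ep"/"=ep" flags to get the bare capability name for getcap.
    if ! has_cap "$file" "${caps%%[+=]*}"; then
        echo "skip $file: capability did not persist" >&2
        setcap -r "$file" 2>/dev/null
        return 1
    fi
    chmod u-s "$file"
    echo "converted $file: suid -> $caps"
}

# Typical use from a postinst hook (hypothetical mapping, one line per binary):
# suid_to_caps /bin/ping cap_net_raw+ep
```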
