Some more thoughts about linux computer security
Jeff Silverman
jeffsilverm at gmail.com
Fri Jan 23 06:05:39 UTC 2009
Mario Vukelic <mario.vukelic at dantian.org> wrote:
> On Thu, 2009-01-22 at 09:37 -0500, Brian McKee wrote:
>
>> > If you install software from the repositories, you used root
>> > privileges to do so. Therefore, the program you installed now can run
>> > as root whenever it wants to.
>>
>
> This is not true. Usually the program will run with the privileges of
> the user that starts it. The programs that run with root privileges are
> very rare, despite all packages being installed by APT (in a standard
> Ubuntu system).
>
> Some binaries might be installed with the "setuid bit" set to another
> user and will therefore run with this user's privileges. Sometimes this
> might be "setuid root", but software from the repos will usually only do
> this is if the program is well-behaved, i.e., drops root privileges as
> soon as possible.
>
> http://en.wikipedia.org/wiki/Setuid
>
>
>> > Simple example, there's nothing
>> > stopping someone from writing a program that runs SUID.
>>
>
> True, because it is not about the "writing" at all. The only important
> thing is the setuid (or setgid) bit, which is set on the binary and can
> be changed by the admin (or is set by the package manager on the admin's
> behalf, who has in practice authorized the package manager to do so by
> running it with root rights)
>
>
>> > Another
>> > example, it could simply add a new user to the system with UID 0 (i.e.
>> > root) and then set up software to run as that user.
>>
>
> Dunno what this has got to do with anything (usernames are always just
> for humans, only the UID has any real meaning)
>
>
>> > Once you give it
>> > root ONCE, it can hang on to it.
>>
>
> Once it is root it can do practically anything, yes.
>
> <snipped the rest because of agreement>
>
>
>
>
I am thinking of two examples that I know of, of programs that are SUID
root: sshd and sendmail. There are others. If somebody broke into the
repository and modified the source code or the binaries or both of these
programs, then they would own the boxes that the software is installed
on. Sendmail has to have root privileges to deliver the mail or to
invoke an agent to deliver the mail for it. sshd has to have root
privileges to fork a login shell in the context of a user account.
These programs are "trusted" programs. The definition of "trusted" is
"Any system that has the ability to hurt you if it misbehaves".
Since synaptic and other package managers can update sshd and sendmail
and install software in system file trees (/usr, /sbin, /etc, etc.),
those package managers must run with root privileges. Which means that
anything that thinks it needs SUID root to run, will get SUID root when
it is installed. The package manager will install it that way. It is
unreasonable to expect computer users to know which programs need to be
SUID and which do not, so we have to trust the package manager and the
people who create the packages to do the right thing. Insofar as I
know, this system has always worked (with the exception of the Red Hat
repository break in - and don't go holier than thou on me, because that
could have happened to Debian or Ubuntu).
There are a lot of people on this list who don't know much about
computers but who like Ubuntu. If you have been following this
argument, then please understand that you really don't need to know the
arcane details about what we're talking about, or at least, you
shouldn't have to. The Ubuntu developers made a decision a long time
ago that programs would execute with minimum privilege whenever
possible, and if a program needed more privilege, it would ask you -
that's why you have to type in your own password when running the
synaptic package manager and various other programs that need the
privileges. It is the best known solution to the problem of granting
privileged access to your computer under very limited conditions. It is
vastly superior to what is done in the Windows world, which is one of
the reasons why viruses are a problem in that world, and why viruses
generally are not a problem in the linux world.
Jeff
--
Jeff Silverman
Linux sysadmin
To get my addresses:
perl -wlpe 'y/a-zA-Z/n-za-mN-ZA-M/' << EOF
924 20gu NIR R
Frnggyr, JN, 98112
wrssfvyirez at tznvy.pbz
EOF
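Added example, not part of the thread above and not code from sshd, sendmail or any Ubuntu package: what "drops root privileges as soon as possible" looks like for a setuid-root program. The binary starts with effective uid 0 (because of the setuid bit the package manager set on it), does its one privileged step, then gives root away to the real (invoking) user in the order that works: supplementary groups first, then gid, then uid, and finally checks that root really cannot be regained. The "privileged step" here is a placeholder puts(); the file name and the chmod/chown lines in the comment are assumptions for trying it out.

```c
/* Added example, not from the mailing-list thread.
 * Build:  cc -Wall -o dropdemo dropdemo.c
 * To exercise the setuid-root path (assumed file name):
 *   sudo chown root dropdemo && sudo chmod 4755 dropdemo && ./dropdemo
 * Run without the setuid bit it still works; there is just nothing to drop.
 */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop root to the given uid/gid.
 * Returns 0 on success, -1 (with errno set) on failure.
 * Order matters: once the uid is no longer 0 the kernel refuses
 * setgroups() and setgid(), so groups and gid go first. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Only root may call setgroups(); clear the supplementary groups
         * so root's memberships (shadow, disk, ...) don't survive the drop. */
        if (setgroups(0, NULL) != 0)
            return -1;
    }
    /* In a privileged process setgid()/setuid() set the real, effective
     * AND saved ids together, so seteuid(0) cannot bring root back later. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Paranoia: confirm the kernel did what we asked. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* After the drop, prove root is gone: setuid(0) must fail with EPERM.
 * Returns 1 if privileges are irrevocably dropped, 0 otherwise. */
int privileges_irrevocable(void)
{
    if (geteuid() == 0)
        return 0;          /* still root: nothing was dropped */
    if (setuid(0) == 0)
        return 0;          /* root came back: saved uid was left at 0 */
    return errno == EPERM;
}

int main(void)
{
    uid_t real_uid = getuid();
    gid_t real_gid = getgid();

    printf("before: uid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    if (geteuid() == 0) {
        /* Placeholder for the one thing that needs root, e.g. binding
         * port 22 or opening a mailbox in /var/mail. Do it, then drop. */
        puts("effective uid is 0: doing the privileged work now");
    }
    if (drop_privileges(real_uid, real_gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("after:  uid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    printf("root regainable: %s\n", privileges_irrevocable() ? "no" : "YES");
    return privileges_irrevocable() ? 0 : 1;
}
```

Run as an ordinary user the program reports the same uid before and after and "root regainable: no"; with the setuid bit set and root ownership, the "before" line shows euid=0 and the "after" line shows the invoking user's uid. A program that called setuid() and setgid() in the other order, or used seteuid() alone, would pass the first printf but fail the privileges_irrevocable() check, which is exactly the difference between a well-behaved setuid binary and one that quietly keeps root in its saved uid.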