Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1162253AbbKERXE (ORCPT ); Thu, 5 Nov 2015 12:23:04 -0500 Received: from tschil.ethgen.ch ([5.9.7.51]:46519 "EHLO tschil.ethgen.ch" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1161984AbbKERXD (ORCPT ); Thu, 5 Nov 2015 12:23:03 -0500 Date: Thu, 5 Nov 2015 18:22:59 +0100 From: Klaus Ethgen To: Andy Lutomirski Cc: Linus Torvalds , Richard Weinberger , LKML , Christoph Lameter , Andy Lutomirski , Serge Hallyn , Kees Cook , Andrew Morton Subject: Re: [KERNEL] Re: [KERNEL] Re: [KERNEL] Re: Kernel 4.3 breaks security in systems using capabilities Message-ID: <20151105172259.GC9307@ikki.ethgen.ch> References: <20151102191616.GA2158@ikki.ethgen.ch> <20151105101953.GA15293@ikki.ethgen.ch> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1; x-action=pgp-signed In-Reply-To: OpenPGP: id=79D0B06F4E20AF1C; url=http://www.ethgen.ch/~klaus/79D0B06F4E20AF1C.txt; preference=signencrypt User-Agent: Mutt/1.5.24 (2015-08-30) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2732 Lines: 65 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi, Am Do den 5. Nov 2015 um 17:19 schrieb Andy Lutomirski: > > With the present way, that was no problem (for OSS). You take away the > > SUID, set the capabilities and if the tool complains about not being > > root, look into the code and remove that stupid thing. With ambient > > capabilities, no one will see that the tool is doing such stupid thing > > as setting all capabilities unless some trouble is seen. > > SUID is, always has been, and always will be a minefield. People > writing SUID programs need to do it right. When the kernel adds a new > API, doing it right includes not adding a buggy call to the API. Thats right. But real world is not optimal. > The ambient capability code explicitly zeros pA when running a SUID > binary to avoid problems in which a SUID binary has unexpected ambient > capabilities. That is not the point. I do not talk about combining SUID and capabilities. I even seen that it was implemented that way. I talk about taking away rights from tools that don't need it. > IMO the right long term solution is to just stop using SUID and to > stop using any other mechanism that grants new privileges of any sort > when execve is called. Right. That is my intention. > When you can boot a distro with no_new_privs > set everywhere (including init) and everything works, then I'll think > we've made considerable progress. That might be a longer way to go. I also don't think it it fully doable. You do always need some applications having special rights. But I like to pick exactly that rights instead using sudo or SUID. Regards Klaus - -- Klaus Ethgen http://www.ethgen.ch/ pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQGcBAEBCgAGBQJWO5BzAAoJEKZ8CrGAGfas948L/jde8spo8N+vo+jqVSjRNIsV M1gHTJ4cahDvKhlK6z2a/5kQSINWP94Ir4LSNh+Qyvvq1ZIDBvVWIgadf4zf7TEf QfbgKFcdbJaXhWKjdgIaT8LTjRzvyqHGD9F8hoSAYI+zvjOJP3FpXi+1u4QNVcO6 ZiV1Ss+8hUGy44Y2If0yMwYe/Z88elqMOPGHJhqeq44unWG0ZFek5R2xOg2g9qed MMSz49BLarg0TI9tMO7uwkMXfmhKDh3L0Tdwr6xANwPuaBe5qnFVpQpJ/T/AESv7 uTtzDEjJwN9ZBZra8Zc/Xp02ELoMigAtEWprkl78dEmtKUJnej3MP9xivc6EtKAK zKunFCmltjwVAtwdggBN+XuJofqltFt0FZpyfX3AwjNrW5ltkXbA/tNL0zoQalqX +NoFmdEWdi5PcMdxKNoZp7jwrSYG7UN8KDe7ZsSGqrV6iH+pd1KWNog8LOdU3t+W IfbKdHqVQkIKyYz2R9Dd/o2XnUYpymE75SsZu+6Yhw== =ffr7 -----END PGP SIGNATURE----- -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/