Date: Fri, 6 Nov 2015 12:05:58 -0600
From: "Serge E. Hallyn"
To: Casey Schaufler
Cc: "Theodore Ts'o", Klaus Ethgen, "Serge E. Hallyn", Andy Lutomirski, Linus Torvalds, Richard Weinberger, LKML, Christoph Lameter, Andy Lutomirski, Serge Hallyn, Kees Cook, Andrew Morton
Subject: Re: [KERNEL] Re: [KERNEL] Re: [KERNEL] Re: [KERNEL] Re: [KERNEL] Re: Kernel 4.3 breaks security in systems using capabilities
Message-ID: <20151106180558.GA16749@mail.hallyn.com>
References: <20151105101953.GA15293@ikki.ethgen.ch> <20151105161512.GA2180@mail.hallyn.com> <20151105171701.GB9307@ikki.ethgen.ch> <20151105173438.GA3378@mail.hallyn.com> <20151105174823.GD9307@ikki.ethgen.ch> <20151105220843.GA6027@mail.hallyn.com> <20151106135835.GB11901@ikki.ethgen.ch> <20151106155303.GB6160@thunk.org> <563CE893.1060309@schaufler-ca.com>
In-Reply-To: <563CE893.1060309@schaufler-ca.com>
List-ID: <linux-kernel.vger.kernel.org>

On Fri, Nov 06, 2015 at 09:51:15AM -0800, Casey Schaufler wrote:
> On 11/6/2015 7:53 AM, Theodore Ts'o wrote:
> > On Fri, Nov 06, 2015 at 02:58:36PM +0100, Klaus Ethgen wrote:
> >> But that left out completely the, I think more important, use case of
> >> _removing_ SUID completely and _replacing_ it with very tight capability
> >> setting. And that is what I always talked about.
> > I don't believe this is ever going to be possible.  And I'm not
> > talking about it from a technical perspective, but from a practical
> > and cultural perspective.
>
> There have been rootless systems (e.g. Trusted Irix) in the past.
> They sold to a very restricted market and were never widely adopted.
> The inevitable first question from the admins was
>
> "How do I get *real* root?"

Ok, but there's a difference between not supporting a real root login
at all, and having most or all regular system services working without
it.  ffs, ping is still often setuid-root.

> I agree that culturally it's a hard sell. Once someone gets a taste
> for privilege it's tough to get them to give it up. It's a major
> problem even in embedded systems, where people are still doing development
> in a root shell.
>
> I was on the POSIX group that defined capabilities. I hate to
> say it, but the evidence is that we failed. We've had capabilities
> in the kernel for how long? If we haven't been able to make the
> transition away from root by now, maybe it's time to reexamine the

Several times we've discussed why - for instance after Ted's indicting
LSS keynote.  There have been some very pedestrian reasons why.  The two
saddest but also hardest to overcome ones were lack of xattr support in
some filesystems, and in some packaging systems.  The fact that, as a
distro, you have to support use of packages without support for xattrs
means you always have to still add the setuid bit, and if you have to do
that, it's really better to *only* but cleanly support setuid.  And so
ping is setuid-root.

And we've actually made things worse for now, because you cannot write
xattrs from a user namespace.  So many default containers, again, cannot
use file capabilities unless the host admin installs the packages.  (I do
plan to write a patch to fix that, but it hasn't been done yet.)

The other problem is imo there needs to be a better support system for
projects which want to switch.  That's why I'm really thinking we should
have a mailing list dedicated to helping projects properly design their
use of capabilities (or nnp or setresuid, probably)

Another possible reason would be that it is not portable.  If that's
holding people back, then that feels like a reason to just replace the
whole shebang with something like capsicum.
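The message above turns on the difference between a setuid-root ping and one that carries only a tight file capability stored in an xattr. As an added example (not code from this email, its authors, or the kernel tree), the script below decodes the security.capability xattr that the kernel reads on exec and runs a small audit that classifies constructed sample binaries as setuid, file-caps-only, both, or neither. The layout constants follow struct vfs_cap_data in include/uapi/linux/capability.h; revision 3 with its rootid field is a later kernel addition, not something this thread discusses, and is decoded for completeness. The sample paths, mode bits and rootid value are constructed; the cap_net_raw+ep blob is the value setcap writes for ping.

```python
"""Decode and audit Linux file capabilities (the security.capability xattr).

Added example, not code from the thread.  Sample data below is constructed.
"""
import base64
import stat
import struct

# Layout constants from include/uapi/linux/capability.h
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
VFS_CAP_REVISION_1 = 0x01000000   # one 32-bit permitted/inheritable pair
VFS_CAP_REVISION_2 = 0x02000000   # two pairs, giving 64-bit masks
VFS_CAP_REVISION_3 = 0x03000000   # revision 2 plus a rootid (later kernels)
XATTR_CAPS_SZ = {VFS_CAP_REVISION_1: 12, VFS_CAP_REVISION_2: 20, VFS_CAP_REVISION_3: 24}

# Capability names in kernel numbering (list index == CAP_* value)
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]


def decode_file_caps(raw):
    """Parse a security.capability value (struct vfs_cap_data) into a dict.

    Rejects unknown revisions and wrong sizes, the same checks the kernel
    applies before it trusts the xattr.
    """
    if len(raw) < 4:
        raise ValueError("xattr too short for magic_etc")
    (magic_etc,) = struct.unpack_from("<I", raw, 0)
    rev = magic_etc & VFS_CAP_REVISION_MASK
    if rev not in XATTR_CAPS_SZ:
        raise ValueError("unknown vfs_cap_data revision 0x%08x" % rev)
    if len(raw) != XATTR_CAPS_SZ[rev]:
        raise ValueError("revision 0x%08x needs %d bytes, got %d"
                         % (rev, XATTR_CAPS_SZ[rev], len(raw)))
    effective = bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
    if rev == VFS_CAP_REVISION_1:
        permitted, inheritable = struct.unpack_from("<II", raw, 4)
        rootid = None
    else:
        p0, i0, p1, i1 = struct.unpack_from("<IIII", raw, 4)
        permitted = p0 | (p1 << 32)
        inheritable = i0 | (i1 << 32)
        rootid = struct.unpack_from("<I", raw, 20)[0] if rev == VFS_CAP_REVISION_3 else None
    return {"revision": rev >> 24, "effective": effective,
            "permitted": permitted, "inheritable": inheritable, "rootid": rootid}


def cap_names(mask):
    """Expand a capability bitmask into names; bits past the table become cap_<n>."""
    return [CAP_NAMES[bit] if bit < len(CAP_NAMES) else "cap_%d" % bit
            for bit in range(64) if mask & (1 << bit)]


def classify(mode, cap_xattr):
    """Report how a binary gains privilege: 'setuid', 'filecaps', 'mixed' or 'none'."""
    setuid = bool(mode & stat.S_ISUID)
    caps = decode_file_caps(cap_xattr) if cap_xattr is not None else None
    if setuid and caps:
        kind = "mixed"      # setuid bit kept beside file caps (xattr-less install fallback)
    elif setuid:
        kind = "setuid"
    elif caps:
        kind = "filecaps"
    else:
        kind = "none"
    return {"kind": kind,
            "caps": cap_names(caps["permitted"]) if caps else [],
            "effective": caps["effective"] if caps else False}


# Constructed samples; mode values are what os.stat would report
PING_CAPS = base64.b64decode("AQAAAgAgAAAAAAAAAAAAAAAAAAA=")   # cap_net_raw+ep, revision 2
PING_CAPS_V3 = struct.pack("<IIIIII", VFS_CAP_REVISION_3 | VFS_CAP_FLAGS_EFFECTIVE,
                           1 << 13, 0, 0, 0, 100000)            # same caps, constructed rootid
SAMPLE_BINARIES = {
    "/bin/ping.suid": (0o104755, None),        # classic setuid-root ping
    "/bin/ping.caps": (0o100755, PING_CAPS),   # ping carrying only cap_net_raw
    "/bin/ping.both": (0o104755, PING_CAPS),   # setuid bit left in place alongside caps
    "/bin/cat": (0o100755, None),              # unprivileged
}


def audit(binaries=SAMPLE_BINARIES):
    """Classify every sample and return {path: kind}."""
    return {path: classify(mode, xattr)["kind"] for path, (mode, xattr) in binaries.items()}


if __name__ == "__main__":
    for path, (mode, xattr) in SAMPLE_BINARIES.items():
        print(path, classify(mode, xattr))
    print(decode_file_caps(PING_CAPS_V3))
```

On a live Linux system the xattr would come from os.getxattr(path, "security.capability") (absent raises OSError with ENODATA) and the mode from os.stat(path).st_mode; the "mixed" class is the one the message predicts for distro packages that keep the setuid bit as a fallback for filesystems or package formats without xattr support.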