Subject: Re: [KERNEL] Re: [KERNEL] [PATCH] Kernel 4.3 breaks security in systems using capabilities
From: Austin S Hemmelgarn
To: Theodore Ts'o, Andy Lutomirski, Serge Hallyn, Kees Cook, Christoph Lameter, Serge E. Hallyn, Andrew Morton, Richard Weinberger, LKML, Linus Torvalds
Date: Tue, 10 Nov 2015 15:39:52 -0500
Message-ID: <56425618.6060703@gmail.com>
In-Reply-To: <20151110175849.GB26726@ikki.ethgen.ch>
List: linux-kernel@vger.kernel.org

On 2015-11-10 12:58, Klaus Ethgen wrote:
> On Tue, 10 Nov 2015 at 14:35, Austin S Hemmelgarn wrote:
>> On 2015-11-10 08:19, Klaus Ethgen wrote:
>>> Hi Ted, hi others in this discussion,
>>>
>>> On Tue, 10 Nov 2015 at 13:40, Theodore Ts'o wrote:
>>>> Whether or not that will be acceptable upstream, I don't know, mainly
>>>> because I think a strong case can be made that such a patch has an
>>>> audience of one, and adding more complexity here for an idea which has
>>>> been time-tested over decades to be a failure is just not a good idea.
>>>
>>> I wouldn't tell the implementation until now to be a failure. It helped
>>> a lot to keep a system sane. It is true that all distributions ignored
>>> capabilities completely but I don't think that is due to the design.
>> I think it's mostly due to the fact that there are a lot of potential
>> security issues in using capabilities as implemented in Linux (and other
>> POSIX systems),
>
> Well, of course. If you give a process capabilities, it can use it. That
> is in the nature of the problem. But in comparison to SUID, it is
> selective rights. That makes it much more troublesome to exploit. Why
> the hell is, for example, ping installed SUID root? There is only one
> privileged right that is needed instead of all or nothing.

FWIW, on Hardened Gentoo, ping is installed without the SUID bit set,
and has the appropriate fscaps attribute to give it CAP_NET_RAW. Sadly,
that's about the only tool that is set to use capabilities (the only
other one I know of is arping). Ping is however very purpose specific
and short of someone re-writing the binary, there really isn't much that
could be done to use it for privilege escalation. OTOH even when you use
capabilities, it's pretty easy for someone with a little shell scripting
knowledge to perform a DOS attack on a network just using ping.

>
>> and unlike chroot(), it's not as easy to protect against stuff trying
>> to bypass them while still keeping them useful.
>
> It is the same, you have to be aware of the problem and need to mitigate
> it.
>
> chroot addresses different things than capabilities. And also chroot is
> exploitable and you can break out in some cases. You have to do it
> right...

Again, this depends; there really isn't any way to make it impossible to
break out of a chroot without significant changes to the kernel, even
when using stuff like namespaces.

>
>> If you do a web search you can relatively easily find info on how to
>> use many of the defined capabilities to get root-equivalent access
>> (CAP_SYS_ADMIN and CAP_SYS_MODULE are obvious, but many of the others
>> can be used also if you know what you are doing, for example
>> CAP_DAC_OVERRIDE+CAP_SYS_BOOT can be used on non-SecureBoot systems to
>> force the system to reboot into an arbitrary kernel).
>
> Well, that is like it should be. If you give an exploitable application
> rights that it should not have, it can get exploited. But this decision
> is in the responsibility of the admin.

The big problem here is stuff like CAP_SYS_ADMIN and CAP_NET_ADMIN,
which group together a bunch of things that are only loosely related.
For example, both CAP_NET_ADMIN and CAP_NET_RAW include the ability to
bind to non-local addresses, but none of the stuff that I've ever seen
that uses CAP_NET_RAW instead of running as root uses that at all.
CAP_SYS_ADMIN includes a list of 24 different things that it allows,
many of which are themselves lists of other operations.

I'll try and dig up one of the better articles on this and post a link;
essentially, there are about a dozen capabilities that can be exploited
pretty easily to get root-equivalent access.

>
> With ambient capabilities, you transfer that responsibilities to all the
> different developers that once in a while wrote a SUID tool (or tool
> with raised capabilities). So, tell me, where does the ambient
> capabilities raise the security?
Unless you're personally auditing every single piece of code being run
on your system, you are inherently trusting the developers anyway.
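The message above contrasts a ping binary carrying only CAP_NET_RAW via a file capability with one installed SUID root, and lists CAP_SYS_ADMIN, CAP_SYS_MODULE and the CAP_DAC_OVERRIDE+CAP_SYS_BOOT pair as root-equivalent grants. The script below is an added example for this thread, not code from the kernel tree or from any participant: it decodes the Cap* masks that the kernel exposes in /proc/<pid>/status (the CapAmb line is the ambient set that appeared with 4.3) into capability names and flags the grants the thread calls out. The bit-to-name table follows include/uapi/linux/capability.h; the two status dumps are constructed for the demonstration, and the ROOT_EQUIVALENT/RISKY_COMBOS policy tables are an assumption drawn only from the message text.

```python
"""Decode Linux capability masks into names and flag over-broad grants.

Added example for this thread; not code from the kernel tree or from any
participant.  The bit-to-name table follows include/uapi/linux/capability.h
(bits 0..37, the set a 4.3-era kernel knows; newer bits print as CAP_<n>).
The /proc/<pid>/status samples below are constructed for the demonstration.
"""
import re
import sys

CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
]

# Policy tables (assumption, taken only from the thread): capabilities the
# message names as root-equivalent on their own, plus the one combination it
# calls out.  Extend these to match your own threat model.
ROOT_EQUIVALENT = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE"}
RISKY_COMBOS = [
    ({"CAP_DAC_OVERRIDE", "CAP_SYS_BOOT"},
     "can reboot a non-SecureBoot system into an arbitrary kernel"),
]

# Constructed sample: ping started by uid 1000 from a binary carrying the
# file capability cap_net_raw+ep (bit 13 == 0x2000) instead of the SUID bit.
PING_STATUS = """\
Name:\tping
Uid:\t1000\t1000\t1000\t1000
Gid:\t1000\t1000\t1000\t1000
CapInh:\t0000000000000000
CapPrm:\t0000000000002000
CapEff:\t0000000000002000
CapBnd:\t0000003fffffffff
CapAmb:\t0000000000000000
"""

# Constructed sample: the same tool installed SUID root, so the process runs
# with the full 4.3-era bounding set in its permitted and effective sets.
SUID_STATUS = (PING_STATUS
               .replace("CapPrm:\t0000000000002000", "CapPrm:\t0000003fffffffff")
               .replace("CapEff:\t0000000000002000", "CapEff:\t0000003fffffffff"))


def decode_mask(mask):
    """Return the names of all capability bits set in an integer mask, in bit order."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names


def parse_status(text):
    """Map each Cap* line of a /proc/<pid>/status dump to its integer mask."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", text, re.M)}


def audit(names):
    """Return findings for grants the policy tables treat as root-equivalent."""
    have = set(names)
    findings = [f"{n} is root-equivalent on its own" for n in names if n in ROOT_EQUIVALENT]
    for combo, why in RISKY_COMBOS:
        if combo <= have:
            findings.append("+".join(sorted(combo)) + " " + why)
    return findings


def report(status_text):
    """Decode the effective set of a status dump and audit it."""
    eff = decode_mask(parse_status(status_text)["CapEff"])
    return {"effective": eff, "findings": audit(eff)}


if __name__ == "__main__":
    # With a pid argument, inspect a live process; otherwise use the samples.
    if len(sys.argv) > 1:
        with open(f"/proc/{sys.argv[1]}/status") as fh:
            samples = [(f"pid {sys.argv[1]}", fh.read())]
    else:
        samples = [("fscaps ping", PING_STATUS), ("SUID ping", SUID_STATUS)]
    for label, text in samples:
        r = report(text)
        print(f"{label}: {len(r['effective'])} effective capabilities")
        for finding in r["findings"]:
            print("  !", finding)
```

Run without arguments it shows the fscaps ping with a single effective capability and no findings, against the SUID variant with 38 and three findings; `python3 capaudit.py $$` inspects the calling shell. The same decoding applies to the getcap(8) output of a file capability, since setcap(8) stores the same bit masks in the security.capability xattr.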