Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751835AbXAVAyI (ORCPT ); Sun, 21 Jan 2007 19:54:08 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1751833AbXAVAyI (ORCPT ); Sun, 21 Jan 2007 19:54:08 -0500 Received: from 69-100-st.zelcom.ru ([80.92.100.69]:4245 "EHLO etherstorm.feelingofgreen.ru" rhost-flags-OK-FAIL-OK-OK) by vger.kernel.org with ESMTP id S1751834AbXAVAyG (ORCPT ); Sun, 21 Jan 2007 19:54:06 -0500 Date: Mon, 22 Jan 2007 03:54:03 +0300 Message-ID: <87ps97vq38.wl@betelheise.deep.net> From: Samium Gromoff <_deepfire@feelingofgreen.ru> To: David Wagner Cc: linux-kernel@vger.kernel.org Subject: Re: [PATCH] Undo some of the pseudo-security madness User-Agent: Wanderlust/2.15.5 (Almost Unreal) SEMI/1.14.6 (Maruoka) FLIM/1.14.8 (=?ISO-8859-4?Q?Shij=F2?=) APEL/10.6 Emacs/23.0.51 (i486-pc-linux-gnu) MULE/5.0 (SAKAKI) X-Face: "P-:w!.&Hdk.h~~pT`!Q%H6;/8Cce^m&%vIn"W-SXb4h88dCgwD\_}N5:\}lowY2gxg0u^wVO*L\$C@MvBDRTmh/=,468w{W{OTc$kfq5O9Y!`pd+N}SMHrN+Gs>jXe5}}EL`cRbc0^_0cZ-}M\b~55I;Qe$1uL8M`M`82<_%CQ(GwLk."M>zBLn:-u>n,$kjH`~Uo[pH`08#\G!GVMd`%7![m9]*w5PMts4@m>=;lX41Z90N MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka") Content-Type: text/plain; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3407 Lines: 76 David Wagner wrote: > Samium Gromoff wrote: > >[...] directly setuid root the lisp system executable itself [...] > > Like I said, that sounds like a bad idea to me. Sounds like a recipe for > privilege escalation vulnerabilities. Was the lisp system executable > really implemented to be secure even when you make it setuid root? > Setting the setuid-root bit on programs that didn't expect to be > setuid-root is generally not a very safe thing to do. [1] 1. Unsafe setuid programs have been written, and they doubtlessly will continue to be written. 2. Lisp systems are written by extremely competent people. (who make mistakes nonetheless, but still..) 3. I think that the ability to choose whether or not to shoot oneself in the foot is an important freedom. 4. The whole issue is a little bit unfair, because the UNIX world is inherently C-centric -- everything outside the C niche does not, indeed, fit flawlessly in the picture.. This is where the "if you want to write system software, do it in C" model comes from. 5. If a killer use-case is needed, an X server might do -- these need root privileges for a certain period. What if i decide that i want to write one in Lisp? > The more I hear, the more unconvinced I am by this use case. > > If you don't care about the security issues created by (mis)using the lisp > interpreter in this way, then like I suggested before, you can always ^^^^^^^^^^^ make that a compiler -- these days, probably, there are more native-bytecode-generating lisp compilers than interpreters. > write a tiny setuid-root wrapper program that turns off address space > randomization and exec()s the lisp system executable, and leave the lisp > system executable non-setuid and don't touch the code in the Linux kernel. > That strikes me as a better solution: those who don't mind the security > risks can take all the risks they want, without forcing others to take > unwanted and unnecessary risks. This might sound as a reasonable solution. Although it places a certain burden, which has to be considered... I should see what the SBCL people will say about that. > It's not that I'm wedded to address space randomization of setuid > programs, or that I think it would be a disaster if this patch were > accepted. Local privilege escalation attacks aren't the end of the world; > in all honesty, they're pretty much irrelevant to many or most users. > It's just that the arguments I'm hearing advanced in support of this > change seem dubious, and the change does eliminate one of the defenses > against a certain (narrow) class of attacks. > > > [1] In comparison, suidperl was designed to be installed setuid-root, > and it takes special precautions to be safe in this usage. (And even it > has had some security vulnerabilities, despite its best efforts, which > illustrates how tricky this business can be.) Setting the setuid-root > bit on a large complex interpreter that wasn't designed to be setuid-root > seems like a pretty dubious proposition to me. Compiler, not interpreter, careful with the insults :-) regards, Samium Gromoff P.S. please cc me, as i am not subscribed to the list... - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/