Re: Bug in how capability inheritance is handled in "fs/exec.c", 2.3.99

From: Linda Walsh (law@sgi.com)
Date: Mon May 29 2000 - 20:42:37 EST


"Theodore Y. Ts'o" wrote:
> I think I actually overstated things when I said that "root shell" is
> prohibited. It doesn't have to run with PIE=(0,0,0). Linda was right
> on that score. (That is one way of doing things, but it's not the only
> way of doing things.)
>
> Still, even given that you're running with a shell with privileges,
> given that most executables have a PIE of (0,0,0), it means that they
> won't inherit any privileges by default. So "rm" would only get
> privileges if it was explicitly allowed to inherit DAC override (for
> example --- no reason to allow it to inherit CAP_SETUID, or CAP_SETPCAP,
> or any other privilege).

---
	For a simple first pass at a secure system, one would come up
with a set of security-reviewed programs (called the Trusted Computing
Base or TCB).  In the simplest case -- once you have file based
capabilities (or a default capset for a mount), all your executables 
in the TCB get set w/PIE=(0,all,all):

For root (PIE=all,all,all) and corrected rules of:

1) pI' = pI & fI
2) pP' = fP | (pI' & pP)
3) pE' = fE & pP'

pI' = all & all => all
pP' = 0 | (all & all) => all
pE' = all & all => all

new PIE=(all,all,all) for root

for uid!=root, PIE=(0,0,0)

pI' = 0 & all => 0
pP' = 0 | (0 & 0) => 0
pE' = all & 0 => 0

new PIE=(0,0,0) for non-root.

To have same semantics as SUID=root, a file would have PIE=(all,all,all).

For root, I won't bother to compute; new PIE=(all,all,all).

For non-root:

pI' = 0 & all => 0
pP' = all | (0 & 0) => all
pE' = all & all => all

new PIE=(all,0,all) - which means any executed programs will default to inheriting *no privileges* from the suid program. This is *DESIRABLE*. For privileges to be propagated, the SUID program would have to explicitly set its Inheritable set. This means the default is to not propagate. This is a 'good' thing. Exec'ing a shell out of a SUID program through a buffer exploit will default to a capset of (0,0,0) in the shell. Seems, at least, moderately useful...

-l

--
Linda A Walsh | Trust Technology, Core Linux, SGI
law@sgi.com | Voice: (650) 933-5338
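The transitions worked through in the message above, as an added example that is not from the message or from fs/exec.c: a small C model of the three rules over 32-bit bitmasks. The bit number for CAP_DAC_OVERRIDE is taken from linux/capability.h; the process and file sets (ROOT, NONROOT, TCB_FILE, SUID_FILE, PLAIN_FILE, RM_FILE) are constructed inputs mirroring the cases in the thread.

```c
#include <stdint.h>
#include <stdio.h>

/* Capability sets as bitmasks; bit number as in linux/capability.h. */
#define CAP_DAC_OVERRIDE 1
#define CAP_BIT(n)       (UINT32_C(1) << (n))
#define CAP_ALL          UINT32_C(0xffffffff)   /* "all" in the message */
#define CAP_NONE         UINT32_C(0)            /* "0" in the message */

/* A PIE triple: Permitted, Inheritable, Effective (the message's order). */
struct capset { uint32_t p, i, e; };

/* The three rules quoted in the message, applied at exec():
 *   1) pI' = pI & fI
 *   2) pP' = fP | (pI' & pP)
 *   3) pE' = fE & pP'
 * proc = caller's sets, file = executable's sets. */
struct capset exec_caps(struct capset proc, struct capset file)
{
    struct capset n;
    n.i = proc.i & file.i;
    n.p = file.p | (n.i & proc.p);
    n.e = file.e & n.p;
    return n;
}

/* Constructed inputs mirroring the cases in the message. */
static const struct capset ROOT       = { CAP_ALL,  CAP_ALL,  CAP_ALL  };
static const struct capset NONROOT    = { CAP_NONE, CAP_NONE, CAP_NONE };
static const struct capset TCB_FILE   = { CAP_NONE, CAP_ALL,  CAP_ALL  }; /* PIE=(0,all,all) */
static const struct capset SUID_FILE  = { CAP_ALL,  CAP_ALL,  CAP_ALL  }; /* PIE=(all,all,all) */
static const struct capset PLAIN_FILE = { CAP_NONE, CAP_NONE, CAP_NONE }; /* the usual (0,0,0) */
/* "rm" allowed to inherit only DAC override, as in the quoted paragraph. */
static const struct capset RM_FILE = { CAP_NONE, CAP_BIT(CAP_DAC_OVERRIDE), CAP_BIT(CAP_DAC_OVERRIDE) };

static void show(const char *label, struct capset c)
{
    printf("%-24s P=%08x I=%08x E=%08x\n", label, c.p, c.i, c.e);
}

int main(void)
{
    show("root -> TCB file",     exec_caps(ROOT, TCB_FILE));     /* (all,all,all) */
    show("non-root -> TCB file", exec_caps(NONROOT, TCB_FILE));  /* (0,0,0) */
    struct capset suid = exec_caps(NONROOT, SUID_FILE);
    show("non-root -> SUID-like", suid);                         /* (all,0,all) */
    show("SUID-like -> plain",   exec_caps(suid, PLAIN_FILE));   /* shell gets (0,0,0) */
    show("root shell -> rm",     exec_caps(ROOT, RM_FILE));      /* DAC override only */
    return 0;
}
```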




This archive was generated by hypermail 2b29 : Wed May 31 2000 - 21:00:23 EST