From: Klaus Ethgen <Klaus+lkml@ethgen.de>
To: linux-kernel@vger.kernel.org
Subject: Kernel 4.3 breaks security in systems using capabilities
Date: Mon, 2 Nov 2015 19:06:25 +0100 [thread overview]
Message-ID: <20151102180624.GA28014@ikki.ethgen.ch> (raw)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi,
I read recently about patch 58319057b7847667f0c9585b9de0e8932b0fdb08
which made it into kernel 4.3 recently. And I have to say that I was
shocked on how could such a patch that breaks normal use of capabilities
make it into the kernel.
Usually I have set very own crafted capabilities set to files instead of
having them SUID root. With that, I have a comparable set of inheritable
capabilities set for limited users. That allows me to nearly drop all
SUID binaries and replace it by only giving the processes the
capabilities they need but only if the users are allowed to act with
that capabilities. Especially, and that is important, it inhibit any
leak of rights to any forked process, be it indented or by a security
problem of the binary.
With the patch above, any process that is spawned by such a program will
inherit the raised capabilities if it has no own filecapabilities set.
Even worse, even every user made tool can be target for such
escalations! That drives the benefits in security of capabilities over
SUID ad-absurdum.
Let me add here, that I disagree with Andy Lutomirski about the
usefulness of capability inheritance in kernels before that patch. They
was fully usefull to only allow selective capabilities if both, the
binary and the user was allowed to use it. I never want to have any
capabilities for processes that I did not allow them to have. Even
worse, I never want any capabilities allowed for any shell. It is
horrible to even think about such a possibility!.
> Users with nonzero pA are unlikely to unintentionally leak that
> capability. If they run programs that try to drop privileges, dropping
> privileges will still work.
Even that is naiv. There are only few programs out there that do
actively drop privileges. Most are agnostic about capabilities. But this
crappy patch introduce a need for _every_ tool to drop all capabilities
right after start to stay in a secure system.
So please revert that patch as fast as possible before it does some harm
by getting into some real world systems!
Regards
Klaus Ethgen
- --
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus@Ethgen.de>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQGcBAEBCgAGBQJWN6YaAAoJEKZ8CrGAGfasRGwL/2g3XmG3h1rpidmJnUsMlmvf
YdBSSKdgX8U371WANxoGPzmjE9raQX+Ccn713z8csB/Xnh3AuQMvDsRfX9qWhYCy
eDEE3NxaDvlKzZkDDvZk5TFuFI8iHBIndgkYdN6AYg60aUt9GRYEVIZ9AtZ0t2LG
/x9v7ecF0BEmJRK/Hf6uBfmGsh1sisyJzDtkvh4z/P6RUh/96W0sMZTi0MGolfvT
6B8WPWnyOVRHmxwq1/2rExOr4rwyiDhOc+oGHzj+XfIh30pXUZnlom7w0M5cro61
jK/bJbCQJdqgADp3Nuizf6WUCt/adKqwmlAmKD2kFSFOtUG0A32jdhcqLKBO5aWX
5Cm2lub5a7mdM1hSRGDKzmrQ4phQZNqGUHXG2TOiit5IbmcA0AEyy091oB15Rf6x
xnOoe7nIIPsoDlbfMoQq7qPvbIB4gXimoJtKI4+T4AKr068XWfXeswAYc8V1yviJ
o4R6ja52HwEZ/PykLJFmtiEcfYDQQeT2eADj0kN7rQ==
=m53H
-----END PGP SIGNATURE-----
next reply other threads:[~2015-11-02 18:06 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-02 18:06 Klaus Ethgen [this message]
2015-11-02 18:38 ` Kernel 4.3 breaks security in systems using capabilities Richard Weinberger
2015-11-02 18:50 ` Andy Lutomirski
2015-11-02 19:16 ` [KERNEL] " Klaus Ethgen
2015-11-02 19:45 ` Andy Lutomirski
2015-11-05 10:19 ` [KERNEL] " Klaus Ethgen
2015-11-05 16:15 ` Serge E. Hallyn
2015-11-05 17:17 ` [KERNEL] " Klaus Ethgen
2015-11-05 17:34 ` Serge E. Hallyn
2015-11-05 17:48 ` [KERNEL] " Klaus Ethgen
2015-11-05 19:01 ` Andy Lutomirski
2015-11-05 22:08 ` Serge E. Hallyn
2015-11-06 13:58 ` [KERNEL] " Klaus Ethgen
2015-11-06 15:53 ` Theodore Ts'o
2015-11-06 17:15 ` Andy Lutomirski
2015-11-06 17:51 ` Casey Schaufler
2015-11-06 18:05 ` Serge E. Hallyn
2015-11-06 17:56 ` [KERNEL] " Klaus Ethgen
2015-11-06 18:18 ` Serge E. Hallyn
2015-11-07 11:02 ` [KERNEL] " Klaus Ethgen
2015-11-08 17:05 ` Serge E. Hallyn
2015-11-09 16:28 ` Austin S Hemmelgarn
2015-11-09 17:23 ` [KERNEL] " Klaus Ethgen
2015-11-09 19:02 ` Austin S Hemmelgarn
2015-11-09 21:29 ` [KERNEL] " Klaus Ethgen
2015-11-10 0:06 ` Andy Lutomirski
2015-11-10 11:55 ` [KERNEL] " Klaus Ethgen
2015-11-10 12:40 ` Theodore Ts'o
2015-11-10 13:19 ` [KERNEL] [PATCH] " Klaus Ethgen
2015-11-10 13:35 ` Austin S Hemmelgarn
2015-11-10 17:58 ` [KERNEL] " Klaus Ethgen
2015-11-10 20:39 ` Austin S Hemmelgarn
2015-11-10 13:41 ` Klaus Ethgen
2015-11-11 2:04 ` Theodore Ts'o
2015-11-11 10:14 ` [KERNEL] " Klaus Ethgen
2015-11-11 10:54 ` Theodore Ts'o
2015-11-11 11:13 ` [KERNEL] " Klaus Ethgen
2015-11-10 15:25 ` [KERNEL] Re: [KERNEL] Re: [KERNEL] " Christoph Lameter
2015-11-05 16:19 ` Andy Lutomirski
2015-11-05 17:22 ` [KERNEL] " Klaus Ethgen
2015-11-02 18:52 ` Linus Torvalds
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151102180624.GA28014@ikki.ethgen.ch \
--to=klaus+lkml@ethgen.de \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.