From: Richard Weinberger <richard@nod.at>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: David Herrmann <dh.herrmann@gmail.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
Greg KH <gregkh@linuxfoundation.org>,
Daniel Mack <daniel@zonque.org>,
Djalal Harouni <tixxdz@opendz.org>,
lkml <linux-kernel@vger.kernel.org>,
LSM <linux-security-module@vger.kernel.org>,
Paul Osmialowski <p.osmialowsk@samsung.com>,
Paul Moore <paul@paul-moore.com>
Subject: Re: kdbus: credential faking
Date: Fri, 10 Jul 2015 20:39:06 +0200 [thread overview]
Message-ID: <55A0114A.6030100@nod.at> (raw)
In-Reply-To: <55A01099.4030708@schaufler-ca.com>
Am 10.07.2015 um 20:36 schrieb Casey Schaufler:
> On 7/10/2015 11:02 AM, Richard Weinberger wrote:
>> On Fri, Jul 10, 2015 at 7:16 PM, Casey Schaufler <casey@schaufler-ca.com> wrote:
>>> On 7/10/2015 9:26 AM, David Herrmann wrote:
>>>> Hi
>>>>
>>>> On Fri, Jul 10, 2015 at 5:59 PM, Casey Schaufler <casey@schaufler-ca.com> wrote:
>>>> [...]
>>>>> There are so many ways uids are being (miss/ab)used
>>>>> on Linux systems these days that the idea of trusting a bus just
>>>>> because its non-root uid is listed in a table somewhere (or worse,
>>>>> coded in an API) is asking for exploits.
>>>> Please elaborate on these possible exploits. I'd also like to hear,
>>>> whether the same applies to the already used '/run/user/<uid>/bus',
>>>> which follows nearly the same model.
>>> Sorry, I'm not the exploit generator guy. If I where, I would
>>> point out that the application expecting the uid to identify
>>> a person is going to behave incorrectly on the system that uses
>>> the uid to identify an application. I never said that I liked
>>> /run/user/<uid>/bus. Come to think of it, I never said I like
>>> dbus, either.
>> What did you mean by uids are being abused or misused?
>
> The uid is intended to identify a human on a shared machine.
> The traditional Linux access control model assumes that the
> various users (identified by uid) are aware of what they are
> doing and sharing information in the way they intend. Further,
> they are responsible for the behavior of the programs that
> they run.
>
> On some systems the uid is being used as an application identifier
> instead of a human identifier. The access controls are not designed
> for this. The POSIX capabilities aren't designed for this. If Fred
> creates a program that is setuid to fred and gets Barney to run it,
> you hold Fred accountable. If a malicious (or compromised) application
> identified by "fred" creates a setuid fred program and the "barney"
> application runs it, who do you hold accountable? It's a completely
> different mindset. Sure, you can wedge the one into the other, but
> it's not the intended use. Hence, misuse or abuse.
>
> I understand the temptation to repurpose the uid on a single user
> platform. It's easy to explain and works at the slideware level.
> It's a whole lot easier than creating a security module to do the
> job correctly, although there's work underway to address that issue.
Thanks a lot for pointing this out.
Things are much clearer now. :)
Thanks,
//richard
next prev parent reply other threads:[~2015-07-10 18:39 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-09 18:26 kdbus: credential faking Stephen Smalley
2015-07-09 22:22 ` David Herrmann
2015-07-09 22:56 ` Casey Schaufler
2015-07-10 9:05 ` David Herrmann
2015-07-10 13:29 ` Stephen Smalley
2015-07-10 13:25 ` Stephen Smalley
2015-07-10 13:43 ` David Herrmann
2015-07-10 14:20 ` Martin Steigerwald
2015-07-10 14:25 ` Martin Steigerwald
2015-07-10 14:47 ` Stephen Smalley
2015-07-10 14:57 ` Alex Elsayed
2015-07-10 16:20 ` Casey Schaufler
2015-07-10 16:30 ` Alex Elsayed
2015-07-10 17:46 ` Casey Schaufler
2015-07-10 16:48 ` David Herrmann
2015-07-10 18:13 ` Stephen Smalley
2015-07-10 22:04 ` Greg KH
2015-07-10 15:59 ` Casey Schaufler
2015-07-10 16:26 ` David Herrmann
2015-07-10 17:16 ` Casey Schaufler
2015-07-10 18:02 ` Richard Weinberger
2015-07-10 18:36 ` Casey Schaufler
2015-07-10 18:39 ` Richard Weinberger [this message]
2015-07-11 11:30 ` Richard Weinberger
2015-07-11 11:02 ` Christoph Hellwig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=55A0114A.6030100@nod.at \
--to=richard@nod.at \
--cc=casey@schaufler-ca.com \
--cc=daniel@zonque.org \
--cc=dh.herrmann@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=p.osmialowsk@samsung.com \
--cc=paul@paul-moore.com \
--cc=sds@tycho.nsa.gov \
--cc=tixxdz@opendz.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.