Re: [security] Race condition in udev

[Mr POSIX <scott@canonical.com>]

On Tue, 2009-08-25 at 20:38 +0200, Florian Zumbiehl wrote:

> Or in more general terms: Well, yeah, there probably are many userspace
> configurations where such permissions would not be a wise thing to use.
> But still, there probably are just as many cases that are perfectly
> safe
> 
No, there really isn't.

Let's go back to basics of the UNIX security. model, and most
importantly, how this is *interpreted* by applications.


The model is one of "grant".  That is to say, that to be able to perform
any privileged action, you must be granted that privilege.

Even your uid is a "grant" of privilege, it enables you to communicate
and change other processes running under that same uid.

Likewise a gid is a "grant" of privilege.


Therefore there is an assumption that a newly created user, with a
unique uid and gid not used anywhere, has effectively no privilege.
This assumption is used in many places, but most notably when daemons
and services run as a user of their own - or even the "nobody" user.

Your example breaks this assertion.  By giving a user or group *less*
privilege than other users, you have effectively granted a privilege to
"nobody" and secure users that genuine users *do not have*.

Put simply, a mask should decrease in value when read from left to right
- 755 is valid, 577 isn't.


Giving a user or group less privilege than "anybody else" is easy to
circumvent, because the basic assumption is that by changing user or
adding a group you are *gaining* privilege. not dropping it - and thus
by switching to a "nobody" user you are *dropping* privilege not gaining
it.

Scott
-- 
Scott James Remnant
scott@canonical.com