Re: [alpine-devel] 3.3 proposal: reduce number of SUID binaries as much as possible

From: William Pitcock <nenolod_at_dereferenced.org>
Date: Fri, 29 May 2015 20:07:47 -0500

Hello,

On Fri, May 29, 2015 at 1:10 PM, Orion <systmkor_at_gmail.com> wrote:
> # Note
> Trying to get rid of SUID/SGID executables from alpine-mini most likely
> will introduce more complexity. I concede that this may not be worth the
> effort for the alpine-mini ISO as an install medium but as installation
> options, like choosing between dropbear and openssh for your
> ssh daemon.
>
> On Fri, 29 May 2015 11:42:31 -0500
> William Pitcock <nenolod_at_dereferenced.org> wrote:
>
>> As far as I know there's no SUID/SGID enabled packages in alpine-mini
>> other than bbsuid which we install to proxy only the SUID-needing bits
>> of busybox.
>
> While most likely that is true there are programs that are symbolically
> linked to /bin/bbsuid and don't strictly have to be.
>
> * /bin/ping
> * /bin/ping6
> * /usr/bin/traceroute

I am preparing to push a busybox update which handles this using file
capabilities as you mention below.

> * /usr/bin/crontab

I think we could set it up so that crontab is owned by the individual
user, and then it doesn't really need SUID anymore. We could at least
make bbsuid drop privilege for the crontab case if it doesn't have to
initially create the crontab.

> * /usr/bin/passwd

This can be resolved using TCB shadow, which we already technically
support ala musl libc, but busybox doesn't.

> # passwd
> The openwall project provides a shadow file mechanism that removes the
> need for suid bit on passwd.
>
> * http://openwall.com/tcb/
>
> I've successfully compiled tcb on Alpine however I've not had the
> chance to fully test it.

This handles the case where systems are running PAM + shadow instead
of busybox login, but we need to make busybox aware of TCB too. This
will require some patching, but shouldn't be too complex. I might be
able to find some time to do it this weekend.

I feel however that integration of TCB shadow should be its own
release goal, as we need to test migration to tcb shadow and so on.

> # cron
> There are a variety of cron daemons out there and I believe one of them
> provides a more fine grained controlled cron system. I think bcron may
> be one.
>
> * http://untroubled.org/bcron/

How heavy is bcron? Is it compatible with our current crontabs, etc?
Replacing the cron should also be its own release goal so we can study
the impacts appropriately.

William
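As an added example, not part of this thread or of Alpine's own tooling: a small POSIX shell audit that lists set-id regular files under a root and flags any not on an allowlist, reflecting the thread's premise that bbsuid should be the only SUID binary in alpine-mini, and that shows file capabilities (the replacement proposed above for ping and traceroute) where the libcap tools exist. The allowlist format (one absolute path per line) and the script name are my own assumptions.

```shell
#!/bin/sh
# Audit set-id binaries under a root directory and flag any not on an allowlist.
# Constructed example: the allowlist is assumed to hold one absolute path per
# line (e.g. /bin/bbsuid), reflecting the thread's premise that bbsuid is the
# only intended SUID binary in alpine-mini. Symlinks to bbsuid (ping, crontab,
# ...) are not themselves set-id, so only regular files are inspected.

# Print every regular file below $1 with the SUID (4000) or SGID (2000) bit set.
find_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# Print set-id files below $1 whose root-relative path is not listed in $2.
# Returns 0 when the tree is clean, 1 when unexpected files were printed,
# 2 if grep itself failed (unreadable allowlist, etc.).
unexpected_setid() {
    root=${1%/}; allow=$2          # strip a trailing slash so "/" yields "/bin/..."
    find_setid "${root:-/}" | sed "s|^$root||" | grep -vxF -f "$allow"
    case $? in
        1) return 0 ;;             # grep selected nothing: everything is allowlisted
        0) return 1 ;;             # at least one unexpected set-id file was printed
        *) return 2 ;;
    esac
}

# List file capabilities below $1, the mechanism the thread proposes for ping
# and traceroute instead of SUID, when the libcap tools are installed.
show_caps() {
    if command -v getcap >/dev/null 2>&1; then
        getcap -r "$1" 2>/dev/null
    else
        echo "getcap not installed; cannot list file capabilities" >&2
    fi
}

# Usage: sh suid-audit.sh ROOT ALLOWLIST, e.g. sh suid-audit.sh / /etc/suid-allowlist
if [ "$#" -eq 2 ]; then
    if unexpected_setid "$1" "$2"; then
        echo "no unexpected SUID/SGID files under $1"
    fi
    show_caps "$1"
fi
```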


Received on Fri May 29 2015 - 20:07:47 GMT