Mail archive
alpine-devel

Re: [alpine-devel] 3.3 proposal: reduce number of SUID binaries as much as possible

From: William Pitcock <nenolod_at_dereferenced.org>
Date: Sun, 31 May 2015 05:02:50 -0500

Hello,

On Fri, May 29, 2015 at 8:07 PM, William Pitcock
<nenolod_at_dereferenced.org> wrote:
> Hello,
>
> On Fri, May 29, 2015 at 1:10 PM, Orion <systmkor_at_gmail.com> wrote:
>> # Note
>> Trying to get rid of SUID/SGID executables from alpine-mini most likely
>> will intruduce more complexity. I concede that this may not be worth the
>> effort for the alpine-mini ISO as an install medium but as installation
>> options, like choosing between between dropbear and openssh for your
>> ssh daemon.
>>
>> On Fri, 29 May 2015 11:42:31 -0500
>> William Pitcock <nenolod_at_dereferenced.org> wrote:
>>
>>> As far as I know there's no SUID/SGID enabled packages in alpine-mini
>>> other than bbsuid which we install to proxy only the SUID-needing bits
>>> of busybox.
>>
>> While most likely that is true there are programs that are symbolically
>> linked to /bin/bbsuid and don't strictly have to be.
>>
>> * /bin/ping
>> * /bin/ping6
>> * /usr/bin/traceroute
>
> I am preparing to push a busybox update which handles this using file
> capabilities as you mention below.

This is now in busybox-1.23.2-r1. I am still investigating how best
to handle migration to a TCB type thing.

bbsuid presently wraps:

===
const static char * applets[] = {
        "/bin/mount",
        "/bin/umount",
        "/usr/bin/crontab",
        "/usr/bin/passwd",
        "/usr/bin/su",
        NULL
};
===

It may be more interesting to extend capabilities to handle /bin/mount
and /bin/umount, or perhaps, require membership in a staff group to
use those commands. /usr/bin/passwd is handled by TCB and I believe
crontab can be handled by giving the user ownership of their crontab
file. /usr/sbin/su, should of course, be suid.

William


---
Unsubscribe:  alpine-devel+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-devel+help_at_lists.alpinelinux.org
---
Received on Sun May 31 2015 - 05:02:50 UTC