Re: [alpine-devel] 3.3 proposal: reduce number of SUID binaries as much as possible

Orion
Message ID
<20150529111035.0f06eb3e@twinpeaks.my.domain>
Sender timestamp
1432923035
DKIM signature
missing
# Note
Trying to get rid of SUID/SGID executables from alpine-mini most likely
will introduce more complexity. I concede that this may not be worth the
effort for the alpine-mini ISO as an install medium but as installation
options, like choosing between dropbear and openssh for your
ssh daemon.

On Fri, 29 May 2015 11:42:31 -0500
William Pitcock <nenolod@dereferenced.org> wrote:

> As far as I know there's no SUID/SGID enabled packages in alpine-mini
> other than bbsuid which we install to proxy only the SUID-needing bits
> of busybox.

While most likely that is true there are programs that are symbolically
linked to /bin/bbsuid and don't strictly have to be.

* /bin/ping
* /bin/ping6
* /usr/bin/crontab
* /usr/bin/passwd
* /usr/bin/traceroute


# network tools
Could the need for /bin/bbsuid be possibly removed by using extended
file capabilities?


# passwd
The openwall project provides a shadow file mechanism that removes the
need for suid bit on passwd. 

* http://openwall.com/tcb/

I've successfully compiled tcb on Alpine however I've not had the
chance to fully test it.


# cron
There are a variety of cron daemons out there and I believe one of them
provides a more fine grained controlled cron system. I think bcron may
be one.

* http://untroubled.org/bcron/

-- 
keybase.io/systmkor

Re: [alpine-devel] 3.3 proposal: reduce number of SUID binaries as much as possible

William Pitcock
Message ID
<CA+T2pCF+FcECb_NYr=8x_JMvMmW_VwYBKm=jWonN8wrjw=1_3w@mail.gmail.com>
In-Reply-To
<20150529111035.0f06eb3e@twinpeaks.my.domain> (view parent)
Sender timestamp
1432948067
DKIM signature
missing
Hello,

On Fri, May 29, 2015 at 1:10 PM, Orion <systmkor@gmail.com> wrote:
> # Note
> Trying to get rid of SUID/SGID executables from alpine-mini most likely
> will introduce more complexity. I concede that this may not be worth the
> effort for the alpine-mini ISO as an install medium but as installation
> options, like choosing between dropbear and openssh for your
> ssh daemon.
>
> On Fri, 29 May 2015 11:42:31 -0500
> William Pitcock <nenolod@dereferenced.org> wrote:
>
>> As far as I know there's no SUID/SGID enabled packages in alpine-mini
>> other than bbsuid which we install to proxy only the SUID-needing bits
>> of busybox.
>
> While most likely that is true there are programs that are symbolically
> linked to /bin/bbsuid and don't strictly have to be.
>
> * /bin/ping
> * /bin/ping6
> * /usr/bin/traceroute

I am preparing to push a busybox update which handles this using file
capabilities as you mention below.

> * /usr/bin/crontab

I think we could set it up so that crontab is owned by the individual
user, and then it doesn't really need SUID anymore.  We could at least
make bbsuid drop privilege for the crontab case if it doesn't have to
initially create the crontab.

> * /usr/bin/passwd

This can be resolved using TCB shadow, which we already technically
support ala musl libc, but busybox doesn't.

> # passwd
> The openwall project provides a shadow file mechanism that removes the
> need for suid bit on passwd.
>
> * http://openwall.com/tcb/
>
> I've successfully compiled tcb on Alpine however I've not had the
> chance to fully test it.

This handles the case where systems are running PAM + shadow instead
of busybox login, but we need to make busybox aware of TCB too.  This
will require some patching, but shouldn't be too complex.  I might be
able to find some time to do it this weekend.

I feel however that integration of TCB shadow should be its own
release goal, as we need to test migration to tcb shadow and so on.

> # cron
> There are a variety of cron daemons out there and I believe one of them
> provides a more fine grained controlled cron system. I think bcron may
> be one.
>
> * http://untroubled.org/bcron/

How heavy is bcron?  Is it compatible with our current crontabs, etc?
Replacing the cron should also be its own release goal so we can study
the impacts appropriately.

William


---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---

Re: [alpine-devel] 3.3 proposal: reduce number of SUID binaries as much as possible

William Pitcock
Message ID
<CA+T2pCGX0QovNn65CRNj3psBGqEqyCqsS2tQ3YHJs7geamWFnA@mail.gmail.com>
In-Reply-To
<CA+T2pCF+FcECb_NYr=8x_JMvMmW_VwYBKm=jWonN8wrjw=1_3w@mail.gmail.com> (view parent)
Sender timestamp
1433066570
DKIM signature
missing
Hello,

On Fri, May 29, 2015 at 8:07 PM, William Pitcock
<nenolod@dereferenced.org> wrote:
> Hello,
>
> On Fri, May 29, 2015 at 1:10 PM, Orion <systmkor@gmail.com> wrote:
>> # Note
>> Trying to get rid of SUID/SGID executables from alpine-mini most likely
>> will introduce more complexity. I concede that this may not be worth the
>> effort for the alpine-mini ISO as an install medium but as installation
>> options, like choosing between dropbear and openssh for your
>> ssh daemon.
>>
>> On Fri, 29 May 2015 11:42:31 -0500
>> William Pitcock <nenolod@dereferenced.org> wrote:
>>
>>> As far as I know there's no SUID/SGID enabled packages in alpine-mini
>>> other than bbsuid which we install to proxy only the SUID-needing bits
>>> of busybox.
>>
>> While most likely that is true there are programs that are symbolically
>> linked to /bin/bbsuid and don't strictly have to be.
>>
>> * /bin/ping
>> * /bin/ping6
>> * /usr/bin/traceroute
>
> I am preparing to push a busybox update which handles this using file
> capabilities as you mention below.

This is now in busybox-1.23.2-r1.  I am still investigating how best
to handle migration to a TCB type thing.

bbsuid presently wraps:

===
const static char * applets[] = {
        "/bin/mount",
        "/bin/umount",
        "/usr/bin/crontab",
        "/usr/bin/passwd",
        "/usr/bin/su",
        NULL
};
===

It may be more interesting to extend capabilities to handle /bin/mount
and /bin/umount, or perhaps, require membership in a staff group to
use those commands.  /usr/bin/passwd is handled by TCB and I believe
crontab can be handled by giving the user ownership of their crontab
file.  /usr/sbin/su, should of course, be suid.

William


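An added example, not code from the thread or from Alpine's busybox/bbsuid packaging: a POSIX shell audit for the SUID inventory Orion lists in the first message and the bbsuid applet table William quotes in the last one. It finds SUID/SGID files, resolves which symlinks lead to the wrapper, and prints the file-capability replacement for the raw-socket applets. The fixture tree, the `cap_net_raw+ep` mapping for ping/ping6/traceroute/traceroute6, and the function names are assumptions of this example; it runs as an ordinary user and does not call setcap.

```shell
#!/bin/sh
# Added example, not code from the thread or from Alpine: audit a tree for
# SUID/SGID executables and for symlinks that resolve to a bbsuid-style
# wrapper, and print the file-capability replacement for the network applets.
# Assumes POSIX sh plus find/readlink/mktemp as shipped by busybox or
# coreutils, run as an ordinary user against the fixture built by make_fixture.

# Every regular file under $1 carrying the SUID (4000) or SGID (2000) bit.
find_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# Every symlink under $1 whose fully resolved target is the wrapper $2.
# readlink -f follows the whole chain, so relative and absolute links both work.
find_wrapper_links() {
    want=$(readlink -f "$2") || return 1
    find "$1" -type l | while read -r link; do
        [ "$(readlink -f "$link")" = "$want" ] && echo "$link"
    done | sort
}

# Capability set assumed to replace the SUID bit for the raw-socket applets
# (ICMP echo / traceroute probes need CAP_NET_RAW, nothing else from root).
# Any other applet is reported for review rather than guessed at.
caps_for() {
    case ${1##*/} in
        ping|ping6|traceroute|traceroute6) echo cap_net_raw+ep ;;
        *) return 1 ;;
    esac
}

# For each wrapper link, print either the setcap replacement or "review".
# File capabilities live in an xattr on the target inode, so the applet must
# first become its own executable; a symlink into bbsuid or the multi-call
# busybox binary cannot carry a capability of its own.
plan() {
    find_wrapper_links "$1" "$2" | while read -r link; do
        if caps=$(caps_for "$link"); then
            echo "$link: setcap $caps (after replacing the symlink with a real executable)"
        else
            echo "$link: review"
        fi
    done
}

# Constructed fixture mirroring the thread's layout: one SUID wrapper, the
# five applets symlinked to it, and one ordinary busybox applet as a control.
# Prints the fixture root; the caller removes it.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/usr/bin"
    printf '#!/bin/sh\nexit 0\n' > "$root/bin/bbsuid"
    chmod 4755 "$root/bin/bbsuid"          # owner may set u+s on an own file
    : > "$root/bin/busybox"
    chmod 0755 "$root/bin/busybox"
    for a in ping ping6; do ln -s bbsuid "$root/bin/$a"; done
    for a in crontab passwd traceroute; do ln -s ../../bin/bbsuid "$root/usr/bin/$a"; done
    ln -s busybox "$root/bin/ls"            # not SUID, must not be reported
    echo "$root"
}
```

Against a real system the same functions are called as `find_suid_sgid /` and `plan / /bin/bbsuid`; the fixture only exists so the audit can be exercised without root. The "review" entries are the two cases the thread leaves open (crontab ownership, TCB shadow for passwd), which no capability bit solves on its own.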