Date: Fri, 29 May 2015 20:07:47 -0500
Subject: Re: [alpine-devel] 3.3 proposal: reduce number of SUID binaries as much as possible
From: William Pitcock
To: Orion
Cc: alpine-devel@lists.alpinelinux.org

Hello,

On Fri, May 29, 2015 at 1:10 PM, Orion wrote:
> # Note
> Trying to get rid of SUID/SGID executables from alpine-mini most likely
> will introduce more complexity. I concede that this may not be worth the
> effort for the alpine-mini ISO as an install medium but as installation
> options, like choosing between dropbear and openssh for your
> ssh daemon.
>
> On Fri, 29 May 2015 11:42:31 -0500
> William Pitcock wrote:
>
>> As far as I know there's no SUID/SGID enabled packages in alpine-mini
>> other than bbsuid which we install to proxy only the SUID-needing bits
>> of busybox.
>
> While most likely that is true there are programs that are symbolically
> linked to /bin/bbsuid and don't strictly have to be.
>
> * /bin/ping
> * /bin/ping6
> * /usr/bin/traceroute

I am preparing to push a busybox update which handles this using file
capabilities as you mention below.

> * /usr/bin/crontab

I think we could set it up so that crontab is owned by the individual
user, and then it doesn't really need SUID anymore. We could at least
make bbsuid drop privilege for the crontab case if it doesn't have to
initially create the crontab.

> * /usr/bin/passwd

This can be resolved using TCB shadow, which we already technically
support a la musl libc, but busybox doesn't.

> # passwd
> The openwall project provides a shadow file mechanism that removes the
> need for suid bit on passwd.
>
> * http://openwall.com/tcb/
>
> I've successfully compiled tcb on Alpine however I've not had the
> chance to fully test it.

This handles the case where systems are running PAM + shadow instead
of busybox login, but we need to make busybox aware of TCB too. This
will require some patching, but shouldn't be too complex. I might be
able to find some time to do it this weekend.
I feel however that integration of TCB shadow should be its own
release goal, as we need to test migration to tcb shadow and so on.

> # cron
> There are a variety of cron daemons out there and I believe one of them
> provides a more fine grained controlled cron system. I think bcron may
> be one.
>
> * http://untroubled.org/bcron/

How heavy is bcron? Is it compatible with our current crontabs, etc?
Replacing the cron should also be its own release goal so we can study
the impacts appropriately.

William
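
An inventory of the kind this thread relies on, as an added example that is not part of the original message or of Alpine's tooling: it lists set-id files under a root directory and the symlinks that resolve to each one, which is how applets such as /bin/ping end up running through /bin/bbsuid. The function names and the sample tree are constructed for illustration; it assumes a `find` with `-perm` and a `readlink` that supports `-f`.

```shell
#!/bin/sh
# Added example: audit SUID/SGID files and the symlinks proxied through them.
# Paths containing newlines are not handled.

# list_setid ROOT: print every regular file under ROOT with SUID or SGID set.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# list_proxied ROOT TARGET: print every symlink under ROOT resolving to TARGET.
list_proxied() {
    target=$(readlink -f "$2") || return 1
    find "$1" -xdev -type l -print | sort | while IFS= read -r link; do
        if [ "$(readlink -f "$link")" = "$target" ]; then
            printf '%s\n' "$link"
        fi
    done
}

# audit ROOT: each set-id file followed by the names that inherit its privilege.
audit() {
    list_setid "$1" | while IFS= read -r bin; do
        printf '%s\n' "$bin"
        list_proxied "$1" "$bin" | sed 's/^/  <- /'
    done
}

# make_sample_tree DIR: constructed sample layout (not a real Alpine image):
# a set-id bbsuid, a plain busybox, and applet symlinks to each.
make_sample_tree() {
    mkdir -p "$1/bin" "$1/usr/bin"
    : > "$1/bin/bbsuid";  chmod 4755 "$1/bin/bbsuid"
    : > "$1/bin/busybox"; chmod 0755 "$1/bin/busybox"
    ln -s bbsuid "$1/bin/ping"
    ln -s busybox "$1/bin/ls"
    ln -s ../../bin/bbsuid "$1/usr/bin/crontab"
}

# Audit the root directory given as the first argument, if any.
if [ "$#" -gt 0 ]; then
    audit "$1"
fi
```

Every name printed under a set-id file is a candidate for the treatment discussed above: file capabilities, a privilege drop, or a replacement mechanism.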