From: ludo@gnu.org (Ludovic Courtès)
To: sbaugh@catern.com
Cc: guix-devel@gnu.org
Subject: Re: Providing an alternative to setuid in GuixSD
Date: Wed, 26 Oct 2016 14:24:18 +0200 [thread overview]
Message-ID: <878ttbti19.fsf@gnu.org> (raw)
In-Reply-To: <87funnhz7h.fsf@catern.com> (sbaugh@catern.com's message of "Sun, 23 Oct 2016 11:17:22 -0400")
Hello!
sbaugh@catern.com skribis:
> == Why remove setuid binaries? ==
>
> setuid binaries are problematic for two reasons:
>
> 1. Each binary is an attack surface which is frequently exploited by
> attackers for local privilege escalation. So getting rid of them
> would improve security.
>
> 2. setuid binaries make access control decisions in an environment
> controlled by the user running them, by looking at files at absolute
> paths in that environment, such as /etc/passwd. Thus, if unprivileged
> users had access to chroot or other filesystem namespacing
> functionality, those users could escalate privileges by manipulating
> /etc/passwd, /etc/shadow, /etc/sudoers, and then running a setuid
> binary. So unprivileged chroot is not possible.
>
> Issue 2 is a matter near and dear to our hearts here in guix-land, and
> is my primary motivation. My understanding is that if we eliminated
> all setuid binaries, we could with some confidence begin to allow
> unprivileged access to chroot/filesystem namespaces, without first
> going through user namespaces (which have their own issues). Please
> correct me if you believe this is wrong.
>
> Unprivileged access to chroot would of course greatly aid unprivileged
> installation of guix.
Well, the kernel Linux will forever support setuid binaries and thus,
most likely, chroot(2) will forever be restricted to root.
So I think removing setuid binaries on GuixSD is helpful for GuixSD
itself, but not for other distros (at least not directly so).
> I think also the ability to build a setuid-free system could make GuixSD
> a useful platform for innovation in the use of filesystem namespaces. (I
> myself certainly have plans in this area.)
Our ‘linux-libre’ package has support for user namespaces and other
namespaces built in already (this is the default kernel config I think),
so one can already play with namespaces on GuixSD and on other distros
that enable it. :-)
> == How to do it ==
>
> Most (all?) setuid binaries can be replaced with a non-setuid binary
> which performs local IPC to a privileged daemon.
>
> The largest targets for elimination are sudo and su. Luckily there is
> already a ready alternative for those commands: ssh. We can augment lsh
SSH is a complex protocol and its implementations are complex too. I
would find it unreasonable to replace ‘su’ and ‘sudo’ with something
this complex, that goes through the TCP/IP stack, etc.
> Does this plan makes sense in the context of GuixSD? Am I leaving out
> anything?
I don’t know, I’m skeptical! :-)
However, I agree that GuixSD has more latitude as to how it deals with
privileges, notably because the set of users, setuid binaries, and other
relevant bits is all described in ‘operating-system’.
Ludo’.
next prev parent reply other threads:[~2016-10-26 12:24 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-10-23 15:17 Providing an alternative to setuid in GuixSD sbaugh
2016-10-24 0:09 ` Chris Marusich
2016-10-24 22:01 ` sbaugh
2016-10-26 12:24 ` Ludovic Courtès [this message]
2016-10-26 14:40 ` sbaugh
2016-10-28 13:34 ` Ludovic Courtès
2016-10-29 21:41 ` sbaugh
2016-10-26 17:52 ` Christopher Allan Webber
2016-10-26 18:34 ` sbaugh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=878ttbti19.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=guix-devel@gnu.org \
--cc=sbaugh@catern.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).