Fedora and CAPP [LWN.net]

By Jake Edge
December 10, 2008

Removing the ability for regular users to execute "system" programs has a certain appeal, but does it really provide any extra security? A thread on the fedora-devel mailing list explores that question in the context of usermod (and other, similar tools), which had their permissions changed more than two years ago in an effort to meet security certification requirements. Whether these changes, and at some level the certifications themselves, actually increase the security of the system is the open question.

Callum Lerwick noticed that running usermod no longer worked as a regular user. He has a habit of doing that to get a quick overview of the command syntax and options from the help page, but unless he uses sudo, that doesn't work. That was done on purpose as Steve Grubb describes:

These should have been gone for quite a while...and on purpose. You cannot do anything with them unless you are root. Allowing anyone even to execute them would require lots of bad things for our LSPP/CAPP evaluations.

LSPP and CAPP are two protection profiles that are used for Common Criteria security certifications (such as EAL3) that Red Hat Enterprise Linux (RHEL) has earned. Because these tools can modify trusted databases (e.g. /etc/shadow), attempts to run them by untrusted users must be added to the audit log in order to comply with the certifications. But adding audit events requires the CAP_AUDIT_WRITE capability bit; in today's systems that effectively means setuid(0). As Grubb puts it: "IOW, if we open the permissions, we need to make these become setuid root so that we send audit events saying they failed."

Leaving aside the idea that only processes with root permissions are allowed to generate auditable events—which seems a bit bizarre—there is still the question of how much protection is provided by changing the file permissions. Seth Vidal asks:

And do we seriously think we can keep the code away from a non-root user by chmodd'ing the binaries? A user can get a binary for anything fedora can install in about 30s w/firefox.

Allowing users to download binaries "takes the system out of the certified configuration", according to Grubb, "So, if you need to be in the CAPP certified configuration, don't let users do this." This fairly clearly demonstrates the dubious nature of the security afforded by the current certifications. For the most part, the protection profiles define away nearly all of the interesting threats that most systems face today.

To a large extent, CAPP/LSPP certifications are the kinds of things listed in marketing materials for "enterprise" operating systems rather than serious attempts to address the real security needs of the vast majority of network connected systems. Grubb provides an excellent overview of some of the requirements of CAPP, along with how they are implemented in Fedora as part of the discussion. The CAPP information page gives the full story, however:

The CAPP provides for a level of protection, which is appropriate for an assumed non-hostile and well-managed user community requiring protection against threats of inadvertent or casual attempts to breach the system security. The profile is not intended to be applicable to circumstances in which protection is required against determined attempts by hostile and well-funded attackers to breach system security.

But CAPP does require that all attempts to modify trusted databases like the shadow password file generate an audit trail, so there is a lower-level audit rule set up for that file. Any access to /etc/shadow, for example, is logged as Grubb describes in his overview. That, though, begs other questions as Lerwick points out:

So we *are* auditing low level filesystem calls? So then what, other than security theater, does auditing execution of usermod gain us?

The answer is that auditing execution of usermod by non-root users gains exactly one thing: CAPP compliance. It requires that binaries which modify trusted databases leave an audit trail. Even though any actual attempt to access the underlying file will be logged, just accessing the binary that could modify the file is also something that must be logged.

Part of the dismay displayed in the thread comes from the fact that Fedora will probably never be certified with CAPP for any number of reasons. So taking away longstanding user abilities, though there are reasonable alternatives like man usermod, for a certification that won't be done, doesn't sit well with some in the Fedora community. Though, as Jef Spaleta notes, there might be a use for the certification in a Fedora spin:

Is there need for certified 'appliance' situations that a new 3rd party could leverage Fedora to create? I can imagine all sorts of no network software appliance situations where the CAPP certification applies and a Fedora derived image would be a good development target.

There is always going to be tension between the security needs of an "enterprise" distribution like RHEL and a more user/desktop-oriented distribution like Fedora. While the specific reduced functionality in this case is fairly minimal, the discussion increased the visibility of the auditing required for certification as well as what that means for both distributions. The original decision was made back in the Fedora Core days when there was much less visibility and community input into the process. Discussions like this will only help continue the process of opening up Fedora while also exposing some of the inadequacies of security certifications.

(Log in to post comments)

Minor correction

Posted Dec 11, 2008 15:08 UTC (Thu) by jake (editor, #205) [Link]

> I believe it's Jef Spaleta

I believe so too, but he should probably tell his mail program which is rudely putting "Jeff Spaleta" in the From header as can be seen here.

jake

Oh Jak, Jak ....

Posted Dec 11, 2008 15:54 UTC (Thu) by felixfix (subscriber, #242) [Link]

I am surprised you did not take the opportunity to modify your signature.

One chance for immortality :-)

Minor correction

Posted Dec 11, 2008 16:14 UTC (Thu) by cry_regarder (subscriber, #50545) [Link]

That was actually me fixing my typo...

Cry

Minor correction

Posted Dec 11, 2008 19:19 UTC (Thu) by jspaleta (subscriber, #50639) [Link]

Uhm... I didnt write the comment you cite.

-jef

Correcting the correction - thanks

Posted Dec 11, 2008 19:39 UTC (Thu) by pr1268 (subscriber, #24648) [Link]

Oops, sorry 'bout that. Thanks for correcting the correction. And thanks to cry_regarder likewise.

usermod as non-root user

Posted Dec 11, 2008 3:18 UTC (Thu) by pr1268 (subscriber, #24648) [Link]

I was wondering the same... I believe that the second paragraph answers this—Callum Lerwick was running it (presumably without any arguments) to get a quick reference on how to use it. Which I do occasionally for unfamiliar shell commands when I don't want to wade through a man page (or if a man page doesn't exist).

usermod as non-root user

Posted Dec 11, 2008 3:45 UTC (Thu) by wtogami (subscriber, #32325) [Link]

OK, then why would it be important to allow?

Presumably if the goal is only to learn how to use it, you could read the man page instead, which by certification requirements must be documented and complete or it is a bug that should be filed and fixed.

usermod as non-root user

Posted Dec 11, 2008 6:42 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]

it could also be argued that running the command as a non-root user (especially with no parameters) is not really an attempt to change anything and so doesn't need to be audited.

_many_ *nix tools can be used by both privileged and non-privileged users. the non-privileged users can do the read functionality of the command, but write commands will fail.

usermod as non-root user

Posted Dec 11, 2008 13:13 UTC (Thu) by epa (subscriber, #39769) [Link]

In order to satisfy the religious edicts from CAPP, the tool could be split into usermod-real, which is the real usermod program, and usermod, which is just a shell script wrapper. The script would understand --help and --version but not much else, and would not invoke usermod-real unless running as root. That would comply with the letter and spirit of the law while not breaking the existing interface.

usermod as non-root user

Posted Dec 11, 2008 15:59 UTC (Thu) by felixfix (subscriber, #242) [Link]

If you will pardon a socio-politico comment :-) this is a common thing. Ban the tool when the tool itself is harmless, rather than the subset of its actions which are the real evil. I am especially familiar with this since I live in California and like to shoot guns, but it applies to all manner of things. It is a quite common human failing. I sometimes wonder of all the OSHA labels we get in the USA (do not step on the top steps or the backside of a ladder, do not use electrical devices in the bath) are a misguided attempt to get around that, but that's about when I decide that politicians are evil and my brain switches to a less annoying topic.

It's easier to ban dangerous products than ignorant people

Posted Dec 11, 2008 19:57 UTC (Thu) by pr1268 (subscriber, #24648) [Link]

Ban the tool when the tool itself is harmless, rather than the subset of its actions which are the real evil.

It's always easier (and more politically "correct") to ban dangerous products/tools rather than ignorant and/or unintelligent people. Notice that I don't mention evil/malicious people, as we (supposedly) have a law enforcement and criminal justice infrastructure to deal with them.

While there's some cynicism in my comment, I generally agree with you—There's a lot of regulatory compliance (e.g., the OSHA labels) forced upon consumer products—some might argue too much—because the consumer public simply has too much to think about at any given moment to fully understand the consequences of (mis-)using things. Like a simple usermod(8) shell command.

usermod as non-root user

Posted Dec 11, 2008 16:24 UTC (Thu) by zuki (subscriber, #41808) [Link]

A more useful scenario: rpm.

Running rpm -i as a normal user checks the dependencies and then either bails out or fails because it cannot lock the database. So when installing an rpm, you can download it, test for deps, download them, test, ..., and then do sudo rpm -i ... when ready.

Removing this rpm functionality would be a much bigger PITA.

usermod as non-root user

Posted Dec 11, 2008 17:37 UTC (Thu) by wtogami (subscriber, #32325) [Link]

I do agree that this in particular would be stupid. Did anyone suggest that this happen? It didn't at this point.

usermod as non-root user

Posted Dec 12, 2008 9:30 UTC (Fri) by zuki (subscriber, #41808) [Link]

Yeah, no one did yet. But the principle is the same - an unprivileged user calls a binary that can modify the system in a very important way.

usermod as non-root user

Posted Dec 11, 2008 18:10 UTC (Thu) by iabervon (subscriber, #722) [Link]

I often want to run important system-administration operations without the capabilities needed to affect anything in order to verify that my command line is correct before getting the capabilities.

Say you're trying to add yourself to a group for managing a new piece of software. How do you make sure you don't remove yourself from "wheel" accidentally, leaving yourself unable to apply critical security patches in a timely fashion? In order to be safe, you should be able to run the command in a "pretend" mode that will report the actions it would take without actually taking them (it doesn't seem to have it, so the rest of this is kind of theoretical). But if you're worried about making a mistake in running the command, you should be worried about making a mistake invoking "pretend" mode; to be safe, you should run it without the capabilities to cause actual changes, verify that the effects are what you want, and then acquire the capabilities to do it for real and run the same command.

As a policy, prohibiting attempting operations without appropriate permissions just increases the chance of security breaches due to administrator error.

Fedora and CAPP

Posted Dec 11, 2008 20:15 UTC (Thu) by jspaleta (subscriber, #50639) [Link]

I think CAPP is definitely is an ill fitting for typical home users desktop or laptop applications. Is it for corporate? I don't know.

I feel this is the sort of thing that needs to be done modularly.
LSB compliance is provided modularly, we don't require default desktop installation to be LSB compliant. But a Fedora install can be made compliant via the installation of a package.

The interesting question isn't whether CAPP is valuable or not. The value of CAPP compliance, just like LSB compliance is not an intrinsic quality. The value of these things are situational, and are based on the policy needs you find yourself working in. Either it will matter to you or it will not.

The interesting question is, if its valuable to some subset of users and contributors, can it be implemented in a modular way. If Fedora CAPP compliance, even option compliance, helps get a linux development system into the door by lowering the red tape for a sysadmin...it has enough value to be worthwhile to be a Fedora 'feature'. It's just a question of how to implement that compliance so that it can co-exist with other Fedora usage scenarios.

-jef

Fedora and CAPP

Posted Dec 15, 2008 23:30 UTC (Mon) by Tet (subscriber, #5433) [Link]

I feel this is the sort of thing that needs to be done modularly. LSB compliance is provided modularly, we don't require default desktop installation to be LSB compliant. But a Fedora install can be made compliant via the installation of a package.

Agreed 100%. So why not implement the ban on running these apps with SELinux rather than with permissions? Any LSPP/CAPP compliant machine will be running SELinux anyway, and that way, there could be an selinux-policy-capp package for those that need it, and those that don't can do without.