suid-binary vulnerabilities

suid-binary vulnerabilities

Posted Oct 28, 2010 15:21 UTC (Thu) by ccurtis (guest, #49713)
In reply to: suid-binary vulnerabilities by RobSeace
Parent article: Two glibc vulnerabilities

Looks like Fedora 15 is going to try it.

http://fedoraproject.org/wiki/Features/RemoveSETUID


suid-binary vulnerabilities

Posted Oct 28, 2010 19:44 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]

they are not fundamentally changing anything, they are just moving from a single suid bit to an array of individual capabilities. This still lets a user execute a program that will have more privileges than the user with whatever environment the user defines.

suid-binary vulnerabilities

Posted Oct 29, 2010 11:00 UTC (Fri) by marcH (subscriber, #57642) [Link]

Still looks like a major improvement to me.

suid-binary vulnerabilities

Posted Oct 28, 2010 22:04 UTC (Thu) by kees (subscriber, #27264) [Link]

This just slightly reduces the attack surface, but doesn't fundamentally solve the problem (vulnerabilities like this in the loader are extremely dangerous). There will still be things with CAP_SETUID. Here's Tavis's $ORIGIN attack, unchanged except modified to target /bin/su instead of /bin/ping, and with the proposed change made to /bin/su (drop setuid, gain CAP_SETUID):

[kees@fedora-13-i686 ~]$ ls -la /bin/su
-rwxr-xr-x. 1 root root 29292 Feb 12 2010 /bin/su
[kees@fedora-13-i686 ~]$ getcap /bin/su
/bin/su = cap_setuid+ep
[kees@fedora-13-i686 ~]$ ./glibc-ld_audit-origin.sh
[root@fedora-13-i686 ~]# id
uid=0(root) gid=500(kees) groups=0(root),500(kees) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

suid-binary vulnerabilities

Posted Oct 29, 2010 10:27 UTC (Fri) by marcH (subscriber, #57642) [Link]

Please be fair and compare CAP_NET_RAW with CAP_SETUID.

suid-binary vulnerabilities

Posted Oct 29, 2010 11:49 UTC (Fri) by kees (subscriber, #27264) [Link]

Why? If this is about whole-system security, there will still be binaries with CAP_SETUID (su, sudo, newrole, seunshare, etc). It absolutely reduces the attack surface in general, but linker vulnerabilities will remain a serious problem. Removing the setuid bit is a great idea for reducing the impact of bugs in the setuid program itself, though.
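The practical consequence of the two comments above (dlang's point that capabilities are still privilege granted to user-controlled execution, and kees's `cap_setuid+ep` session) is that an audit of a system has to count file capabilities alongside setuid bits, and treat some capabilities as no better than setuid root. The following script is an added example written for this page, not code from the thread or from the Fedora feature; the ROOT_EQUIV list is my assumption and the sample getcap lines are constructed (both the old `path = caps+flags` format shown in the thread and the newer `path caps=flags` one).

```shell
#!/bin/sh
# Added example: audit setuid/setgid files and file capabilities, flagging
# capabilities that are root-equivalent, since a dynamic-loader bug in such a
# binary ends the same way as in a setuid-root one.

# Constructed sample of getcap output (not from a real system).
SAMPLE_GETCAP='/bin/su = cap_setuid+ep
/bin/ping = cap_net_raw+ep
/usr/bin/sudo cap_setuid,cap_setgid=ep
/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip'

# Assumed set of capabilities treated as root-equivalent for this audit.
ROOT_EQUIV='cap_setuid cap_setgid cap_sys_admin cap_dac_override cap_sys_module cap_sys_ptrace cap_chown cap_fowner'

is_root_equiv() {                 # is_root_equiv cap_name -> 0 if in ROOT_EQUIV
    case " $ROOT_EQUIV " in *" $1 "*) return 0 ;; *) return 1 ;; esac
}

# classify_caps "<getcap line>" -> "ROOT-EQUIV|LIMITED <path> <caps>"
classify_caps() {
    path=${1%% *}                 # first field is the path
    spec=${1#* }                  # remainder is the capability spec
    spec=${spec#= }               # older getcap separates with " = "
    capset=${spec%%[+=]*}         # drop the action-set flags (+ep, =eip, ...)
    verdict=LIMITED
    for c in $(printf '%s' "$capset" | tr ',' ' '); do
        is_root_equiv "$c" && verdict=ROOT-EQUIV
    done
    printf '%s %s %s\n' "$verdict" "$path" "$spec"
}

# count_root_equiv: reads getcap lines on stdin, prints how many are root-equivalent
count_root_equiv() {
    n=0
    while IFS= read -r line; do
        case $(classify_caps "$line") in ROOT-EQUIV*) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

# Live audit (run as root for full coverage): setuid/setgid files, then file caps.
audit_privileged() {
    find / -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
        while IFS= read -r f; do printf 'SETXID %s\n' "$f"; done
    getcap -r / 2>/dev/null | while IFS= read -r line; do classify_caps "$line"; done
}

if [ "${1:-}" = --live ]; then
    audit_privileged
else
    printf '%s\n' "$SAMPLE_GETCAP" | while IFS= read -r line; do classify_caps "$line"; done
    printf 'root-equivalent capability files: %s\n' "$(printf '%s\n' "$SAMPLE_GETCAP" | count_root_equiv)"
fi
```

Run with `--live` to audit the current host instead of the constructed sample; anything reported as SETXID or ROOT-EQUIV is in scope for the loader-bug class kees describes.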

suid-binary vulnerabilities

Posted Oct 29, 2010 11:52 UTC (Fri) by rahulsundaram (subscriber, #21946) [Link]

"Removing the setuid bit is a great idea for reducing the impact of bugs in the setuid program itself, though"

Precisely, the goal.

suid-binary vulnerabilities

Posted Oct 29, 2010 13:41 UTC (Fri) by marcH (subscriber, #57642) [Link]

> Why? If this is about whole-system security, there will still be binaries with CAP_SETUID (su, sudo, newrole, seunshare, etc).

"Let's not bother making the windows more secure, because the front door sucks anyway".

Actually, let's bother. Because it's progress:
- progress towards the entire perimeter being finally secured.
- some malware knows only about windows. Being hacked once a month is progress compared to twice.

> It absolutely reduces the attack surface in general,...

Agreed!

suid-binary vulnerabilities

Posted Oct 29, 2010 15:14 UTC (Fri) by kees (subscriber, #27264) [Link]

Right, I don't mean to say it shouldn't be done. Getting rid of the setuid bit is a great goal. I was just trying to point out that it does not solve problems like those recently found in glibc. It _does_, of course, kill a whole separate set of problems, and I love that. :) I just don't want people to think dropping setuid bits is a magic bullet for solving all local privilege escalations.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds