LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

suid-binary vulnerabilities

suid-binary vulnerabilities

Posted Oct 28, 2010 22:04 UTC (Thu) by kees (subscriber, #27264)
In reply to: suid-binary vulnerabilities by ccurtis
Parent article: Two glibc vulnerabilities

This just slightly reduces the attack surface, but doesn't fundamentally solve the problem (vulnerabilities like this in the loader are extremely dangerous). There will still be things with CAP_SETUID. Here's Tavis's $ORIGIN attack, unchanged except modified to target /bin/su instead of /bin/ping, and with the proposed change made to /bin/su (drop setuid, gain CAP_SETUID):

[kees@fedora-13-i686 ~]$ ls -la /bin/su
-rwxr-xr-x. 1 root root 29292 Feb 12 2010 /bin/su
[kees@fedora-13-i686 ~]$ getcap /bin/su
/bin/su = cap_setuid+ep
[kees@fedora-13-i686 ~]$ ./glibc-ld_audit-origin.sh
[root@fedora-13-i686 ~]# id
uid=0(root) gid=500(kees) groups=0(root),500(kees) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

(Log in to post comments)

suid-binary vulnerabilities

Posted Oct 29, 2010 10:27 UTC (Fri) by marcH (subscriber, #57642) [Link]

Please be fair and compare CAP_NET_RAW with CAP_SETUID..

suid-binary vulnerabilities

Posted Oct 29, 2010 11:49 UTC (Fri) by kees (subscriber, #27264) [Link]

Why? If this is about whole-system security, there will still be binaries with CAP_SETUID (su, sudo, newrole, seunshare, etc). It absolutely reduces the attack surface in general, but linker vulnerabilities will remain a serious problem. Removing the setuid bit is a great idea for reducing the impact of bugs in the setuid program itself, though.

suid-binary vulnerabilities

Posted Oct 29, 2010 11:52 UTC (Fri) by rahulsundaram (subscriber, #21946) [Link]

"Removing the setuid bit is a great idea for reducing the impact of bugs in the setuid program itself, though"

Precisely, the goal.

suid-binary vulnerabilities

Posted Oct 29, 2010 13:41 UTC (Fri) by marcH (subscriber, #57642) [Link]

> Why? If this is about whole-system security, there will still be binaries with CAP_SETUID (su, sudo, newrole, seunshare, etc).

"Let's not bother making the windows more secure, because the front door sucks anyway".

Actually, let's bother. Because it's progress:
- progress towards the entire perimeter being finally secured.
- some malware knows only about windows. Being hacked once a month is progress compared to twice.

> It absolutely reduces the attack surface in general,...

Agreed!

suid-binary vulnerabilities

Posted Oct 29, 2010 15:14 UTC (Fri) by kees (subscriber, #27264) [Link]

Right, I don't meant to say it shouldn't be done. Getting rid of the setuid bit is a great goal. I was just trying to point out that it does not solve problems like those recently found in glibc. It _does_, of course, kill a whole separate set of problems, and I love that. :) I just don't want people to think dropping setuid bits is a magic bullet for solving all local privilege escalations.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds