| |||||||||||||
Cook: seccomp filter now in UbuntuCook: seccomp filter now in UbuntuPosted Mar 26, 2012 17:04 UTC (Mon) by luto (subscriber, #39314)Parent article: Cook: seccomp filter now in Ubuntu
<shameless_plug>
There's another feature in there as well: PR_SET_NO_NEW_PRIVS. It's a requirement for enabling seccomp mode 2, but it can be useful on its own.
For example, pam_nnp (temporarily at http://web.mit.edu/luto/www/linux/nnp/) will let you prevent certain users from using setuid programs. Comments welcome. I'll try to get this into upstream pam once the feature hits mainline.
(Log in to post comments)
Cook: seccomp filter now in Ubuntu Posted Mar 26, 2012 17:19 UTC (Mon) by kees (subscriber, #27264) [Link]
No shame at all! nnp is great! :)
Cook: seccomp filter now in Ubuntu Posted Mar 26, 2012 21:18 UTC (Mon) by kees (subscriber, #27264) [Link]
Here's another quick example of using no-new-privs:
http://www.outflux.net/blog/archives/2012/03/26/keeping-y...
Cook: seccomp filter now in Ubuntu Posted Mar 26, 2012 23:51 UTC (Mon) by slashdot (guest, #22014) [Link]
Isn't removing the seccomp filter on setuid execution a better solution than requiring nnp?
Of course, applications could elect to use nnp anyway, but why force it?
Cook: seccomp filter now in Ubuntu Posted Mar 26, 2012 23:56 UTC (Mon) by luto (subscriber, #39314) [Link]
Because then a task could break out of seccomp mode 2 by running a setuid program. That would IMO rather defeat the purpose.
I suspect that the average system has any number of setuid binaries installed that allow you to run arbitrary code as yourself, since that wouldn't normally be considered a security problem. As a trivial example:
$ sudo -u luto -s
does not prompt for a password.
Cook: seccomp filter now in Ubuntu Posted Mar 27, 2012 0:14 UTC (Tue) by slashdot (guest, #22014) [Link]
Well, one could indeed use nnp to avoid that, or conversely they could prepare a chroot or FS namespace with no or select setuid programs.
But maybe it's good to require it, to prevent people accidentally introducing security holes because they don't know they either need to use nnp, restrict execve or use a filesystem namespace.
Cook: seccomp filter now in Ubuntu Posted Mar 27, 2012 0:18 UTC (Tue) by luto (subscriber, #39314) [Link]
Unprivileged users can't chroot (yet [1]) or use FS namespaces. And correctly detecting when execve(2) will run a setuid program is probably impossible except in very limited circumstances.
[1] https://git.kernel.org/?p=linux/kernel/git/luto/linux.git;... [but I doubt that patch will be accepted in its current form]
Cook: seccomp filter now in Ubuntu Posted Mar 27, 2012 0:33 UTC (Tue) by slashdot (guest, #22014) [Link]
Unprivileged users have to use nnp anyway.
Privileged users, in theory, could instead want to setup a FS namespace with some setuid programs of their choice.
However, this is probably useless in practice, so indeed it may be better to avoid the risk of an accidental security hole and force nnp on.
|
|||||||||||||