By Jake Edge
May 23, 2012
Partly in response to Linus Torvalds's (in)famous Google+
rant about desktop security—openSUSE in particular—Andreas
Jaeger and others have started gathering use cases for the administration
of Linux systems. The target is to try to find a balance between security
and convenience for openSUSE users. Part of the difficulty is that Linux
distributions are installed on a variety of systems with very different
security needs, which makes it difficult to choose any particular default
security scheme.
A single-user desktop or laptop has very different security needs from
those of a shared desktop or server. Torvalds's complaint was specifically
about the root password being needed to add a printer to his daughter's
laptop, but he was also unhappy with needing privileges to change the
time zone and wireless network. For a system where the only user is also
the administrator—at least a semi-privileged administrator—it
makes sense to allow those kinds of changes without the root password. But
on other systems, like shared machines or servers, it almost certainly
doesn't make sense for random users to have those powers.
That's where the balancing act comes in. If a distribution is meant to be
installed for several different scenarios, there is no One True Way to set the
privileges of users. Even for single-user systems there are differences.
Torvalds undoubtedly administers his own laptop differently than he wants
his daughter's handled. For the former, he may want to allow package
installation using his own password, the root password, or possibly no
password at all (though one would guess that's not likely). But, for his
daughter's system he wants to hold the root password himself, while
allowing a limited number of privileged operations to be done by her.
While Torvalds is a high-profile user, his complaints are likely similar to those of others.
In order to help determine what the right security configuration is for
openSUSE, Jaeger, Marcus Meissner, and Ludwig Nussel put together a list of use
cases that describe tasks that users want to do along with a short
security evaluation of each. Things like setting the system time, accessing the
network, changing firewall settings, adding printers, package installation,
and so on, are listed.
Jaeger also posted a "call
for action" to the opensuse-factory mailing list, asking for feedback and
new use case suggestions.
Much of the resulting conversation centered around the "roles and
profiles" that were also described on the web page. There is a tension
between convenience for single-user machines and those with more
complicated situations, thus higher security needs. But, even among those
who would like to see less
privilege required for some operations on single-user machines, there are
differences of opinion on which operations—and what privilege to
require. For example, Marguerite Su wants
to be able to install software without the root password on a laptop, but
others including Bryen M Yunashko are not
so sure that's what they want.
There are also different classes of package installation to consider.
Installing an update to a package from a "known good" repository is very
different from installing a new package, downgrading a package to an
earlier version, or adding a repository. The credentials required for each
might be different depending on the scenario.
That part of the thread highlights some of the difficulty in finding the
right default settings. The distribution will need to have some way to
specify which of the profiles (e.g. single-user, administered single-user,
multi-user, server, etc.) should govern, say at installation time, but
will also need some way for the overall profile to change, while also
allowing individual users to tweak the settings based on their needs. It
is a more complex problem than it might seem at first.
Suggestions in the thread range from Carlos E. R.'s installation-time dialogs to determine the
right profile to Su's idea of PolKit packages for different profiles and
use cases to Hans Witvliet's more granular
approach with multiple types of administrative roles that could be
assigned to a user. Any or all of those could make up some part of a
solution, but in a response to Witvliet, Jaeger focused on the question of defaults:
You could add all those roles but I fear it makes administration more
difficult. How can we set up in an easy way the most use cases? We still might
need for the last 10% esoteric options a config file to change the defaults
but what is the normal way?
Finding workable defaults that will cover the majority of cases is clearly
needed. Finding a set that will avoid rants like Torvalds's, while still
giving a reasonable level of security to openSUSE users, is paramount. But
there also needs to be a way for those with different needs to adjust the
policies appropriately. Pulling all of that together in a way that is easy
to understand, use, and tweak, will be an even harder problem. But it's a
problem that needs solving, and not just for openSUSE; there are opportunities
for cross-distribution collaboration here as well.
Comments (19 posted)
Brief items
No matter what anyone tells you, you never need to apologize or feel guilty
for using "setenforce 0"
-- David Miller
As any computer user already knows, passwords are a usability disaster: you
are basically told to "pick something you can't remember, then don't write
it down", which is worse than impossible if you must also use a different
password for every account. Moreover, security-wise, passwords can be
shoulder-surfed, keylogged, eavesdropped, brute-forced and phished. Notable
industry insiders have long predicted their demise. Over the past couple of
decades, dozens of alternative schemes have been proposed. Yet here we are
in 2012, still using more and more password-protected accounts every
year. Why? Can't we do any better? Don't the suggested replacements offer
any improvements?
-- Frank Stajano researches password replacement schemes
After applying a patch to the LUFA USB keyboard demo, I had my handy USB-AVR-as-Keyboard stick ready to crash Xorg:
[...]
- .UnicodeString = L"LUFA Keyboard Demo"
+ .UnicodeString = L"Keyboard (%n%n%n%n)"
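Review bot: the replacement string descriptor carries %n conversions, so any host-side code that hands the device-reported name to a printf-style function as its format string will treat it as a write directive rather than as text, which is what the crash described in this quote shows. The host-side fix is to pass untrusted device strings as a "%s" argument and never as the format string itself.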
In fact, it was so [successful] that after I got the code right and programmed it, Xorg immediately crashed on my development machine. :)
-- Kees Cook
Just block the whole site, Mike.
Go censor the file, Kyle.
Now spy on the mail, Dale.
And you're on your way
Do a bandwidth cap, Jack.
Takedowns in mass, Ash.
Steal the crypto key, Lee.
And watch the geeks flee.
-- Lauren Weinstein (with apologies to Paul Simon)
Comments (1 posted)
The H reports on a vulnerability in sudo when it is configured for IP-based restrictions on users (typically only for centrally managed sudoers files). "When the developers added IPv6 support, they inadvertently made the matching routine used for IPv4 networks call the IPv6 matching routines when no IPv4 match was found. Because the IPv6 fields would be uninitialised, it was possible for the system to think it had found a match where there wasn't one. Finding a match would, in turn, mean permission would be granted for whatever command the rule was controlling, even when the system was on a different network."
Comments (none posted)
Over at the Guardian, Cory Doctorow writes about two problems that govern the relationship between politics and technically oriented folks ("nerds" in Doctorow-speak): "nerd determinism" and "nerd fatalism". "But, while it's true that geeks can get around this sort of thing – and other bad network policies, such as network-level censorship, or vendor locks on our tablets, phones, consoles, and computers – this isn't enough to protect us, let alone the world. It doesn't matter how good your email provider is, or how secure your messages are, if 95% of the people you correspond with use a free webmail service with a lawful interception backdoor, and if none of those people can figure out how to use crypto, then nearly all your email will be within reach of spooks and control-freaks and cops on fishing expeditions."
Comments (19 posted)
For those interested in complex exploits: the Chromium Blog describes how a sequence of six independent bugs was exploited to execute code within the Chromium browser. "Even though Chrome's renderers execute inside a stricter sandbox than the GPU process, there is a special class of renderers that have IPC interfaces with elevated permissions. These renderers are not supposed to be navigable by web content, and are used for things like extensions and settings pages. However, Pinkie found another bug (117417) that allowed an unprivileged renderer to trigger a navigation to one of these privileged renderers, and used it to launch the extension manager. So, all he had to do was jump on the extension manager's IPC channel before it had a chance to connect."
Comments (44 posted)
New vulnerabilities
android-tools: udev rules set insecure permissions
Package(s): android-tools
CVE #(s): none
Created: May 21, 2012
Updated: December 4, 2012
Description: From the Red Hat bugzilla:
The udev rules file packaged with android-tools consists of rules like this:
SUBSYSTEM=="usb", ATTR{idVendor}=="0502", MODE="0666"
IOW, for *any* device with the given vendor ID, its associated device nodes will be world-writable.
Although it follows the upstream guidelines at http://developer.android.com/guide/developing/device.html, this is obviously insecure and contradicts the common practice of using ACLs to grant access to the current console user via TAG+="uaccess".
Comments (none posted)
backuppc: cross-site scripting
Package(s): backuppc
CVE #(s): CVE-2011-5081
Created: May 18, 2012
Updated: January 7, 2013
Description: From the Ubuntu advisory:
It was discovered that BackupPC did not properly sanitize its input when
processing RestoreFile error messages, resulting in a cross-site
scripting (XSS) vulnerability. With cross-site scripting vulnerabilities,
if a user were tricked into viewing server output during a crafted server
request, a remote attacker could exploit this to modify the contents, or
steal confidential data, within the same domain.
Comments (none posted)
chromium: multiple vulnerabilities
Package(s): chromium
CVE #(s): CVE-2011-3083, CVE-2011-3084, CVE-2011-3085, CVE-2011-3086, CVE-2011-3087, CVE-2011-3088, CVE-2011-3089, CVE-2011-3090, CVE-2011-3091, CVE-2011-3092, CVE-2011-3093, CVE-2011-3094, CVE-2011-3095, CVE-2011-3096, CVE-2011-3100, CVE-2011-3101
Created: May 21, 2012
Updated: November 7, 2012
Description: From the CVE entries:
browser/profiles/profile_impl_io_data.cc in Google Chrome before 19.0.1084.46 does not properly handle a malformed ftp URL in the SRC attribute of a VIDEO element, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted web page. (CVE-2011-3083)
Google Chrome before 19.0.1084.46 does not use a dedicated process for the loading of links found on an internal page, which might allow attackers to bypass intended sandbox restrictions via a crafted page. (CVE-2011-3084)
The Autofill feature in Google Chrome before 19.0.1084.46 does not properly restrict field values, which allows remote attackers to cause a denial of service (UI corruption) and possibly conduct spoofing attacks via vectors involving long values. (CVE-2011-3085)
Use-after-free vulnerability in Google Chrome before 19.0.1084.46 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving a STYLE element. (CVE-2011-3086)
Google Chrome before 19.0.1084.46 does not properly perform window navigation, which has unspecified impact and remote attack vectors. (CVE-2011-3087)
Google Chrome before 19.0.1084.46 does not properly draw hairlines, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. (CVE-2011-3088)
Use-after-free vulnerability in Google Chrome before 19.0.1084.46 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving tables. (CVE-2011-3089)
Race condition in Google Chrome before 19.0.1084.46 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to worker processes. (CVE-2011-3090)
Use-after-free vulnerability in the IndexedDB implementation in Google Chrome before 19.0.1084.46 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. (CVE-2011-3091)
The regex implementation in Google V8, as used in Google Chrome before 19.0.1084.46, allows remote attackers to cause a denial of service (invalid write operation) or possibly have unspecified other impact via unknown vectors. (CVE-2011-3092)
Google Chrome before 19.0.1084.46 does not properly handle glyphs, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. (CVE-2011-3093)
Google Chrome before 19.0.1084.46 does not properly handle Tibetan text, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. (CVE-2011-3094)
The OGG container in Google Chrome before 19.0.1084.46 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that trigger an out-of-bounds write. (CVE-2011-3095)
Use-after-free vulnerability in Google Chrome before 19.0.1084.46 on Linux allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging an error in the GTK implementation of the omnibox. (CVE-2011-3096)
Google Chrome before 19.0.1084.46 does not properly draw dash paths, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. (CVE-2011-3100)
Google Chrome before 19.0.1084.46 on Linux does not properly mitigate an unspecified flaw in an NVIDIA driver, which has unknown impact and attack vectors. (CVE-2011-3101)
Comments (none posted)
feedparser: denial of service
Package(s): feedparser
CVE #(s): CVE-2012-2921
Created: May 23, 2012
Updated: April 10, 2013
Description: From the CVE entry:
Universal Feed Parser (aka feedparser or python-feedparser) before 5.1.2 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML ENTITY declaration in a non-ASCII encoded document.
Comments (none posted)
ikiwiki: cross-site scripting
Package(s): ikiwiki
CVE #(s): CVE-2012-0220
Created: May 17, 2012
Updated: May 29, 2012
Description: From the Debian advisory:
Raúl Benencia discovered that ikiwiki, a wiki compiler, does not
properly escape the author (and its URL) of certain metadata, such as
comments. This might be used to conduct cross-site scripting attacks.
Comments (none posted)
libxml2: code execution
Package(s): libxml2
CVE #(s): CVE-2011-3102
Created: May 22, 2012
Updated: March 1, 2013
Description: From the Ubuntu advisory:
Juri Aedla discovered that libxml2 contained an off-by-one error in its
XPointer functionality. If a user or application linked against libxml2
were tricked into opening a specially crafted XML file, an attacker could
cause the application to crash or possibly execute arbitrary code with the
privileges of the user invoking the program.
Comments (none posted)
openoffice.org: code execution
Package(s): openoffice.org
CVE #(s): CVE-2012-1149
Created: May 17, 2012
Updated: June 14, 2012
Description: From the Debian advisory:
Tielei Wang discovered that OpenOffice.org does not allocate a large
enough memory region when processing a specially crafted JPEG object,
leading to a heap-based buffer overflow and potentially arbitrary code
execution.
Comments (none posted)
perl-Config-IniFiles: insecure temporary files
Package(s): perl-Config-IniFiles
CVE #(s): CVE-2012-2451
Created: May 22, 2012
Updated: August 21, 2012
Description: From the Red Hat bugzilla:
perl-Config-IniFiles used a predictable temporary file name ($(unknown)-new) which makes it prone to a symlink attack. If a malicious user were to create a symlink pointing to another file writable by the user running an application that used perl-Config-IniFiles, they could overwrite the contents of that file.
Comments (none posted)
pidgin-otr: code execution
Package(s): pidgin-otr
CVE #(s): CVE-2012-2369
Created: May 18, 2012
Updated: July 10, 2012
Description: From the Red Hat bugzilla entry:
Versions 3.2.0 and earlier of the pidgin-otr plugin contain a format
string security flaw. This flaw could potentially be exploited by
a remote attacker to cause arbitrary code to be executed on the user's
machine.
Comments (none posted)
rubygem-mail: arbitrary command execution
Package(s): rubygem-mail
CVE #(s): CVE-2012-2139, CVE-2012-2140
Created: May 21, 2012
Updated: May 23, 2012
Description: From the Red Hat bugzilla:
Two flaws were corrected in rubygem-mail version 2.4.4:
A file system traversal in the file_delivery method.
Arbitrary command execution when using exim or sendmail from the command line.
Comments (none posted)
sympa: authorization bypass
Package(s): sympa
CVE #(s): CVE-2012-2352
Created: May 21, 2012
Updated: July 12, 2012
Description: From the Debian advisory:
Several vulnerabilities have been discovered in Sympa, a mailing list
manager, that allow the scenario-based authorization mechanisms to be
skipped. This vulnerability allows unauthorized users to display the
archives management page and to download and delete the list archives.
Comments (none posted)
sudo: privilege escalation
Package(s): sudo
CVE #(s): CVE-2012-2337
Created: May 17, 2012
Updated: July 17, 2012
Description: From the Ubuntu advisory:
It was discovered that sudo incorrectly handled network masks when using Host
and Host_List. A local user who is listed in sudoers may be allowed to run
commands on unintended hosts when IPv4 network masks are used to grant access.
A local attacker could exploit this to bypass intended access restrictions. Host
and Host_List are not used in the default installation of Ubuntu.
Comments (none posted)
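The H item above and this advisory describe the same root cause: an IPv4 netmask comparison that, on a miss, fell through to an IPv6 comparison against fields the IPv4 rule never filled in. The matcher below is an added illustrative reimplementation, not sudo's code; its struct host_rule, parse_rule and host_matches names are assumptions. It shows the safe shape, where each family's fields are consulted only for rules of that family and an IPv4 miss is simply a miss.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* A rule holds fields for ONE family; the other family's fields stay zero. */
struct host_rule {
    int family;                        /* AF_INET or AF_INET6 */
    struct in_addr  v4_addr, v4_mask;  /* used only when family == AF_INET */
    struct in6_addr v6_addr, v6_mask;  /* used only when family == AF_INET6 */
};

/* Parse "network/prefixlen" into a zeroed rule; false on bad input. */
static bool parse_rule(const char *spec, struct host_rule *r) {
    char net[64];
    const char *slash = strchr(spec, '/');
    memset(r, 0, sizeof *r);
    if (slash == NULL || (size_t)(slash - spec) >= sizeof net) return false;
    memcpy(net, spec, slash - spec);
    net[slash - spec] = '\0';
    int plen = atoi(slash + 1);
    if (inet_pton(AF_INET, net, &r->v4_addr) == 1 && plen >= 0 && plen <= 32) {
        r->family = AF_INET;
        r->v4_mask.s_addr = plen ? htonl(~0u << (32 - plen)) : 0;
        r->v4_addr.s_addr &= r->v4_mask.s_addr;
        return true;
    }
    if (inet_pton(AF_INET6, net, &r->v6_addr) == 1 && plen >= 0 && plen <= 128) {
        r->family = AF_INET6;
        for (int i = 0; i < 16; i++) {   /* build the mask byte by byte */
            int bits = plen - 8 * i;
            r->v6_mask.s6_addr[i] = bits >= 8 ? 0xff : bits <= 0 ? 0
                                  : (unsigned char)(0xff << (8 - bits));
            r->v6_addr.s6_addr[i] &= r->v6_mask.s6_addr[i];
        }
        return true;
    }
    return false;
}

/* Safe shape: consult only the comparison for the rule's own family, and
 * treat an IPv4 miss as a miss instead of falling through to the IPv6 fields. */
bool host_matches(const char *rule_spec, const char *host_ip) {
    struct host_rule r;
    struct in_addr a4;
    struct in6_addr a6;
    if (!parse_rule(rule_spec, &r)) return false;
    if (r.family == AF_INET && inet_pton(AF_INET, host_ip, &a4) == 1)
        return (a4.s_addr & r.v4_mask.s_addr) == r.v4_addr.s_addr;
    if (r.family == AF_INET6 && inet_pton(AF_INET6, host_ip, &a6) == 1) {
        for (int i = 0; i < 16; i++)
            if ((a6.s6_addr[i] & r.v6_mask.s6_addr[i]) != r.v6_addr.s6_addr[i])
                return false;
        return true;
    }
    return false;  /* family mismatch or unparsable host: never a match */
}
```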
update-manager: multiple vulnerabilities
Package(s): update-manager
CVE #(s): CVE-2012-0948, CVE-2012-0949
Created: May 18, 2012
Updated: June 4, 2012
Description: From the Ubuntu advisory:
It was discovered that Update Manager created system state archive files
with incorrect permissions when upgrading releases. A local user could
possibly use this to read repository credentials. (CVE-2012-0948)
Felix Geyer discovered that the Update Manager Apport hook incorrectly
uploaded certain system state archive files to Launchpad when reporting
bugs. This could possibly result in repository credentials being included
in public bug reports. (CVE-2012-0949)
Comments (none posted)
wireshark: denial of service
Package(s): wireshark
CVE #(s): none
Created: May 23, 2012
Updated: May 23, 2012
Description: From the Mandriva advisory:
It may be possible to make Wireshark hang for long or indefinite
periods by injecting a malformed packet onto the wire or by convincing
someone to read a malformed packet trace file.
It may be possible to make Wireshark crash by injecting a malformed
packet onto the wire or by convincing someone to read a malformed
packet trace file.
Wireshark version 1.6.8 fixes these issues.
Comments (none posted)
Page editor: Jake Edge