
Security

Filesystem capabilities in Fedora 10

By Jake Edge
January 7, 2009

Linux capabilities have been around for a long time, but they are finally starting to get to the point where they can actually be used. There are still no mainstream distributions that make use of them, but Fedora 10 has all of the requisite functionality available, as Ulrich Drepper recently pointed out in a blog posting. There are now systems available for administrators to begin to try out capabilities to see what advantages they offer.

Note that this article concerns Linux/POSIX capabilities (per-process privilege bits such as CAP_NET_RAW) and not the capability-based security model of object capabilities, which shares the name.

The canonical test program for capabilities seems to be ping; that is what Drepper used, as did Chris Friedhoff in his capabilities documentation. Currently in Fedora 10, ping is a setuid-root program as it needs privileges that normal users do not have. Removing the setuid bit with

    chmod u-s /bin/ping 
results in normal users getting the following error:
    ping: icmp open socket: Operation not permitted
But, ping can be left without the setuid bit, by proper application of capabilities.

By using the setcap command, a root user can give the required capabilities to the ping program. They are stored as an extended attribute (xattr) on the file, named security.capability, which the kernel reads at exec time when filesystem capabilities are enabled. Not all filesystems support xattrs, but for those that do, setcap writes a 20-byte value encoding the capability information: a magic/flags word followed by the permitted and inheritable bitmasks.

The capability required by ping is CAP_NET_RAW, so an administrator who wants to have a non-setuid-root ping must do:

    setcap cap_net_raw=ep /bin/ping
This sets the CAP_NET_RAW bit in the file's "permitted" (p) set and marks it "effective" (e). For a file, the effective flag is a single bit saying that the permitted capabilities are raised into the process's effective set as soon as the program starts; without it, the program would have to raise the capability itself before opening the socket, which an unmodified ping does not do. These two sets, along with the "inheritable" set, govern the capabilities that a process has or can set. Serge Hallyn's developerWorks article is a good reference for how those sets interact, and getcap /bin/ping will show what was actually stored.
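Since setcap and getcap hide the on-disk encoding, here is an added example (written for this page; it is not code from the article, from Drepper's post or from libcap) that decodes the raw security.capability value and the Cap* lines of /proc/<pid>/status, so an administrator can check both what landed on the file and what a process ended up with. It assumes the struct vfs_cap_data layout from <linux/capability.h>: the 20-byte v2 value setcap writes (a 4-byte magic/flags word, then two permitted/inheritable u32 pairs), plus the 12-byte v1 and 24-byte v3 variants; the /proc status text in the block is constructed, not captured.

```python
"""Decode the security.capability xattr and the Cap* lines of /proc/<pid>/status.
Added example for this page, not code from the article, Drepper or libcap.
Layout assumed: struct vfs_cap_data from <linux/capability.h> (v1/v2/v3)."""
import os
import struct
import sys

# Capability names indexed by number (0-33 existed in 2.6.28-era kernels).
CAP_NAMES = (
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore")
CAP_NUMBER = {name: n for n, name in enumerate(CAP_NAMES)}

VFS_CAP_FLAGS_EFFECTIVE = 0x000001      # low bits of magic_etc
VFS_CAP_REVISION_MASK = 0xFF000000      # high byte of magic_etc
# revision -> (number of permitted/inheritable u32 pairs, total length)
VFS_CAP_LAYOUT = {0x01000000: (1, 12), 0x02000000: (2, 20), 0x03000000: (2, 24)}

def mask_to_names(mask):
    """Expand a capability bitmask into names, lowest bit first."""
    names, bit = [], 0
    while mask >> bit:
        if mask >> bit & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "cap_%d" % bit)
        bit += 1
    return names

def names_to_mask(names):
    mask = 0
    for name in names:
        mask |= 1 << CAP_NUMBER[name.lower()]
    return mask

def decode_file_caps(blob):
    """Parse a raw security.capability value into its sets and flags."""
    if len(blob) < 4:
        raise ValueError("xattr too short to hold magic_etc")
    magic_etc, = struct.unpack_from("<I", blob, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if revision not in VFS_CAP_LAYOUT:
        raise ValueError("unknown vfs_cap_data revision 0x%08x" % magic_etc)
    pairs, length = VFS_CAP_LAYOUT[revision]
    if len(blob) != length:
        raise ValueError("expected %d bytes, got %d" % (length, len(blob)))
    permitted = inheritable = 0
    for i in range(pairs):              # data[i] holds bits 32*i .. 32*i+31
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    caps = {"version": revision >> 24,
            "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": mask_to_names(permitted),
            "inheritable": mask_to_names(inheritable)}
    if revision == 0x03000000:          # v3 appends the owning namespace root uid
        caps["rootid"], = struct.unpack_from("<I", blob, 20)
    return caps

def encode_file_caps(permitted, inheritable=(), effective=True):
    """Build the 20-byte v2 value that `setcap cap_x=ep file` stores."""
    p, inh = names_to_mask(permitted), names_to_mask(inheritable)
    magic_etc = 0x02000000 | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    return struct.pack("<IIIII", magic_etc, p & 0xFFFFFFFF, inh & 0xFFFFFFFF,
                       p >> 32, inh >> 32)

def file_caps(path):
    try:                                # decode the xattr of a real file
        return decode_file_caps(os.getxattr(path, "security.capability"))
    except OSError:                     # ENODATA or ENOTSUP: no capabilities
        return None

def decode_proc_caps(status_text):
    """Parse the Cap* lines of /proc/<pid>/status into name lists."""
    sets = {}
    for line in status_text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, value = line.split(":", 1)
            sets[key] = mask_to_names(int(value.strip(), 16))
    return sets

# Constructed sample (not captured): uid 500 running the non-setuid ping.
SAMPLE_STATUS = ("Name:\tping\nUid:\t500\t500\t500\t500\n"
                 "CapInh:\t0000000000000000\nCapPrm:\t0000000000002000\n"
                 "CapEff:\t0000000000002000\nCapBnd:\tffffffffffffffff\n")

if __name__ == "__main__":             # usage: script.py /bin/ping ...
    for path in sys.argv[1:]:
        print(path, file_caps(path))
```

For the article's setcap cap_net_raw=ep /bin/ping, encode_file_caps(["cap_net_raw"]) produces the bytes 01 00 00 02 (revision 2, effective flag set), then 00 20 00 00 (CAP_NET_RAW is bit 13 of the low permitted word) and twelve zero bytes; running the script against the file after setcap, or feeding a pid's /proc/<pid>/status to decode_proc_caps, should show exactly that one capability in the permitted and effective sets and nothing in the inheritable set. The encoder also lets one check a setcap invocation against what the kernel will actually see before touching a production binary.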

But, how does one find out what capabilities a particular program needs? In some ways similar to the audit2allow method sometimes used to determine SELinux policies, one can look for permission denied errors as Friedhoff describes:

    $ strace ping localhost 2>&1 | grep EPERM
    socket(PF_INET, SOCK_RAW, IPPROTO_ICMP) = -1 EPERM (Operation not permitted)
In this case, ping tried to open a raw socket which requires CAP_NET_RAW. Hallyn's article also has code for a capable_probe kernel module that can be used to see what capabilities are requested. As with the SELinux method, one must be careful that the capabilities requested are actually reasonable for the program's task before granting them.

Now that capabilities are available, folks have started to wonder when things like ping will have their setuid bit removed in standard distributions. Panu Matilainen asked on fedora-devel: "Are we ready to start considering moving away from SUID bits to capabilities, in Fedora 11 maybe?" The answer in the resulting thread seems to be "no", mostly because there is concern about folks building their own kernel without support for capabilities. It is a bit of a weak argument because Fedora depends on any number of kernel options. Drepper is characteristically blunt: "That's nonsense since there are many other options we rely on and which can be compiled out."

Other distributions may handle things differently, though, so we may see Linux-capability-based systems elsewhere. For now, administrators can turn off setuid and instead set capabilities on programs in Fedora 10, "unfortunately you have to do it every time the program is updated again", Drepper notes. Capabilities were originally added to Linux in the 2.1 kernel series, around ten years ago, so it is nice to see them finally getting to the point of usability for regular users and administrators. It will be interesting to see where things go from here.


Brief items

25C3: MD5 collisions crack CA certificate (heise online)

Researchers presenting at the 25th Chaos Communication Congress (25C3) have used MD5 collisions to generate bogus, but trusted, SSL certificates as reported by heise online. This would allow nefarious web sites to generate a certificate purporting to be from any other site—greatly increasing the reach of phishing and other scams. "Using a weakness in the MD5 cryptographic hash function, which allows different messages to generate the same MD5 hash – known as an MD5 'collision', the international team of Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik and Benne de Weger, have used one attack scenario to create a certificate which will be trusted by all browsers because it appears to be signed by one of the root CAs that browsers trust by default. The certificate can also be used to sign other certificates, which could allow attackers to carry out 'practically undetectable phishing attacks'."


New vulnerabilities

OpenSSL: certificate verification flaw

Package(s): OpenSSL
CVE #(s): CVE-2008-5077
Created: January 7, 2009
Updated: July 27, 2011
Description: From the Red Hat advisory: the Google security team discovered a flaw in the way OpenSSL checked the verification of certificates. An attacker in control of a malicious server, or able to effect a "man in the middle" attack, could present a malformed SSL/TLS signature from a certificate chain to a vulnerable client and bypass validation.
Alerts:
SUSE SUSE-SU-2011:0847-1 compat-openssl097g 2011-07-27
openSUSE openSUSE-SU-2011:0845-1 compat-openssl097g 2011-07-27
Gentoo 200904-05 ntp 2009-04-05
Mandriva MDVSA-2009:271 libnasl 2009-10-12
Mandriva MDVSA-2009:037 bind 2009-02-16
Gentoo 200902-02 openssl 2009-02-12
Slackware SSA:2009-014-01 openssl 2009-01-15
Fedora FEDORA-2009-0419 tqsllib 2009-01-14
Fedora FEDORA-2009-0543 tqsllib 2009-01-14
SuSE SUSE-SA:2009:006 openssl 2009-01-23
rPath rPSA-2009-0008-1 openssl 2009-01-20
Slackware SSA:2009-014-03 ntp 2009-01-15
CentOS CESA-2009:0004 OpenSSL 2009-01-07
Debian DSA-1701-1 openssl 2009-01-12
Fedora FEDORA-2009-0331 openssl 2009-01-08
Red Hat RHSA-2009:0004-01 OpenSSL 2009-01-07
Fedora FEDORA-2009-0544 ntp 2009-01-14
Fedora FEDORA-2009-0547 ntp 2009-01-14
Slackware SSA:2009-014-02 bind 2009-01-15
Fedora FEDORA-2009-0325 openssl 2009-01-08
Ubuntu USN-704-1 openssl 2009-01-07


p7zip: unknown vulnerability

Package(s): p7zip
CVE #(s): (none assigned)
Created: January 7, 2009
Updated: January 7, 2009
Description: The p7zip file archiver suffers from "archives formats issues." Such information as is available can be found in this bugzilla entry.
Alerts:
Fedora FEDORA-2008-11868 p7zip 2008-12-30
Fedora FEDORA-2008-11891 p7zip 2008-12-30
Fedora FEDORA-2008-11843 p7zip 2008-12-30


php-xajax: cross-site scripting

Package(s): php-xajax
CVE #(s): CVE-2007-2739
Created: December 29, 2008
Updated: January 7, 2009
Description:

From the Debian advisory:

It was discovered that php-xajax, a library to develop Ajax applications, did not sufficiently sanitise URLs, which allows attackers to perform cross-site scripting attacks by using malicious URLs.

Alerts:
Debian DSA-1692-1 php-xajax 2008-12-27


samba: privilege escalation

Package(s): samba
CVE #(s): CVE-2009-0022
Created: January 6, 2009
Updated: October 5, 2009
Description: From the Ubuntu advisory: Gunter Höckel discovered that Samba with registry shares enabled did not properly validate share names. An authenticated user could gain access to the root filesystem by using an older version of smbclient and specifying an empty string as a share name. This is only an issue if registry shares are enabled on the server by setting "registry shares = yes", "include = registry", or "config backend = registry", which is not the default.
Alerts:
Fedora FEDORA-2009-10172 samba 2009-10-03
Mandriva MDVSA-2009:042 samba 2009-02-18
Fedora FEDORA-2009-0160 samba 2009-01-07
SuSE SUSE-SR:2009:001 ethereal/wireshark, mysql, imap, rsyslog, courier-authlib, nfs-utils, libxml2, python, jhead, git, samba, vinagre, opera 2009-01-12
Fedora FEDORA-2009-0268 samba 2009-01-07
Slackware SSA:2009-005-01 samba 2009-01-06
Ubuntu USN-702-1 samba 2009-01-05


xen: DOS and symlink vulnerabilities

Package(s): xen
CVE #(s): CVE-2008-4405, CVE-2008-4993
Created: January 7, 2009
Updated: September 15, 2009
Description: The Xen package, as shipped by Red Hat (at least), contains a pair of vulnerabilities. Unprivileged DomU domains are able to overwrite "xenstore values," enabling the killing of arbitrary processes. And the qemu-dm.debug script has a symbolic link vulnerability exploitable by a local attacker.
Alerts:
SuSE SUSE-SR:2009:015 OpenOffice_org, OpenOffice_org-math, dnsmasq, gnutls, ia32el, ib-bonding-kmp-rt/kernel-rt, libxml, opera, perl-IO-Socket-SSL, xen 2009-09-15
Mandriva MDVSA-2009:016 xen 2009-01-16
CentOS CESA-2009:0003 xen 2009-01-08
Red Hat RHSA-2009:0003-01 xen 2009-01-07


xterm: arbitrary code execution

Package(s): xterm
CVE #(s): CVE-2008-2383, CVE-2008-7236
Created: January 5, 2009
Updated: March 11, 2009
Description:

From the Debian advisory:

Paul Szabo discovered that xterm, a terminal emulator for the X Window System, places arbitrary characters into the input buffer when displaying certain crafted escape sequences.

Alerts:
Slackware SSA:2009-069-03 xterm 2009-03-11
Gentoo 200902-04 xterm 2009-02-12
Debian DSA-1694-1 xterm 2009-01-02
Fedora FEDORA-2009-0059 xterm 2009-01-07
Fedora FEDORA-2009-0154 xterm 2009-01-07
Fedora FEDORA-2009-0091 xterm 2009-01-07
CentOS CESA-2009:0018 xterm 2009-01-07
Mandriva MDVSA-2009:005 xterm 2009-01-11
Red Hat RHSA-2009:0019-01 hanterm-xf 2009-01-07
Red Hat RHSA-2009:0018-01 xterm 2009-01-07
SuSE SUSE-SR:2009:003 boinc-client, xrdp, phpMyAdmin, libnasl, moodle, net-snmp, audiofile, xterm, amarok, libpng, sudo, avahi 2009-02-02
SuSE SUSE-SR:2009:002 imlib2, valgrind, kvm, cups, lynx, xterm 2009-01-19
Ubuntu USN-703-1 xterm 2009-01-06
Debian DSA-1694-2 xterm 2009-01-06


Page editor: Jake Edge
Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds