Security
Where are the non-root X servers?
One of the heralded features that was supposed to come with moving the graphics modesetting code into the kernel (i.e. kernel modesetting or KMS) was that it would—finally—allow systems to rid themselves of an enormous body of code running as root: the X server. KMS has made its way into distributions now, but for the most part there has been no switch to running the X server as a non-privileged user. Progress is being made, but there is another missing piece, at least for multi-user systems: some way for processes to enforce exclusive access to files they want to open.
One need only look at the recent kernel hole that was exposed by root-privileged X servers for a good reason to want an unprivileged X. It is a complicated chunk of code that is exposed to all manner of attacks, both local and, potentially, from across the network. It has been the source of vulnerabilities in the past and almost certainly will be again in the future. Reducing its privileges and possibly running it as a separate user will make any attacks against it less potent or completely ineffective—the recent exploit would have been stopped cold for example.
Prior to KMS, the X server had to do all manner of poking at the hardware to get its job done, and that required root privileges. Once that code moved into the kernel, the X server just needed to be able to access the devices provided. The graphics device driver enforces exclusive access so that other processes on the same machine cannot intercept—or interfere with—graphics commands, but there is another set of devices, /dev/input/*, that is more problematic.
In current systems, where X runs as root, it owns the files in /dev/input and the permissions only allow root to access them. If X were to run as either the logged-in user or some other separate user, overly restrictive permissions could not be used. For multi-user systems, regular users could end up with a "dangling" reference—in the form of an open file descriptor—to an input device. Once another user started X, that reference could be used for keystroke logging.
One possible solution would be to add a revoke() system call to Linux. That call would disconnect all processes from a file and allow the caller to have exclusive access. Unfortunately, no one has found an acceptable way to add revoke() capabilities to the kernel. There have been several attempts over the years (we most recently looked at one in 2007), but it is a hard problem to solve, mostly due to things like mmap()-ed files and the private copy-on-write mappings that are generated by fork().
With a working revoke(), the X server could just ensure that it is the only process that has access to the input stream. An alternative would be to have the X server run as a system user that lives in a specific group with access to the input devices, but that has flaws of its own. An exploit against the server would potentially give an attacker a means to access all users that are logged into X sessions, so a malicious local user or some remote exploit of a vulnerable X program might be able to affect all users of the system.
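As an added illustration (not part of the article), a small audit that a defender on a multi-user box can run to see which processes hold open descriptors to /dev/input devices and whether any belong to a user other than the one expected to own the input stream. The function names and the sample /proc tree built in demo() are constructed for this example; the real check is find_input_fd_holders("/proc") run as root.

```python
import os
import tempfile
from pathlib import Path

def _proc_uid(status_path):
    """Real uid of a process, parsed from its /proc/<pid>/status file."""
    for line in Path(status_path).read_text().splitlines():
        if line.startswith("Uid:"):
            return int(line.split()[1])
    return None

def find_input_fd_holders(proc_root="/proc", device_dir="/dev/input"):
    """List (pid, uid, device) for every open fd that refers to a file under device_dir."""
    holders = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            fds = list((entry / "fd").iterdir())
            uid = _proc_uid(entry / "status")
        except (PermissionError, FileNotFoundError):
            continue  # process exited, or we are not allowed to inspect it
        for fd in fds:
            try:
                target = os.readlink(fd)
            except OSError:
                continue
            if target.startswith(device_dir.rstrip("/") + "/"):
                holders.append((int(entry.name), uid, target))
    return sorted(holders)

def dangling_holders(holders, allowed_uids):
    """Holders whose uid is not one of the users expected to own the input stream."""
    return [h for h in holders if h[1] not in allowed_uids]

def demo():
    """Constructed /proc tree: root X server (pid 100), uid 1001 still holding event0 (pid 200)."""
    sample = [(100, 0, ["/dev/input/event0", "/dev/input/mouse0"]),
              (200, 1001, ["/dev/input/event0", "/dev/null"]),
              (300, 1002, ["/tmp/unrelated"])]
    with tempfile.TemporaryDirectory() as root:
        for pid, uid, targets in sample:
            d = Path(root) / str(pid) / "fd"
            d.mkdir(parents=True)
            (d.parent / "status").write_text(f"Name:\tdemo\nUid:\t{uid}\t{uid}\t{uid}\t{uid}\n")
            for n, target in enumerate(targets):
                os.symlink(target, d / str(n))  # dangling symlink target is fine here
        holders = find_input_fd_holders(root)
        return holders, dangling_holders(holders, allowed_uids={0})
```

On the constructed tree, demo() reports pid 200 (uid 1001) as a leftover holder of /dev/input/event0, which is exactly the descriptor a revoke() call would be expected to sever.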
Keystroke logging can obviously lead to root compromise if someone types in the root password, but there are other things that users type that they don't want exposed, of course. Passwords for other systems (e.g. ssh, web applications) and all kinds of sensitive information (e.g. financial data for Gnucash or Kmoney) are input into X sessions. While it would be nice to get away from running X as root, the benefit needs to outweigh the cost—easy keystroke logging does not pass that bar.
The Moblin mobile distribution pioneered "non-root-X" and its descendant MeeGo has continued down that path, but neither of those distributions allows for multiple users. If there are no other users that could get access to the input devices, it is fairly straightforward to run the X server as the logged-in user, which is what Moblin/MeeGo do.
Ubuntu has been looking at the problem as well. There is a blueprint for the feature that is targeted for Ubuntu 10.10, but with a "Low" priority, and it has not made an appearance in the recently released Beta. Unlike MeeGo, Ubuntu and other distributions will need to deal with the multi-user use case, which seems to be the sticking point.
Fedora also recently discussed a non-root X server, after Mike McGrath asked about it on fedora-devel. That led to Matthew Garrett's security quote-of-the-week pointing out the problem with input devices and no revoke(). While some thought that was a good argument for PackageKit's ability to perform root-privileged actions without a password being typed in, Gregory Maxwell was quick to point out the flaw in that thinking:
So, at least for multi-user systems, we are still a ways out from seeing X servers running as a non-root user. The hardware access issues have been resolved—for those graphics cards that have KMS drivers—but there are still underlying plumbing issues that haven't been. For older hardware without KMS drivers, or those with proprietary-only drivers, X is always going to have to run as root.
It would be nice to limit the damage an exploit can do to only the user that got exploited, rather than the entire system or all logged-in X users. But that will require revoke(), which doesn't seem to be in the pipeline. Conceptually, revoke() is a completely reasonable addition to the kernel, and it really isn't clear why we don't have it yet. It is certainly something that the security community could be working on to remove it as a barrier to a more secure X server.
Starting out by running X as a system user with various udev permission-switching rules and some kind of arbiter like ConsoleKit as Ubuntu is attempting might be the right approach. It definitely seems like Ubuntu has made the most visible progress toward the goal. Other distributions may be taking a wait-and-see approach in the interim.
Brief items
Security quotes of the week
MWR Labs: Assessing the Tux Strength
The MWR Labs group at MWR Info Security is running a series of articles comparing Linux distributions from a security point of view. Part 1: user space memory protection looks at protection against memory corruption attacks, while Part 2 - into the kernel examines kernel security settings. "The notable exceptions in the results are Fedora and Ubuntu. Both distributions do not allow the ability to write code to a certain memory region and then execute it. This can be observed from the results of the first five tests. Fedora goes one step further and also prevents the bss, data and heap sections from being marked as executable using the 'mprotect' system call. It should be noted that there would still be numerous other memory regions where an attacker could upload their code and then use the 'mprotect' function to mark it as executable."
New vulnerabilities
barnowl: denial of service
| Package(s): | barnowl | CVE #(s): | CVE-2010-2725 |
| Created: | September 3, 2010 | Updated: | September 8, 2010 |
| Description: | From the Debian advisory: It has been discovered that in barnowl, a curses-based instant-messaging client, the return codes of calls to the ZPending and ZReceiveNotice functions in libzephyr were not checked, allowing attackers to cause a denial of service (crash of the application), and possibly execute arbitrary code. |
| Alerts: | |
freetype: denial of service
| Package(s): | freetype | CVE #(s): | CVE-2010-3053 |
| Created: | September 8, 2010 | Updated: | January 20, 2011 |
| Description: | The freetype library can be forced to crash via a maliciously-crafted BDF font file. |
| Alerts: | |
kernel: privilege escalation
| Package(s): | kernel | CVE #(s): | CVE-2010-3110 |
| Created: | September 8, 2010 | Updated: | September 8, 2010 |
| Description: | The ioctl() implementation for Novell's "novfs" /proc interface is missing several bounds checks, enabling unprivileged local users to crash the kernel or possibly execute arbitrary code in kernel mode. |
| Alerts: | |
Mozilla products: multiple vulnerabilities
| Package(s): | firefox seamonkey thunderbird xulrunner | CVE #(s): | CVE-2010-2760 CVE-2010-2762 CVE-2010-2764 CVE-2010-2765 CVE-2010-2766 CVE-2010-2767 CVE-2010-2768 CVE-2010-2769 CVE-2010-3166 CVE-2010-3167 CVE-2010-3168 CVE-2010-3169 CVE-2010-2763 |
| Created: | September 8, 2010 | Updated: | June 27, 2011 |
| Description: | Firefox 3.6.9, Firefox 3.5.12, and SeaMonkey 2.0.7 have been released; they fix another long list of security issues. |
| Alerts: | |
mysql: multiple vulnerabilities
| Package(s): | mysql-server | CVE #(s): | |
| Created: | September 6, 2010 | Updated: | September 8, 2010 |
| Description: | From the Pardus advisory: 1) An error within the handling of DDL statements after having changed the "innodb_file_per_table" or "innodb_file_format" configuration parameters can be exploited to crash the server. 2) An error when handling joins involving a unique "SET" column can be exploited to crash the server. 3) An error when handling NULL arguments passed to "IN()" or "CASE" operations can be exploited to crash the server. 4) An error when processing certain malformed arguments passed to the "BINLOG" statement can be exploited to crash the server. 5) An error when processing "TEMPORARY" InnoDB tables featuring nullable columns can be exploited to crash the server. 6) An error when performing alternating reads from two indexes on tables using the "HANDLER" interface can be exploited to crash the server. 7) An error when handling "EXPLAIN" statements on certain queries can be exploited to crash the server. 8) An error when handling "LOAD DATA INFILE" statements can lead to the return of an "OK" packet although errors have been encountered. |
| Alerts: | |
quagga: denial of service
| Package(s): | quagga | CVE #(s): | CVE-2010-2948 CVE-2010-2949 |
| Created: | September 7, 2010 | Updated: | December 8, 2010 |
| Description: | From the Debian advisory: When processing a crafted Route Refresh message received from a configured, authenticated BGP neighbor, Quagga may crash, leading to a denial of service. (CVE-2010-2948) When processing certain crafted AS paths, Quagga would crash with a NULL pointer dereference, leading to a denial of service. In some configurations, such crafted AS paths could be relayed by intermediate BGP routers. (CVE-2010-2949) |
| Alerts: | |
sblim-sfcb: arbitrary code execution
| Package(s): | sblim-sfcb | CVE #(s): | CVE-2010-1937 CVE-2010-2054 |
| Created: | September 6, 2010 | Updated: | September 9, 2010 |
| Description: | From the Red Hat bugzilla: Heap-based buffer overflow in httpAdapter.c in httpAdapter in SBLIM SFCB before 1.3.8 might allow remote attackers to execute arbitrary code via a Content-Length HTTP header that specifies a value too small for the amount of POST data, aka bug #3001896. (CVE-2010-1937) Integer overflow in httpAdapter.c in httpAdapter in SBLIM SFCB 1.3.4 through 1.3.7, when the configuration sets httpMaxContentLength to a zero value, allows remote attackers to cause a denial of service (heap memory corruption) or possibly execute arbitrary code via a large integer in the Content-Length HTTP header, aka bug #3001915. NOTE: some of these details are obtained from third party information. (CVE-2010-2054) |
| Alerts: | |
smbind: sql injection
| Package(s): | smbind | CVE #(s): | |
| Created: | September 6, 2010 | Updated: | September 8, 2010 |
| Description: | From the Debian advisory: It was discovered that smbind, a PHP-based tool for managing DNS zones for BIND, does not properly validate input. An unauthenticated remote attacker could execute arbitrary SQL commands or gain access to the admin account. |
| Alerts: | |
sssd: authentication bypass
| Package(s): | sssd | CVE #(s): | CVE-2010-2940 |
| Created: | September 3, 2010 | Updated: | January 24, 2011 |
| Description: | From the CVE entry: The auth_send function in providers/ldap/ldap_auth.c in System Security Services Daemon (SSSD) 1.3.0, when LDAP authentication and anonymous bind are enabled, allows remote attackers to bypass the authentication requirements of pam_authenticate via an empty password. |
| Alerts: | |
sudo: privilege escalation
| Package(s): | sudo | CVE #(s): | CVE-2010-2956 |
| Created: | September 7, 2010 | Updated: | October 27, 2010 |
| Description: | From the Gentoo advisory: Markus Wuethrich of Swiss Post reported that sudo fails to restrict access when using Runas groups and the group (-g) command line option. |
| Alerts: | |
wireshark: denial of service
| Package(s): | wireshark | CVE #(s): | CVE-2010-2992 CVE-2010-2993 |
| Created: | September 3, 2010 | Updated: | April 19, 2011 |
| Description: | From the CVE entries: packet-gsm_a_rr.c in the GSM A RR dissector in Wireshark 1.2.2 through 1.2.9 allows remote attackers to cause a denial of service (crash) via unknown vectors that trigger a NULL pointer dereference. (CVE-2010-2992) The IPMI dissector in Wireshark 1.2.0 through 1.2.9 allows remote attackers to cause a denial of service (infinite loop) via unknown vectors. (CVE-2010-2993) |
| Alerts: | |
Page editor: Jake Edge
