
Security

Exploring options for the openSUSE security policy

By Jake Edge
May 23, 2012

Partly in response to Linus Torvalds's (in)famous Google+ rant about desktop security—openSUSE in particular—Andreas Jaeger and others have started gathering use cases for the administration of Linux systems. The target is to try to find a balance between security and convenience for openSUSE users. Part of the difficulty is that Linux distributions are installed on a variety of systems with very different security needs, which makes it difficult to choose any particular default security scheme.

A single-user desktop or laptop has very different security needs from those of a shared desktop or server. Torvalds's complaint was specifically about the root password being needed to add a printer to his daughter's laptop, but he was also unhappy with needing privileges to change the time zone and wireless network. For a system where the only user is also the administrator—at least a semi-privileged administrator—it makes sense to allow those kinds of changes without the root password. But on other systems, like shared machines or servers, it almost certainly doesn't make sense for random users to have those powers.

That's where the balancing act comes in. If a distribution is meant to be installed for several different scenarios, there is no One True Way to set the privileges of users. Even for single-user systems there are differences. Torvalds undoubtedly administers his own laptop differently than he wants his daughter's handled. For the former, he may want to allow package installation using his own password, the root password, or possibly no password at all (though one would guess that's not likely). But, for his daughter's system he wants to hold the root password himself, while allowing a limited number of privileged operations to be done by her. While Torvalds is a high-profile user, his complaints are likely similar to those of others.

In order to help determine what the right security configuration is for openSUSE, Jaeger, Marcus Meissner, and Ludwig Nussel put together a list of use cases that describe tasks that users want to do along with a short security evaluation of each. Things like setting the system time, accessing the network, changing firewall settings, adding printers, package installation, and so on, are listed. Jaeger also posted a "call for action" to the opensuse-factory mailing list, asking for feedback and new use case suggestions.

Much of the resulting conversation centered around the "roles and profiles" that were also described on the web page. There is a tension between convenience on single-user machines and the higher security needs of machines in more complicated situations. But, even among those who would like to see less privilege required for some operations on single-user machines, there are differences of opinion on which operations—and what privilege to require. For example, Marguerite Su wants to be able to install software without the root password on a laptop, but others including Bryen M Yunashko are not so sure that's what they want.

There are also different classes of package installation to consider. Installing an update to a package from a "known good" repository is very different from installing a new package, downgrading a package to an earlier version, or adding a repository. The credentials required for each might be different depending on the scenario.

That part of the thread highlights part of the difficulty in finding the right default settings. The distribution will need to have some way to specify which of the profiles (e.g. single-user, administered single-user, multi-user, server, etc.) should govern, say at installation time, but will also need some way for the overall profile to change, while also allowing individual users to tweak the settings based on their needs. It is a more complex problem than it might seem at first.

Suggestions in the thread range from Carlos E. R.'s installation-time dialogs to determine the right profile to Su's idea of PolKit packages for different profiles and use cases to Hans Witvliet's more granular approach with multiple types of administrative roles that could be assigned to a user. Any or all of those could make up some part of a solution, but in a response to Witvliet, Jaeger focused on the question of defaults:

You could add all those roles but I fear it makes administration more difficult. How can we set up most use cases in an easy way? We still might need a config file to change the defaults for the last 10% of esoteric options, but what is the normal way?

Finding workable defaults that will cover the majority of cases is clearly needed. Finding a set that will avoid rants like Torvalds's, while still giving a reasonable level of security to openSUSE users, is paramount. But there also needs to be a way for those with different needs to adjust the policies appropriately. Pulling all of that together in a way that is easy to understand, use, and tweak, will be an even harder problem. But it's a problem that needs solving and not just for openSUSE; there are opportunities for cross-distribution collaboration here as well.

Comments (19 posted)

Brief items

Security quotes of the week

No matter what anyone tells you, you never need to apologize or feel guilty for using "setenforce 0"
-- David Miller

As any computer user already knows, passwords are a usability disaster: you are basically told to "pick something you can’t remember, then don’t write it down", which is worse than impossible if you must also use a different password for every account. Moreover, security-wise, passwords can be shoulder-surfed, keylogged, eavesdropped, brute-forced and phished. Notable industry insiders have long predicted their demise. Over the past couple of decades, dozens of alternative schemes have been proposed. Yet here we are in 2012, still using more and more password-protected accounts every year. Why? Can’t we do any better? Don’t the suggested replacements offer any improvements?
-- Frank Stajano researches password replacement schemes

After applying a patch to the LUFA USB keyboard demo, I had my handy USB-AVR-as-Keyboard stick ready to crash Xorg:
[...]
-       .UnicodeString          = L"LUFA Keyboard Demo"
+       .UnicodeString          = L"Keyboard (%n%n%n%n)"
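Review bot: the replacement `.UnicodeString` carries four `%n` conversions, and a device-supplied descriptor string can only crash the host if the host hands it to a printf-family function as the format rather than as an argument; on the Xorg side the correction is to log such names through a fixed format (`"%s"`, name) and to build with `-Wformat -Wformat-security`, so a non-literal format string is flagged at compile time instead of being found by a crash.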
In fact, it was so [successful] that after I got the code right and programmed it, Xorg immediately crashed on my development machine. :)
-- Kees Cook

Just block the whole site, Mike.
Go censor the file, Kyle.
Now spy on the mail, Dale.
And you're on your way

Do a bandwidth cap, Jack.
Takedowns in mass, Ash.
Steal the crypto key, Lee.
And watch the geeks flee.

-- Lauren Weinstein (with apologies to Paul Simon)

Comments (1 posted)

Security vulnerability in sudo's netmask function patched (The H)

The H reports on a vulnerability in sudo when it is configured for IP-based restrictions on users (typically only for centrally managed sudoers files). "When the developers added IPv6 support, they inadvertently made the matching routine used for IPv4 networks call the IPv6 matching routines when no IPv4 match was found. Because the IPv6 fields would be uninitialised, it was possible for the system to think it had found a match where there wasn't one. Finding a match would, in turn, mean permission would be granted for whatever command the rule was controlling, even when the system was on a different network."

Comments (none posted)

The problem with nerd politics (The Guardian)

Over at the Guardian, Cory Doctorow writes about two problems that govern the relationship between politics and technically oriented folks ("nerds" in Doctorow-speak): "nerd determinism" and "nerd fatalism". "But, while it's true that geeks can get around this sort of thing – and other bad network policies, such as network-level censorship, or vendor locks on our tablets, phones, consoles, and computers – this isn't enough to protect us, let alone the world. It doesn't matter how good your email provider is, or how secure your messages are, if 95% of the people you correspond with use a free webmail service with a lawful interception backdoor, and if none of those people can figure out how to use crypto, then nearly all your email will be within reach of spooks and control-freaks and cops on fishing expeditions."

Comments (19 posted)

A Tale of Two Pwnies (Part 1)

For those interested in complex exploits: the Chromium Blog describes how a sequence of six independent bugs was exploited to execute code within the Chromium browser. "Even though Chrome’s renderers execute inside a stricter sandbox than the GPU process, there is a special class of renderers that have IPC interfaces with elevated permissions. These renderers are not supposed to be navigable by web content, and are used for things like extensions and settings pages. However, Pinkie found another bug (117417) that allowed an unprivileged renderer to trigger a navigation to one of these privileged renderers, and used it to launch the extension manager. So, all he had to do was jump on the extension manager’s IPC channel before it had a chance to connect."

Comments (44 posted)

New vulnerabilities

android-tools: udev rules set insecure permissions

Package(s): android-tools  CVE #(s):
Created: May 21, 2012  Updated: December 4, 2012
Description: From the Red Hat bugzilla:

udev rules file packaged with android-tools consists of rules like this:

SUBSYSTEM=="usb", ATTR{idVendor}=="0502", MODE="0666"

IOW for *any* device with the given vendor ID, its associated device nodes will be world-writable.

Despite following the upstream guidelines at http://developer.android.com/guide/developing/device.html, this is obviously insecure and contradicts the common practice of using an ACL to grant access to the current console user via TAG+="uaccess".
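As an added illustration (not from the bug report or the android-tools package), the Python script below tokenizes udev rules, flags any rule that sets a world-writable MODE without the uaccess tag, and rebuilds it in the console-user ACL form. The rules file it scans is constructed here; apart from 0502, the vendor IDs are arbitrary.

```python
import re
from dataclasses import dataclass

# Constructed sample rules file, not the android-tools package's own. Line 2
# mirrors the pattern quoted in the bug report; the other rules are for contrast.
SAMPLE_RULES = """\
# Acer
SUBSYSTEM=="usb", ATTR{idVendor}=="0502", MODE="0666"
# Hypothetical vendor that already grants access through the console-user ACL
SUBSYSTEM=="usb", ATTR{idVendor}=="18d1", TAG+="uaccess"
SUBSYSTEM=="usb", ATTR{idVendor}=="0bb4", MODE="0660", GROUP="plugdev"
"""

# One udev token: KEY or KEY{attr}, an operator, and a double-quoted value.
TOKEN_RE = re.compile(r'([A-Za-z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"')


@dataclass
class Finding:
    lineno: int
    mode: str
    original: str
    suggested: str


def parse_rule(line: str):
    """Tokenize one rule into (key, operator, value) triples; None for comments and blank lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    return TOKEN_RE.findall(stripped)


def world_writable(mode: str) -> bool:
    """True when an octal MODE grants write permission to 'other' (0666, 0777, ...)."""
    return bool(int(mode, 8) & 0o002)


def harden_rule(tokens) -> str:
    """Rebuild the rule without its MODE assignment and with TAG+="uaccess", so the
    device node gets an ACL for the active console user instead of a world-writable mode."""
    kept = [f'{key}{op}"{value}"' for key, op, value in tokens if key != "MODE"]
    kept.append('TAG+="uaccess"')
    return ", ".join(kept)


def audit_udev_rules(text: str):
    """Flag every rule that makes a device node world-writable without the uaccess tag."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = parse_rule(line)
        if not tokens:
            continue
        modes = [v for k, op, v in tokens if k == "MODE" and op in ("=", ":=")]
        has_uaccess = any(k == "TAG" and op == "+=" and v == "uaccess" for k, op, v in tokens)
        if modes and world_writable(modes[-1]) and not has_uaccess:
            findings.append(Finding(lineno, modes[-1], line.strip(), harden_rule(tokens)))
    return findings


if __name__ == "__main__":
    for f in audit_udev_rules(SAMPLE_RULES):
        print(f"line {f.lineno}: MODE={f.mode} is world-writable")
        print(f"  was: {f.original}")
        print(f"  use: {f.suggested}")
```

One caveat when applying the suggested form: the uaccess tag is turned into an ACL by a later systemd/udev rule (73-seat-late.rules on systemd-based systems), so the rules file carrying TAG+="uaccess" must have a name that sorts before it.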

Alerts:
Fedora FEDORA-2012-18782 android-tools 2012-12-04
Fedora FEDORA-2012-18748 android-tools 2012-12-04
Fedora FEDORA-2012-7677 android-tools 2012-05-19

Comments (none posted)

backuppc: cross-site scripting

Package(s): backuppc  CVE #(s): CVE-2011-5081
Created: May 18, 2012  Updated: January 7, 2013
Description:

From the Ubuntu advisory:

It was discovered that BackupPC did not properly sanitize its input when processing RestoreFile error messages, resulting in a cross-site scripting (XSS) vulnerability. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain.

Alerts:
Mandriva MDVSA-2013:062 backuppc 2013-04-08
Fedora FEDORA-2012-20968 BackupPC 2013-01-05
Mageia MGASA-2012-0165 backuppc 2012-07-14
Mageia MGASA-2012-0139 backuppc 2012-07-09
Ubuntu USN-1444-1 backuppc 2012-05-17

Comments (none posted)

chromium: multiple vulnerabilities

Package(s): chromium  CVE #(s): CVE-2011-3083 CVE-2011-3084 CVE-2011-3085 CVE-2011-3086 CVE-2011-3087 CVE-2011-3088 CVE-2011-3089 CVE-2011-3090 CVE-2011-3091 CVE-2011-3092 CVE-2011-3093 CVE-2011-3094 CVE-2011-3095 CVE-2011-3096 CVE-2011-3100 CVE-2011-3101
Created: May 21, 2012  Updated: November 7, 2012
Description: From the CVE entries:

browser/profiles/profile_impl_io_data.cc in Google Chrome before 19.0.1084.46 does not properly handle a malformed ftp URL in the SRC attribute of a VIDEO element, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted web page. (CVE-2011-3083)

Google Chrome before 19.0.1084.46 does not use a dedicated process for the loading of links found on an internal page, which might allow attackers to bypass intended sandbox restrictions via a crafted page. (CVE-2011-3084)

The Autofill feature in Google Chrome before 19.0.1084.46 does not properly restrict field values, which allows remote attackers to cause a denial of service (UI corruption) and possibly conduct spoofing attacks via vectors involving long values. (CVE-2011-3085)

Use-after-free vulnerability in Google Chrome before 19.0.1084.46 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving a STYLE element. (CVE-2011-3086)

Google Chrome before 19.0.1084.46 does not properly perform window navigation, which has unspecified impact and remote attack vectors. (CVE-2011-3087)

Google Chrome before 19.0.1084.46 does not properly draw hairlines, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. (CVE-2011-3088)

Use-after-free vulnerability in Google Chrome before 19.0.1084.46 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving tables. (CVE-2011-3089)

Race condition in Google Chrome before 19.0.1084.46 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to worker processes. (CVE-2011-3090)

Use-after-free vulnerability in the IndexedDB implementation in Google Chrome before 19.0.1084.46 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. (CVE-2011-3091)

The regex implementation in Google V8, as used in Google Chrome before 19.0.1084.46, allows remote attackers to cause a denial of service (invalid write operation) or possibly have unspecified other impact via unknown vectors. (CVE-2011-3092)

Google Chrome before 19.0.1084.46 does not properly handle glyphs, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. (CVE-2011-3093)

Google Chrome before 19.0.1084.46 does not properly handle Tibetan text, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. (CVE-2011-3094)

The OGG container in Google Chrome before 19.0.1084.46 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that trigger an out-of-bounds write. (CVE-2011-3095)

Use-after-free vulnerability in Google Chrome before 19.0.1084.46 on Linux allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging an error in the GTK implementation of the omnibox. (CVE-2011-3096)

Google Chrome before 19.0.1084.46 does not properly draw dash paths, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. (CVE-2011-3100)

Google Chrome before 19.0.1084.46 on Linux does not properly mitigate an unspecified flaw in an NVIDIA driver, which has unknown impact and attack vectors. (CVE-2011-3101)

Alerts:
openSUSE openSUSE-SU-2014:1100-1 Firefox 2014-09-09
Mageia MGASA-2012-0324 webkit 2012-11-06
Ubuntu USN-1617-1 webkit 2012-10-25
openSUSE openSUSE-SU-2012:0993-1 chromium 2012-08-15
Gentoo 201205-03 chromium 2012-05-21
openSUSE openSUSE-SU-2012:0656-1 chromium, v8 2012-05-29

Comments (none posted)

feedparser: denial of service

Package(s): feedparser  CVE #(s): CVE-2012-2921
Created: May 23, 2012  Updated: April 10, 2013
Description: From the CVE entry:

Universal Feed Parser (aka feedparser or python-feedparser) before 5.1.2 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML ENTITY declaration in a non-ASCII encoded document.
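As an added example (not feedparser's own code), the following Python uses the standard library's expat binding to pull the titles out of a feed and to abort the moment the DTD declares an entity. A feed fetched from an untrusted source has no legitimate need for ENTITY declarations, and refusing them up front removes the memory-consumption path entirely rather than trying to bound it. Both documents are constructed here; the hostile one is UTF-16 encoded to match the non-ASCII case in the CVE text.

```python
from xml.parsers import expat

# Constructed sample documents (not real feeds).
SAFE_FEED = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<rss><channel><title>Constructed feed</title>'
    b'<item><title>Hello</title></item></channel></rss>'
)
HOSTILE_FEED = (
    '<?xml version="1.0" encoding="UTF-16"?>'
    '<!DOCTYPE rss [<!ENTITY a "aaaaaaaaaa">'
    '<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]>'
    '<rss><channel><title>&b;</title></channel></rss>'
).encode("utf-16")


class EntityDeclarationError(ValueError):
    """Raised when the document's DTD declares an entity."""


def parse_feed_titles(data: bytes):
    """Return the text of every <title> element, refusing any entity declaration.

    The EntityDeclHandler fires before the entity is ever expanded, so nested
    declarations never get the chance to blow up memory."""
    parser = expat.ParserCreate()
    titles, current = [], []
    in_title = False

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise EntityDeclarationError(f"entity declaration {name!r} rejected")

    def start(tag, attrs):
        nonlocal in_title
        if tag == "title":
            in_title = True
            current.clear()

    def end(tag):
        nonlocal in_title
        if tag == "title":
            # expat may deliver character data in several chunks; join them.
            titles.append("".join(current))
            in_title = False

    def chars(text):
        if in_title:
            current.append(text)

    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return titles


def rejects_entities(data: bytes) -> bool:
    """True when the document is refused because of an entity declaration."""
    try:
        parse_feed_titles(data)
    except EntityDeclarationError:
        return True
    return False


if __name__ == "__main__":
    print(parse_feed_titles(SAFE_FEED))
    print("hostile feed rejected:", rejects_entities(HOSTILE_FEED))
```

Raising from inside an expat handler stops the parser and propagates the exception out of Parse(), so the caller sees a clean error instead of a partially processed document.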

Alerts:
Mandriva MDVSA-2013:118 python-feedparser 2013-04-10
Mageia MGASA-2012-0157 python-feedparser 2012-07-10
Ubuntu USN-1449-1 feedparser 2012-05-22
Fedora FEDORA-2012-8291 python-feedparser 2012-06-01

Comments (none posted)

ikiwiki: cross-site scripting

Package(s): ikiwiki  CVE #(s): CVE-2012-0220
Created: May 17, 2012  Updated: May 29, 2012
Description:

From the Debian advisory:

Raúl Benencia discovered that ikiwiki, a wiki compiler, does not properly escape the author (and its URL) of certain metadata, such as comments. This might be used to conduct cross-site scripting attacks.

Alerts:
Fedora FEDORA-2012-8161 ikiwiki 2012-05-28
Fedora FEDORA-2012-8151 ikiwiki 2012-05-28
Fedora FEDORA-2012-7976 ikiwiki 2012-05-28
Debian DSA-2474-1 ikiwiki 2012-05-17

Comments (none posted)

libxml2: code execution

Package(s): libxml2  CVE #(s): CVE-2011-3102
Created: May 22, 2012  Updated: March 1, 2013
Description: From the Ubuntu advisory:

Juri Aedla discovered that libxml2 contained an off-by-one error in its XPointer functionality. If a user or application linked against libxml2 were tricked into opening a specially crafted XML file, an attacker could cause the application to crash or possibly execute arbitrary code with the privileges of the user invoking the program.

Alerts:
SUSE SUSE-SU-2013:1627-1 libxml2 2013-11-04
SUSE SUSE-SU-2013:1625-1 libxml2 2013-11-04
Oracle ELSA-2013-0581 libxml2 2013-03-01
Mandriva MDVSA-2013:056 libxml2 2013-04-08
Scientific Linux SL-ming-20130201 mingw32-libxml2 2013-02-01
Oracle ELSA-2013-0217 mingw32-libxml2 2013-02-01
CentOS CESA-2013:0217 mingw32-libxml2 2013-02-01
Red Hat RHSA-2013:0217-01 mingw32-libxml2 2013-01-31
Fedora FEDORA-2012-13824 libxml2 2012-09-27
Fedora FEDORA-2012-13820 libxml2 2012-09-26
CentOS CESA-2012:1288 libxml2 2012-09-20
Scientific Linux SL-libx-20120918 libxml2 2012-09-18
Oracle ELSA-2012-1288 libxml2 2012-09-18
CentOS CESA-2012:1288 libxml2 2012-09-18
Red Hat RHSA-2012:1288-01 libxml2 2012-09-18
Gentoo 201207-02 libxml2 2012-07-09
Mandriva MDVSA-2012:098 libxml2 2012-06-21
openSUSE openSUSE-SU-2012:0731-1 libxml2 2012-06-13
Debian DSA-2479-1 libxml2 2012-05-23
Ubuntu USN-1447-1 libxml2 2012-05-21
openSUSE openSUSE-SU-2012:0656-1 chromium, v8 2012-05-29

Comments (none posted)

openoffice.org: code execution

Package(s): openoffice.org  CVE #(s): CVE-2012-1149
Created: May 17, 2012  Updated: June 14, 2012
Description:

From the Debian advisory:

Tielei Wang discovered that OpenOffice.org does not allocate a large enough memory region when processing a specially crafted JPEG object, leading to a heap-based buffer overflow and potentially arbitrary code execution.

Alerts:
Gentoo 201408-19 openoffice-bin 2014-08-31
Gentoo 201209-05 libreoffice 2012-09-24
Mageia MGASA-2012-0253 libreoffice 2012-09-04
Ubuntu USN-1496-1 openoffice.org 2012-07-02
Ubuntu USN-1495-1 libreoffice, libreoffice-l10n 2012-07-02
Oracle ELSA-2012-0705 openoffice.org 2012-06-05
Red Hat RHSA-2012:0705-01 openoffice.org 2012-06-05
Mandriva MDVSA-2012:091 libreoffice 2012-06-15
Mandriva MDVSA-2012:090 openoffice.org 2012-06-14
Debian DSA-2487-1 openoffice.org 2012-06-07
Scientific Linux SL-open-20120605 openoffice.org 2012-06-05
CentOS CESA-2012:0705 openoffice.org 2012-06-05
Fedora FEDORA-2012-8114 libreoffice 2012-06-13
Mandriva MDVSA-2012:091 libreoffice 2012-06-14
Fedora FEDORA-2012-8042 libreoffice 2012-05-27
Debian DSA-2473-1 openoffice.org 2012-05-17

Comments (none posted)

perl-Config-IniFiles: insecure temporary files

Package(s): perl-Config-IniFiles  CVE #(s): CVE-2012-2451
Created: May 22, 2012  Updated: August 21, 2012
Description: From the Red Hat bugzilla:

perl-Config-IniFiles used a predictable temporary file name ($(unknown)-new) which makes it prone to a symlink attack. If a malicious user were to create a symlink pointing to another file writable by the user running an application that used perl-Config-IniFiles, they could overwrite the contents of that file.
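The safe pattern for rewriting a file in place is to never open a name an attacker can predict. As an added example (not the Perl module's code), the Python below creates the scratch file with mkstemp(), which uses a random name plus O_CREAT|O_EXCL in the target's own directory, and then swaps it in with a single rename(). The demo scenario is constructed: a symlink is planted in advance at the guessable "<config>-new" name and must be left untouched.

```python
import os
import tempfile


def safe_rewrite(path: str, data: bytes) -> None:
    """Replace the contents of `path` atomically without opening a guessable name.

    tempfile.mkstemp() creates the scratch file with O_CREAT|O_EXCL and mode 0600
    under a random name in the target's own directory, so a symlink planted at a
    predictable name such as "<path>-new" is never opened, and os.replace() swaps
    the finished file in with one rename() on the same filesystem."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(prefix=os.path.basename(path) + ".", dir=directory)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        try:
            # Keep the original file's permission bits if it already existed.
            os.chmod(tmp_path, os.stat(path).st_mode & 0o7777)
        except FileNotFoundError:
            pass
        os.replace(tmp_path, path)
    except BaseException:
        try:
            os.unlink(tmp_path)
        except FileNotFoundError:
            pass
        raise


def run_demo() -> dict:
    """Constructed scenario: a symlink already sits at the predictable
    '<config>-new' name and points at a file that must not be clobbered."""
    with tempfile.TemporaryDirectory() as tmpdir:
        config = os.path.join(tmpdir, "app.ini")
        victim = os.path.join(tmpdir, "victim.txt")
        with open(config, "wb") as f:
            f.write(b"[main]\nkey=old\n")
        with open(victim, "wb") as f:
            f.write(b"do not touch\n")
        os.symlink(victim, config + "-new")  # the planted link
        safe_rewrite(config, b"[main]\nkey=new\n")
        with open(config, "rb") as f:
            new_config = f.read()
        with open(victim, "rb") as f:
            victim_after = f.read()
        # Anything left beyond the three known names would be a leaked scratch file.
        leftovers = sorted(set(os.listdir(tmpdir)) - {"app.ini", "victim.txt", "app.ini-new"})
        return {"config": new_config, "victim": victim_after, "leftovers": leftovers}


if __name__ == "__main__":
    print(run_demo())
```

Writing into the target's own directory matters as well as the random name: rename() is only atomic within one filesystem, so a scratch file in /tmp would turn the final step into a copy that can be interrupted half-way.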

Alerts:
Ubuntu USN-1543-1 libconfig-inifiles-perl 2012-08-20
Gentoo 201208-05 Config-IniFiles 2012-08-14
Mageia MGASA-2012-0127 perl-Config-IniFiles 2012-06-27
Fedora FEDORA-2012-7802 perl-Config-IniFiles 2012-05-22
Fedora FEDORA-2012-7777 perl-Config-IniFiles 2012-05-22

Comments (none posted)

pidgin-otr: code execution

Package(s): pidgin-otr  CVE #(s): CVE-2012-2369
Created: May 18, 2012  Updated: July 10, 2012
Description:

From the Red Hat bugzilla entry:

Versions 3.2.0 and earlier of the pidgin-otr plugin contain a format string security flaw. This flaw could potentially be exploited by a remote attacker to cause arbitrary code to be executed on the user's machine.

Alerts:
Gentoo 201207-05 pidgin-otr 2012-07-09
Mageia MGASA-2012-0140 pidgin-otr 2012-07-09
Debian DSA-2476-1 pidgin-otr 2012-05-19
openSUSE openSUSE-SU-2012:0717-1 pidgin-otr 2012-06-08
Fedora FEDORA-2012-8063 pidgin-otr 2012-05-18
SUSE SUSE-SU-2012:0703-1 pidgin-otr 2012-06-06

Comments (none posted)

rubygem-mail: arbitrary command execution

Package(s): rubygem-mail  CVE #(s): CVE-2012-2139 CVE-2012-2140
Created: May 21, 2012  Updated: May 23, 2012
Description: From the Red Hat bugzilla:

Two flaws were corrected in rubygem-mail version 2.4.4:

A file system traversal in file_delivery method.

Arbitrary command execution when using exim or sendmail from the commandline.
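Both flaws come from trusting an address string in a place where it is interpreted as something else: as part of a command line in one case, as a file name in the other. As an added example (not the mail gem's code), the Python below shows the defensive form of each: the MTA is invoked through an argv list with no shell, addresses are validated and can never start with "-", "--" terminates option parsing, and the file-delivery path is resolved and checked against the base directory. The sendmail path and the base directory are assumptions.

```python
import os
import re
import subprocess

SENDMAIL = "/usr/sbin/sendmail"  # assumed location of the sendmail-compatible binary

# Deliberately narrow: a dot-atom local part, '@', a dotted domain. No
# whitespace, quotes or angle brackets, so one address can never smuggle
# extra words onto a command line.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")


def validate_recipient(addr: str) -> str:
    """Return addr unchanged if it is a plain address that cannot be read as an option."""
    if not ADDRESS_RE.match(addr) or addr.startswith("-"):
        raise ValueError(f"refusing address {addr!r}")
    return addr


def build_sendmail_argv(sender: str, recipients) -> list:
    """argv for a sendmail-compatible MTA. No shell is involved, -i stops a lone
    '.' line from ending the message early, -f sets the envelope sender, and '--'
    ends option parsing so nothing after it can be taken as a flag."""
    if not recipients:
        raise ValueError("no recipients")
    return [SENDMAIL, "-i", "-f", validate_recipient(sender), "--",
            *(validate_recipient(r) for r in recipients)]


def deliver_via_sendmail(sender: str, recipients, message: bytes) -> int:
    """Hand the message to the MTA on stdin; returns the MTA's exit status."""
    proc = subprocess.run(build_sendmail_argv(sender, recipients), input=message)
    return proc.returncode


def file_delivery_path(base_dir: str, recipient: str) -> str:
    """Map a recipient to a mailbox file directly under base_dir.

    The address syntax above still admits '.', '/' and therefore '..' in the
    local part, so the resolved path is compared with the resolved base."""
    name = validate_recipient(recipient)
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(target) != base:
        raise ValueError(f"refusing to deliver outside {base}: {recipient!r}")
    return target


def is_rejected(func, *args) -> bool:
    """Helper for the checks below: did the call refuse its input?"""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(build_sendmail_argv("noreply@example.test", ["bob@example.test"]))
    print(is_rejected(build_sendmail_argv, "noreply@example.test", ["-oQ/tmp/x@example.test"]))
    print(is_rejected(file_delivery_path, "/srv/maildrop", "../../etc/passwd@example.test"))
```

The "--" separator is honoured by getopt-based sendmail front ends such as Postfix's and by Exim, but the validation is the primary defence; the separator is there so that a future relaxation of the address syntax cannot reopen the option-injection path by itself.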

Alerts:
Fedora FEDORA-2012-7535 rubygem-actionmailer 2012-05-19
Fedora FEDORA-2012-7692 rubygem-actionmailer 2012-05-19
Fedora FEDORA-2012-7692 rubygem-mail 2012-05-19
Fedora FEDORA-2012-7535 rubygem-mail 2012-05-19

Comments (none posted)

sympa: authorization bypass

Package(s): sympa  CVE #(s): CVE-2012-2352
Created: May 21, 2012  Updated: July 12, 2012
Description: From the Debian advisory:

Several vulnerabilities have been discovered in Sympa, a mailing list manager, that allow the scenario-based authorization mechanisms to be skipped. This vulnerability allows unauthorized users to display the archives management page and to download and delete the list archives.

Alerts:
Mageia MGASA-2012-0160 sympa 2012-07-11
Debian DSA-2477-1 sympa 2012-05-20

Comments (none posted)

sudo: privilege escalation

Package(s): sudo  CVE #(s): CVE-2012-2337
Created: May 17, 2012  Updated: July 17, 2012
Description:

From the Ubuntu advisory:

It was discovered that sudo incorrectly handled network masks when using Host and Host_List. A local user who is listed in sudoers may be allowed to run commands on unintended hosts when IPv4 network masks are used to grant access. A local attacker could exploit this to bypass intended access restrictions. Host and Host_List are not used in the default installation of Ubuntu.
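The fall-through described here, and in The H item earlier on this page, comes down to comparing an address of one family against fields that belong to the other. As an added example that is not sudo's code, the Python below is a small host matcher in the style of a sudoers Host_List: it accepts dotted-netmask and prefix-length forms, refuses any cross-family comparison before it looks at a single bit, and evaluates "!" negation with a last-match-wins rule that is a simplification chosen here rather than a description of sudo's algorithm.

```python
import ipaddress


def parse_host_rule(rule: str):
    """Parse one host entry: a bare address, addr/prefixlen or, for IPv4,
    addr/dotted-netmask. Returns (ip_version, network_int, mask_int)."""
    net = ipaddress.ip_network(rule, strict=False)
    return net.version, int(net.network_address), int(net.netmask)


def host_matches(rule: str, client: str) -> bool:
    """Does the client address fall inside the rule's network?

    The address family is compared first, so an IPv4 rule that does not match
    is never re-tried as an IPv6 comparison against fields that were never
    filled in, which is the failure mode described in the advisory."""
    version, network, mask = parse_host_rule(rule)
    addr = ipaddress.ip_address(client)
    if addr.version != version:
        return False
    return (int(addr) & mask) == network


def host_list_matches(rules, client: str) -> bool:
    """Evaluate a list of entries with optional '!' negation; the last entry
    that matches decides (a simplification chosen for this example)."""
    decision = False
    for entry in rules:
        negated = entry.startswith("!")
        if host_matches(entry.lstrip("!"), client):
            decision = not negated
    return decision


if __name__ == "__main__":
    # Constructed sample rule list and client addresses.
    rules = ["10.0.0.0/8", "!10.1.2.0/24", "fd00:1::/64"]
    for client in ("10.9.9.9", "10.1.2.5", "fd00:1::42", "192.0.2.1"):
        print(client, host_list_matches(rules, client))
```

The same property is worth checking in any matcher that grows a second address family: a negative result for one family must terminate the comparison, never hand the decision to code paths whose inputs were only populated for the other.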

Alerts:
Mandriva MDVSA-2013:054 sudo 2013-04-05
Oracle ELSA-2012-1081 sudo 2012-07-17
Scientific Linux SL-sudo-20120716 sudo 2012-07-16
CentOS CESA-2012:1081 sudo 2012-07-16
Red Hat RHSA-2012:1081-01 sudo 2012-07-16
Fedora FEDORA-2012-8021 sudo 2012-07-12
Gentoo 201207-01 sudo 2012-07-09
Debian DSA-2478-1 sudo 2012-05-23
Mandriva MDVSA-2012:079 sudo 2012-05-21
Fedora FEDORA-2012-7998 sudo 2012-05-29
openSUSE openSUSE-SU-2012:0652-1 sudo 2012-05-29
Ubuntu USN-1442-1 sudo 2012-05-16

Comments (none posted)

update-manager: multiple vulnerabilities

Package(s): update-manager  CVE #(s): CVE-2012-0948 CVE-2012-0949
Created: May 18, 2012  Updated: June 4, 2012
Description:

From the Ubuntu advisory:

It was discovered that Update Manager created system state archive files with incorrect permissions when upgrading releases. A local user could possibly use this to read repository credentials. (CVE-2012-0948)

Felix Geyer discovered that the Update Manager Apport hook incorrectly uploaded certain system state archive files to Launchpad when reporting bugs. This could possibly result in repository credentials being included in public bug reports. (CVE-2012-0949)

Alerts:
Ubuntu USN-1443-1 update-manager 2012-05-17
Ubuntu USN-1443-2 update-manager 2012-06-04

Comments (none posted)

wireshark: denial of service

Package(s): wireshark  CVE #(s):
Created: May 23, 2012  Updated: May 23, 2012
Description: From the Mandriva advisory:

It may be possible to make Wireshark hang for long or indefinite periods by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.

It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.

Wireshark version 1.6.8 fixes these issues.

Alerts:
Mandriva MDVSA-2012:080 wireshark 2012-05-23

Comments (none posted)

Page editor: Jake Edge


Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds