Tightening security: not for the impatient
Consider the classic symbolic link vulnerability, wherein an attacker fools a privileged program into writing to a file behind an attacker-controlled symbolic link. Such vulnerabilities can be exploited to overwrite files that the attacker would not otherwise have access to. One does not have to dig far into the LWN vulnerability list to see that the identification and patching of symbolic link vulnerabilities is an ongoing process. One might think that, if somebody could come up with a way to eliminate such vulnerabilities altogether, it would be adopted in a hurry.
As it happens, Kees Cook has a way to deal with this class of vulnerabilities. It is based on the observations that symbolic link vulnerabilities almost always involve links placed in /tmp, and that /tmp has the "sticky" bit set in any contemporary distribution. Given that:
In short, this change would make it so that nobody could create symbolic links in /tmp and expect a privileged program to follow them. Lest one think that Kees is taking credit for this concept, he posted a bit of history for this idea, starting with a 1996 Bugtraq message from Zygo Blaxell and a kernel patch by Andrew Tridgell from the same year. This idea, in other words, has been floating around for at least 16 years, but an implementation has never found its way into the mainline kernel. Memory management changes are amazingly fast in comparison.
The reason for the resistance, of course, is that this is a change in filesystem semantics. There are concerns that it would break POSIX compliance, though Kees claims that POSIX is silent on this particular behavior. Also of concern is the possibility of breaking existing applications. Kees responds that any broken applications would be easily noticed (while those suffering from symbolic link vulnerabilities are not), and that no applications relying on existing behavior have ever been found. There have also been disagreements over how the patch should be implemented, but those have seemingly mostly been resolved.
So Kees thinks that his current patch set (a variant of one we have seen before) should be considered for merging, finally. The patches implement the symbolic link restrictions, but also add a new rule for hard links: a hard link to a file can only be created if the user owns the file or has write access to it. Once again, this change eliminates a class of attacks, but at a small cost: older versions of the "at" daemon break unless a small patch is applied. No other problems have been found, Kees says, after 1.5 years of experience with this patch in the Ubuntu kernel.
Whether that is enough evidence to get the changes merged this time around remains to be seen. It has only been 16 years, after all, and one would not want to be too hasty about such a thing.
Meanwhile, Kees has put together a separate security-oriented patch that has run into some concerns of its own. On Linux systems, there is a sysctl knob (suid_dumpable) that controls whether a crashing setuid process generates a core dump or not. Setting it to a non-zero value allows core dumps to happen; setting it to two applies certain restrictions that are intended to make it safe. But, Kees says, that's not the case; it allows a user to create a file called core in almost any directory, containing arbitrary text (environment strings, for example). This capability is not necessarily as harmless as one might think; as the 2006 cron vulnerability shows, some programs will happily pick out the strings they understand in a file full of junk, happily ignoring the rest. Thus, he claims, allowing users to create files in arbitrary locations is asking for trouble.
His response has been through a number of iterations:
- Version 1 disallowed storing
core dumps from privileged executables into a file. If the
core_pattern knob is set to a pipe, instead, core dumps
happen as before. This was seen as an incompatible ABI change,
though, and one that would cause surprising results.
- Version 2 added a new setting (3) that
would only allow setuid core dumps to a pipe. The previous "safe"
setting (2) was deprecated; attempting to set it would fail with an
EINVAL error. This version ran into trouble as a result of how it
interacted with the sysctl mechanism.
- Version 3 fixed the sysctl
difficulties but was opposed by Andrew Morton, who feared that the
deprecation of the previous mode would break current systems in
surprising ways. He suggested keeping suid_dumpable=2 as a
working mode with a warning.
- Version 4 went back to something
closer to version 1, but with some loud warnings emitted. But
then Eric Biederman asked whether disallowing relative paths would be
a sufficient fix.
- Thus, version 5 (the current version, as of this writing), just disallows the writing of setuid core dumps to relative paths. Should core_pattern be set to a relative path ("core", for example), a warning will be logged instead.
Thus far, there has not been much in the way of complaints about the fifth
iteration of the patch. So, possibly, it will not be necessary to wait for
years until this particular bit of security tightening gets into the
mainline kernel. Of course, unlike the system's link behavior, the core
dump behavior can be changed now by concerned system administrators—no need
to wait at all.
| Index entries for this article | |
|---|---|
| Kernel | Security |
| Kernel | Symbolic links |
| Security | Linux kernel |
Posted Jun 28, 2012 14:30 UTC (Thu)
by ortalo (guest, #4654)
[Link]
Should you pointing these very long delays of elementary improvements lead us to think that reconsidering the priority of security with respect to other issues in the overall development would be desirable?
If that's the case, you have my full support - even though it also seems to me that nowadays the security of user-level programs is becoming the urgent issue.
Posted Jun 28, 2012 15:31 UTC (Thu)
by david.a.wheeler (subscriber, #72896)
[Link] (13 responses)
Congrats to Kees Cook, who patiently managed to get this in.
But the slow pace of getting security-tightening mechanisms into the kernel is embarrassing.
It's absurd to wait until "all applications as libraries are perfect" as a security strategy. We need a "plan B". A kernel cannot prevent all errors from becoming security vulnerabilities, but where the kernel can reasonably prevent them or reduce their effects, it should do so.
We should be making security-tightening measures a high priority, not something that's done as a last resort. We should be searching for those mechanisms, not trying to prevent their inclusion.
Posted Jun 29, 2012 14:50 UTC (Fri)
by spender (guest, #23067)
[Link] (12 responses)
For those without horse blinders:
Kick your shoes off, prop your feet up, and have a margarita or two. Reward yourself for a job well done!
-Brad
Posted Jun 29, 2012 19:14 UTC (Fri)
by utoddl (guest, #1232)
[Link] (8 responses)
Posted Jun 30, 2012 1:31 UTC (Sat)
by spender (guest, #23067)
[Link] (7 responses)
Regardless, it seems to be working out a lot better for us than whatever kernel.org has been running ;)
It's clear you have no familiarity with grsecurity: having your head in the sand for a decade speaks volumes about your security knowledge.
Not really sure why people like yourself feel the need to reply publicly just to expose your own ignorance to the world.
-Brad
Posted Jul 1, 2012 11:52 UTC (Sun)
by roblucid (guest, #48964)
[Link] (6 responses)
The last sentence was not necessary, a personal comment detracting from the technical point point.
Posted Jul 1, 2012 12:40 UTC (Sun)
by spender (guest, #23067)
[Link] (1 responses)
-Brad
Posted Jul 1, 2012 14:35 UTC (Sun)
by man_ls (guest, #15091)
[Link]
Anyway I think you (Brad Spender) can do better than insult someone in public. This kind of derision tells more about you than about the original poster.
Posted Jul 11, 2012 21:21 UTC (Wed)
by BenHutchings (subscriber, #37955)
[Link] (3 responses)
Posted Jul 12, 2012 12:26 UTC (Thu)
by spender (guest, #23067)
[Link] (2 responses)
Anyone is free to do what they want, of course. I just don't recommend the use of such kernels, as over the years I've noticed several things:
1) Our development is very active, yet any 3rd-party packaging has always lagged (often quite badly). In fact just yesterday I had someone on the forums waste my time trying to get help compiling his "grsecurity" kernel that turned out to be a 2 year old Debian source of it.
I don't think any of the above is unreasonable. BTW, instead of making snide remarks, might your time be better served backporting some more missing security fixes to 3.2? ;)
-Brad
Posted Jul 13, 2012 1:36 UTC (Fri)
by BenHutchings (subscriber, #37955)
[Link] (1 responses)
Not an official Debian package, of course. My remark was intended more as a joke that it's very easy to satisfy people who want me (or rather us) not to work on something. Less funny when it has to be explained, I suppose. As for backporting security fixes, I try, but surely you consider me incompetent to do so?
Posted Jul 13, 2012 2:45 UTC (Fri)
by spender (guest, #23067)
[Link]
-Brad
Posted Aug 21, 2012 7:46 UTC (Tue)
by reddit (guest, #86331)
[Link] (2 responses)
Which means doing them properly in such a way that they don't impact performance, functionality or compatibility.
Posted Aug 21, 2012 10:55 UTC (Tue)
by dark (guest, #8483)
[Link] (1 responses)
Posted Aug 21, 2012 19:34 UTC (Tue)
by dlang (guest, #313)
[Link]
http://www.ranum.com/security/computer_security/papers/a1...
Posted Jul 3, 2012 22:01 UTC (Tue)
by ScottMinster (subscriber, #67541)
[Link] (9 responses)
This doesn't sound too good. Where I work, we have applications that regularly create hard links to files just for reading. The reason we do this is in case the file is replaced by a new version while it is being read. This shouldn't be a problem on most file systems, but NFS has given us trouble in the past, and we're often using NFS filesystems. The code follows the pattern of link(), open(), and unlink(). The NFS server will keep the unlink'ed file, and more importantly the NFS key (or whatever its called) around so the original file's contents can be read, even if the file is replaced with a new version (through writing to a temporary file and renaming). While the code is robust enough to fallback on opening the original file instead of a temporary link if it cannot make the link (often happens if the directory itself is not writable), it would be annoying to lose this feature. We've had weird race conditions in the past on NFS without this logic. Perhaps link() should be allowed to work if the user has read or write access to the file? Making a hard link to a file that cannot be read by the current user does seem to have little purpose.
Posted Jul 11, 2012 21:30 UTC (Wed)
by BenHutchings (subscriber, #37955)
[Link] (8 responses)
If a setuid executable turns out to be exploitable, the sysadmin will (hopefully) upgrade it to a fixed version quickly. But in some filesystem configurations a malicious user could use hard links to make 'backups' of setuid executables in the expectation that one of them would later turn out to be exploitable. The hard link restrictions prevent this.
Posted Jul 11, 2012 22:44 UTC (Wed)
by nybble41 (subscriber, #55106)
[Link] (7 responses)
Some other reasonable workarounds for this issue would be to clear the setuid bit before replacing a setuid executable, to restrict setuid executables to a dedicated filesystem with no non-superuser write access, or to prevent creating links to files with setuid enabled.
Or we could drop setuid entirely and go with something more like PolicyKit, which isn't affected by hard links, thus making the root -> user transition a one-way street.
Posted Jul 12, 2012 11:06 UTC (Thu)
by philomath (guest, #84172)
[Link] (6 responses)
Posted Jul 17, 2012 9:29 UTC (Tue)
by nlucas (guest, #33793)
[Link] (5 responses)
But I agree with you that it's a reasonable breakage.
Posted Jul 17, 2012 15:18 UTC (Tue)
by nybble41 (subscriber, #55106)
[Link] (4 responses)
Posted Jul 20, 2012 23:41 UTC (Fri)
by mathstuf (subscriber, #69389)
[Link] (3 responses)
Posted Jul 21, 2012 11:30 UTC (Sat)
by anselm (subscriber, #2796)
[Link] (2 responses)
Hard-linked files do share the same permissions – permissions are stored on the file's inode and hard links are just extra directory entries that point to the same inode.
Linux will not let you create a hard link to an executable file that is marked suid but doesn't belong to you. Making hard links to a file that you own yourself is fine regardless of whether that file is suid or not, and does not impinge on the suid status of the file.
Posted Jul 21, 2012 16:55 UTC (Sat)
by mathstuf (subscriber, #69389)
[Link] (1 responses)
Posted Jul 23, 2012 13:15 UTC (Mon)
by nlucas (guest, #33793)
[Link]
It's easy enough to build a busybox binary implementing only the suid utils (as is to not include the suid utils on the regular binary).
Posted Jul 5, 2012 2:18 UTC (Thu)
by kevinm (guest, #69913)
[Link] (3 responses)
The hardlink behaviour change would though, unless it too is limited to directories with the sticky bit set - is that the case?
Posted Jul 6, 2012 19:49 UTC (Fri)
by mfedyk (guest, #55303)
[Link] (1 responses)
No, this hard link change could not be related to directory sticky bit because multiple directories could point to the same inode (hard links).
That said, it would be acceptable IMO if it was activated with a mount option.
Posted Jul 9, 2012 3:55 UTC (Mon)
by kevinm (guest, #69913)
[Link]
It even makes sense, because in a sticky directory you can create hardlinks that you can't then remove, but the same isn't true of nonsticky directories.
It's also unambiguous, and the destination directory of the link already has to be looked up to create the link.
Posted Jul 11, 2012 21:31 UTC (Wed)
by BenHutchings (subscriber, #37955)
[Link]
Tightening security: not for the impatient
Tightening security: Time to prioritize it!!
Tightening security: Time to prioritize it!!
http://www.grsecurity.net/
Okay, I have no familiarity with grsecurity, but that their entire site seems to be php based made me wince a little.
Tightening security: Time to prioritize it!!
Tightening security: Time to prioritize it!!
Tightening security: Time to prioritize it!!
Tightening security: Time to prioritize it!!
Granted, the one-liner was a bit misleading; the same comment could have been made for many other things and be equally meaningless. Just for fun:
Tightening security: Time to prioritize it!!
I have no familiarity with github, but that their entire site seems to be Rails-based made me wince a little.
(The last one made me wince too, but hey.)
I have no familiarity with Red Hat, but that their entire distro seems to be Linux-based made me wince a little.
I have no familiarity with eBay, but that their entire site seems to be IIS-based made me wince a little.
Tightening security: Time to prioritize it!!
Tightening security: Time to prioritize it!!
http://lists.debian.org/debian-kernel/2012/01/msg01165.html
2) Security isn't obtained by lifting individual features, and you can't just toss some code into a codebase and claim it works as intended just because it applies cleanly. I'll be giving a talk in October at H2HC where in part I'll talk about some security features that were ripped from grsecurity and submitted upstream, then neglected to the point where they no longer do what they claim.
3) When it comes to security features, I argue the same as in Plato's "Ion", that a security researcher with kernel development experience would know best how it should be merged to preserve its integrity. Not a kernel developer lacking security knowledge, and definitely not someone just testing to see if two codebases compile when merged.
Tightening security: Time to prioritize it!!
In fact just yesterday I had someone on the forums waste my time trying to get help compiling his "grsecurity" kernel that turned out to be a 2 year old Debian source of it.
BTW, instead of making snide remarks, might your time be better served backporting some more missing security fixes to 3.2? ;)
Tightening security: Time to prioritize it!!
Tightening security: Time to prioritize it!!
Well, that definition of 'properly' puts security in fourth place. It makes it an afterthought. Something that's nice to have as long as it doesn't impact the important stuff. I don't think it's likely that people who put security in first place are going to do their work that way.
Tightening security: Time to prioritize it!!
Tightening security: Time to prioritize it!!
Tightening security: not for the impatient
a hard link to a file can only be created if the user owns the file or has write access to it
Tightening security: not for the impatient
Perhaps link() should be allowed to work if the user has read or write access to the file? Making a hard link to a file that cannot be read by the current user does seem to have little purpose.
Tightening security: not for the impatient
Tightening security: not for the impatient
Tightening security: not for the impatient
Tightening security: not for the impatient
Tightening security: not for the impatient
Tightening security: not for the impatient
Tightening security: not for the impatient
Tightening security: not for the impatient
Tightening security: not for the impatient
Tightening security: not for the impatient
Tightening security: not for the impatient
Tightening security: not for the impatient