The trouble with dropping groups
Josh Triplett would like to make it easy for unprivileged users to run programs in a sandboxed mode. As part of that work, he put together a patch allowing an unprivileged process to drop its membership in one or more groups. The idea is that a user could fire off a sandboxed process with minimal credentials, including a reduced set of group memberships, without having to resort to privileged helper commands. That should reduce the level of privilege in the system overall and, hopefully, make things more secure.
But it seems that no Unix-like system anywhere has made it possible for unprivileged processes to drop group membership. The reason may be surprising, but it's there nonetheless: some systems use group membership as a way of reducing privilege; such schemes would no longer work if users could discard groups at will.
Casey Schaufler jumped in early with the assertion that Tizen is one of the systems using groups in this way. The specific mechanism he is worried about is access control lists (ACLs). An ACL can make either positive or negative access decisions, so one can write an ACL to deny access to a resource if the accessing process is a member of a given group. It makes sense in a way; user applications could be run with membership in a special "untrusted" group that would be denied access to most system resources. Casey was pretty clear in his opinion that this change should not be merged:
Ted Ts'o pointed out that there is no need to have ACLs to use groups as a negative access indicator. Imagine you had a directory called games that you wanted to make available to all users except those in the games-abusers group. All that is needed is a command sequence like:
chown bin.games-abusers games
chmod 705 games
This will have the (possibly surprising) effect of blocking access to the directory for anybody in the games-abusers group — the "no access" group permission bits override the more open permissions for the whole world. Once again, being able to drop group membership would defeat this kind of mechanism.
Finally, the sudo utility can also make decisions based on group membership or the lack thereof. Being able to drop group membership could thus enable a user to get privileges via sudo that would normally have been denied.
As it happens, on a Linux system one does not actually need Josh's patch to be able to drop group membership. As Andy Lutomirski noted, user namespaces already make that possible. In a user namespace, normal users can have root access and can thus call setgroups(). In theory, that access does not enable any expanded privilege outside of the namespace, but, as can be seen here, a few surprises still lurk in that code. Beyond setgroups(), though, user namespaces can be used to drop groups by simply neglecting to map them to groups outside of the namespace; see this article for details on how this mapping works. Andy sees the problem as being serious enough that he reported it to the oss-security mailing list as a vulnerability with no fix available.
A few of the participants in the discussion seemed to feel that the idea of using credentials to reduce privilege was a bit backward. But it appears to be something that people do, so breaking it is not an option. For the case of user namespaces, some sort of fix will have to be applied; it may become impossible to drop group memberships from within a user namespace. The sudo problem can be addressed by only allowing groups to be dropped if the "no new privileges" flag (originally introduced for system call filtering) is set, but Eric Biederman worries about the additional complexity that would bring in.
There was talk of adding a sysctl knob to control the unprivileged dropping
of group membership. Such a flag would default to "off"; system
administrators could turn it on if they were confident that it would not
subvert the security models in use on their systems. But Casey is not confident that this option makes sense;
just because a system does not use groups to restrict privilege now doesn't
mean that somebody won't install a package using that approach tomorrow.
Also, as he pointed out: "The developers of user namespaces didn't
notice it might be a problem. You can't count on sysadmins or distro
developers to do better.
"
So, in the end, unprivileged dropping of group membership may turn out to be one of those ideas that just can't quite be shoehorned into the decades-old Unix privilege model. There is a lot of history there and no end of systems that might see surprising results coming from a change like this. If this work does go forward, expect to hear some loud complaints before it makes it into the mainline.
(Those interested in this work may also want to have a look at Josh's other patch. It allows a process to
have multiple user IDs in the same way that multiple group IDs are possible
now. The idea is that the process could use those supplemental IDs to run
sandboxed processes each with their own user ID.)
| Index entries for this article | |
|---|---|
| Kernel | Namespaces/User namespaces |
| Kernel | Negative groups |
| Security | Linux kernel |
Posted Nov 20, 2014 1:38 UTC (Thu)
by skissane (subscriber, #38675)
[Link] (6 responses)
Posted Nov 20, 2014 5:21 UTC (Thu)
by ncm (guest, #165)
[Link] (5 responses)
Posted Nov 20, 2014 6:50 UTC (Thu)
by luto (guest, #39314)
[Link] (4 responses)
Posted Nov 20, 2014 7:45 UTC (Thu)
by neilbrown (subscriber, #359)
[Link]
Then it would only be logical to also identify a range of groups that could freely be added - if the goal is to lose privileges, and adding groups achieves that, then maybe it should be allowed.
Having observed that, it starts to feel very much like the wrong solution to the problem.
Posted Nov 20, 2014 21:26 UTC (Thu)
by skissane (subscriber, #38675)
[Link] (2 responses)
Posted Nov 20, 2014 21:37 UTC (Thu)
by luto (guest, #39314)
[Link] (1 responses)
Posted Nov 21, 2014 0:48 UTC (Fri)
by skissane (subscriber, #38675)
[Link]
Posted Nov 20, 2014 6:31 UTC (Thu)
by Comet (subscriber, #11646)
[Link] (6 responses)
Thus customer Foo can not see the files of customer Bar, but the webserver process, not in the "customer" group, can access all files.
Posted Nov 20, 2014 11:13 UTC (Thu)
by smurf (subscriber, #17840)
[Link] (3 responses)
Posted Nov 20, 2014 11:37 UTC (Thu)
by knan (subscriber, #3940)
[Link] (1 responses)
Posted Nov 20, 2014 23:37 UTC (Thu)
by gerdesj (subscriber, #5446)
[Link]
I note that Novell ended up putting in an override in the filesystem so that having certain eDirectory rights to the object corresponding to the root of a volume (they are pinned as objects in the directory) would override an IRF thus always ensuring someone could get to files to fix fuck ups. Bit like root really ...
I have always been able to design filesystem layouts for user data that only needed additive rights. It only needs some thought and let's face it, real ACLs have been around for a while. The old days of just rwxrwxrwx are long gone.
Cheers
Posted Nov 20, 2014 23:54 UTC (Thu)
by Comet (subscriber, #11646)
[Link]
The permissions-stripping group membership is very reliable in every Unix to date.
That doesn't mean it's not a little icky, or that we can't move forward with better ways today, but unless the better way also reliably supports both NFS (various protocol versions) and other operating systems (not everything is pure Linux) then demanding that everyone switch to doing things in a way which doesn't expose the Linux change as a security flaw is only going to create acrimony for the high-handedness.
Posted Nov 20, 2014 15:23 UTC (Thu)
by ebiederm (subscriber, #35028)
[Link]
Posted Apr 25, 2015 16:37 UTC (Sat)
by mcortese (guest, #52099)
[Link]
It looks to me a pretty poor security scheme. It implies every user is more trustworthy than those in the customer group, even nobody, irc, anonymous FTP, etc. It is as bad as setting up iptables to default to ACCEPT and then specifying all the conditions to DROP. I think that, in most cases where a negative-access group seems advisable, equivalent solutions with positive-access group are also possible. In Ted's example, defining a "fair-gamer" group and giving it to all users is just a couple commands longer than using "game-abuser".
Posted Nov 20, 2014 10:21 UTC (Thu)
by giggls (subscriber, #48434)
[Link]
It is the lack of a system call to change the primary gid of a process in a way the suid utility sg does.
I consider it somewhat broken, that sg has to be suid at all.
It is at least very inconvenient that it is impossible to do inside a binary without an ugly wrapper script or execing itself via sg.
Sven
Posted Nov 20, 2014 11:17 UTC (Thu)
by smurf (subscriber, #17840)
[Link]
Posted Nov 20, 2014 19:35 UTC (Thu)
by micka (subscriber, #38720)
[Link]
Given an hypothetical userspace system that uses the ability to drop groups from within a user namespace (say, to drop priviliges), wouldn't that mean breaking userspace?
Posted Nov 20, 2014 19:56 UTC (Thu)
by rgb (subscriber, #57129)
[Link]
Posted Nov 20, 2014 21:37 UTC (Thu)
by cdmiller (guest, #2813)
[Link]
limits.conf:
Posted Nov 20, 2014 22:05 UTC (Thu)
by jspaleta (subscriber, #50639)
[Link] (2 responses)
-jef
Posted Nov 20, 2014 23:37 UTC (Thu)
by spender (guest, #23067)
[Link] (1 responses)
Just a small sampling of the vulns:
If upstream had any security sense, they wouldn't have removed the privilege checks for creating user namespaces despite the code clearly not being ready for such a change. Grsecurity put the privilege checks back ever since they were removed and avoided this entire mess. I don't see how the creation of nearly arbitrarily-deep user namespaces by unprivileged users is of such importance in the present time to be putting systems at risk for what Ubuntu and others promote as a security feature.
-Brad
Posted Nov 20, 2014 23:54 UTC (Thu)
by jspaleta (subscriber, #50639)
[Link]
But yes I'm not up to speed on state of the art on containers as much as I would like to be, can't seem to scope playing with it as relevant to my current paying gig... unless you can point me to containers that work with qnx.
-jef
Posted Nov 24, 2014 15:29 UTC (Mon)
by ortalo (guest, #4654)
[Link] (5 responses)
Posted Nov 25, 2014 12:45 UTC (Tue)
by Jandar (subscriber, #85683)
[Link] (4 responses)
Posted Dec 6, 2014 0:46 UTC (Sat)
by Wol (subscriber, #4433)
[Link] (3 responses)
The system I am used to is simple.
If user acl then grant user rights else if group acl(s) then grant sum of group rights else grant default rights.
Okay, I then can't restrict a group of users, but it makes it dead easy for me to control what rights someone has over my project - if I give a user an explicit set of rights then their (possibly unknown to me) group rights are irrelevant.
The problem with adding user and group rights is it prevents an administrator delegating to a project manager the ability to manage his projects. Okay, the best way is proper group management but if the project manager doesn't know (and he may well not have access to) the list of groups his staff belong to, then my version gives him the ability to explicitly control access at the user level.
Cheers,
Posted Dec 6, 2014 20:05 UTC (Sat)
by bfields (subscriber, #19510)
[Link] (2 responses)
That's more or less what the "posix" acls supported by most linux filesystems do. (See the "ACCESS CHECK ALGORITHM" section in the acl(5) man page for details.) They don't have the explicit deny aces that windows acls do.
Posted Dec 6, 2014 20:57 UTC (Sat)
by Cyberax (✭ supporter ✭, #52523)
[Link]
> The ACL entries are looked at in the following order: owner, named users, (owning or named) groups, others. Only a single entry determines access. Step two checks if the matching entry contains sufficient permissions.
This can be used (and often is!) for effectively negative ACLs.
Posted Dec 6, 2014 22:44 UTC (Sat)
by rleigh (guest, #14622)
[Link]
At least when using ZFS/NFS4 with FreeBSD, it appears to have fully native support for NFS4 ACLs, while Linux doesn't appear to have support there at the moment (when testing using an NFS4 ZFS export). Are there any plans for support for NFS4 ACLs with Linux on native and remote filesystems?
The trouble with dropping groups
The trouble with dropping groups
The trouble with dropping groups
The trouble with dropping groups
The trouble with dropping groups
The trouble with dropping groups
The trouble with dropping groups
The trouble with dropping groups
The trouble with dropping groups
The trouble with dropping groups
The trouble with dropping groups
Jon
The trouble with dropping groups
The trouble with dropping groups
negative group permissions. I especially like the fact that supplementary groups are not needed for it to work.
The trouble with dropping groups
A somewhat related problem
The trouble with dropping groups
The trouble with dropping groups
The trouble with dropping groups
Further negative group examples pam_access, pam_limits
-:wheel:ALL EXCEPT LOCAL .win.tue.nl
@faculty soft nproc 20
The trouble with dropping groups
The trouble with dropping groups
http://article.gmane.org/gmane.linux.network/283310
http://thread.gmane.org/gmane.linux.file-systems/89076
https://lkml.org/lkml/2013/3/14/579
http://git.kernel.org/cgit/linux/kernel/git/davem/net.git...
http://stealth.openwall.net/xSports/clown-newuser.c
http://comments.gmane.org/gmane.comp.security.oss.general...
The trouble with dropping groups
I just wanted to be clear on this to the list.
The trouble with dropping groups
(Note these rwx things are most commonly called "access rights", which means "permissions" for most of the world, not forbidden actions. I'd like to have interdictions in our security systems, but only if they are called interdictions and cannot be easily mistaken from permissions.)
The trouble with dropping groups
The trouble with dropping groups
Wol
The trouble with dropping groups
If user acl then grant user rights else if group acl(s) then grant sum of group rights else grant default rights.
The trouble with dropping groups
(c) http://users.suse.com/~agruen/acl/linux-acls/online/main....
The trouble with dropping groups