Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 2 Apr 2015 20:36:27 +0200
From: u-wsnj@...ey.se
To: musl@...ts.openwall.com
Subject: Re: Re: Busybox on musl is affected by CVE-2015-1817

On Fri, Apr 03, 2015 at 12:26:56AM +0700, Рысь wrote:
[Harald Becker wrote]
> > This would be a very simple change in the kernel, giving a big step
> > to more security ... but still such things are missing :(

[answering to Harald Becker]
Credentials handling in the kernel is a result of a very long evolution
and efforts for making the behaviour both relatively consistent and
conforming to its documented standard definition.

If you believe that such a change can be simple and easily contained in
scope, you fall for wishful thinking.
Unix is monolithic by design, it is extremely hard to improve without
throwing out its design or otherwise hitting lots of issues in very
different places where you inadvertently would break someone else's
assumptions. Linux did not throw out the design and thus had to preserve
lots of problems and limitations, for a reason.

On Fri, Apr 03, 2015 at 12:26:56AM +0700, Рысь wrote:
> Audit your filesystem and remove all
> setuid bits from all programs, move/rename them as prog.real and place
> a shell script in place which will call setuid wrapper which then will
> setreuid(uid, 0) then execve().

This way you are still exposed to setuid and also still depend on how
the prog.real is going to use the supplied credentials. You more or less
have to reimplement in your wrapper the checks expected "to be already
present" in the program, without any control over its internals.

This can certainly improve the situation if you are (which presumably
is the case) more security-oriented and thoughtful than the upstream
developer, but you are in an uphill battle.

For me this does not look like a solution, rather like a patchwork
which may or may not be effective.

Rune

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.