Date: Fri, 14 Feb 2014 09:18:19 +0100 From: Helmut Grohne <helmut@...divi.de> To: Dimitri John Ledkov <xnox@...ian.org> Cc: 738855@...s.debian.org, oss-security@...ts.openwall.com Subject: Re: Bug#738855: initscripts: Skip killing root-owned process starting with @ On Fri, Feb 14, 2014 at 12:28:52AM +0000, Dimitri John Ledkov wrote: > Thanks a lot for the review! Hmm. Maybe you can hold this patch off for a little longer? Pulling in oss-sec, because I am no longer sure that the remedy addresses all relevant aspects. Summary of previous discussion follows for oss-sec: Dimitri Ledkov asked for the initscripts package to exempt root-owned processes whose process name starts with an '@' from being killed in the sendsigs script during shutdown. This support would make initscripts a little more compatible with systemd, which is a good thing! The relevant systemd documentation can be found at: http://www.freedesktop.org/wiki/Software/systemd/RootStorageDaemons/ However, I doubt that the proposed restriction (effective UID of process equals 0) is sufficient. For example in a SELinux context being root may mean significantly less. Russel Coker runs a machine where you can log into as root remotely, see http://www.coker.com.au/selinux/play.html. In this context allowing user processes to not be killed merely by changing their name could cause data loss during shutdown by blocking umount. I do not understand the consequences of the above technique in other security extension contexts, so I am asking here for help. The alternative mechanism currently used by initscripts is to allow daemons to write their PID to /run/sendsigs.omit.d/$daemon. Being a file-based approach, it can be easily controlled in the SELinux context using restorecon. Another aspect of interest could be processes running as root with their capability bounding set cleared or reduced. So dear oss-sec readers, do you think that allowing processes whose effective UID is 0 to not being killed during shutdown is a good idea? If the answer is no, then please assign a CVE identifier for systemd (version 38+, src/core/killall.c). Helmut
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ