Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 2 Dec 2011 05:07:17 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: Re: Re: [owl-cvs] Owl/packages/rpm

On Fri, Dec 02, 2011 at 01:40:04AM +0400, Dmitry V. Levin wrote:
> On Mon, Jul 25, 2011 at 05:35:15AM +0400, Owl CVS (solar) wrote:
> > 	rpm-4.2-owl-remove-unsafe-perms.diff 
> > Log Message:
> > Added a patch to remove unsafe file permissions (chmod'ing files to 0) on
> > package removal or upgrade to prevent continued access to such files via
> > hard-links possibly created by a user (CVE-2005-4889, CVE-2010-2059).
> 
> There is a risk to get into big trouble with this change, because
> hardlinked files could be legally created by packages without any user
> intervention.  For example, our screen package hardlinks
> /usr/libexec/chkpwd/tcb_chkpwd and /usr/libexec/utempter/utempter to
> /usr/libexec/screen/, and only by sheer luck (we happily have a %preun
> script that removes these /usr/libexec/screen/* files) screen package
> removal does not lead to zeroing permissions of
> /usr/libexec/chkpwd/tcb_chkpwd and /usr/libexec/utempter/utempter.
> Those who rely on rpm to remove %ghost files may some day be trapped by
> this hardening feature.
> I actually got trapped after porting it to Sisyphus where permissions of
> several system config files including /etc/nsswitch.conf were zeroed after
> removing a chrooted daemon.

Ouch.  What alternative do you recommend?  A more limited hardening
change like in upstream RPM 4?  Or maybe something inbetween - limiting
it to SUIDs/SGIDs and device files?  (Upstream RPM 4 limits this to
SUIDs/SGIDs only, leaving device files unprotected.)

Thanks,

Alexander

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ