Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 2 Dec 2011 05:30:44 +0400
From: "Dmitry V. Levin" <ldv@...linux.org>
To: owl-dev@...ts.openwall.com
Subject: Re: Re: [owl-cvs] Owl/packages/rpm

On Fri, Dec 02, 2011 at 05:07:17AM +0400, Solar Designer wrote:
> On Fri, Dec 02, 2011 at 01:40:04AM +0400, Dmitry V. Levin wrote:
> > On Mon, Jul 25, 2011 at 05:35:15AM +0400, Owl CVS (solar) wrote:
> > > 	rpm-4.2-owl-remove-unsafe-perms.diff 
> > > Log Message:
> > > Added a patch to remove unsafe file permissions (chmod'ing files to 0) on
> > > package removal or upgrade to prevent continued access to such files via
> > > hard-links possibly created by a user (CVE-2005-4889, CVE-2010-2059).
> > 
> > There is a risk to get into big trouble with this change, because
> > hardlinked files could be legally created by packages without any user
> > intervention.  For example, our screen package hardlinks
> > /usr/libexec/chkpwd/tcb_chkpwd and /usr/libexec/utempter/utempter to
> > /usr/libexec/screen/, and only by sheer luck (we happily have a %preun
> > script that removes these /usr/libexec/screen/* files) screen package
> > removal does not lead to zeroing permissions of
> > /usr/libexec/chkpwd/tcb_chkpwd and /usr/libexec/utempter/utempter.
> > Those who rely on rpm to remove %ghost files may some day be trapped by
> > this hardening feature.
> > I actually got trapped after porting it to Sisyphus where permissions of
> > several system config files including /etc/nsswitch.conf were zeroed after
> > removing a chrooted daemon.
> 
> Ouch.  What alternative do you recommend?  A more limited hardening
> change like in upstream RPM 4?  Or maybe something inbetween - limiting
> it to SUIDs/SGIDs and device files?  (Upstream RPM 4 limits this to
> SUIDs/SGIDs only, leaving device files unprotected.)

In Sisyphus, to mitigate the effect, I relaxed the hardening by limiting
zeroing permissions of regular files to set[ug]id executables (devices and
other non-regular files thus remain the subject of permissions zeroing):
http://git.altlinux.org/gears/r/..git?p=rpm.git;a=commitdiff;h=3946369bfbc2e47f0742a397362c23c9aeafd03f
But the example of 'screen' shows that even a set[ug]id executable can be
a (rare?) subject for legal hardlinking, which leaves us nothing but
workarounds like manual files removal in %preun scripts.  If we could
distinguish %ghost files from others on removal, that would really help us
to fix the problem.


-- 
ldv

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ