Comments on: How SE Linux Prevents Local Root Exploits http://etbe.coker.com.au/2007/10/10/how-se-linux-prevents-local-root-exploits/ Linux, politics, and other interesting things Thu, 09 Feb 2012 01:09:24 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: etbe http://etbe.coker.com.au/2007/10/10/how-se-linux-prevents-local-root-exploits/comment-page-1/#comment-7237 etbe Wed, 10 Oct 2007 22:35:02 +0000 http://etbe.coker.com.au/2007/10/10/how-se-linux-prevents-local-root-exploits/#comment-7237 Olaf: You are correct that capabilities can be dropped, but this only works if capabilities are dropped correctly (there have been programs with bugs in this regard) and if the exploit can not happen before the capabilities are dropped (which has happened too). Jeff: That's great, so once 2.6.24 is out the use of such features can be considered in distributions. Maybe in 3 years time we will have distributions using it. Also we will have some push-back from users about this. For example when programs that currently run as root are run as non-root then their data files need to be owned by non-root. If a program that is currently setuid is made setcap then when root runs it the result will be different from when non-root runs it - not an insurmountable problem but as we have seen with users turning off SE Linux it's something that will cause acceptance problems. Olaf: You are correct that capabilities can be dropped, but this only works if capabilities are dropped correctly (there have been programs with bugs in this regard) and if the exploit can not happen before the capabilities are dropped (which has happened too).

Jeff: That’s great, so once 2.6.24 is out the use of such features can be considered in distributions. Maybe in 3 years time we will have distributions using it.

Also we will have some push-back from users about this. For example when programs that currently run as root are run as non-root then their data files need to be owned by non-root. If a program that is currently setuid is made setcap then when root runs it the result will be different from when non-root runs it – not an insurmountable problem but as we have seen with users turning off SE Linux it’s something that will cause acceptance problems.

]]> By: Jeff Schroeder http://etbe.coker.com.au/2007/10/10/how-se-linux-prevents-local-root-exploits/comment-page-1/#comment-7206 Jeff Schroeder Wed, 10 Oct 2007 17:26:14 +0000 http://etbe.coker.com.au/2007/10/10/how-se-linux-prevents-local-root-exploits/#comment-7206 "As for setuid executables, there is work on creating set-cap executables but it isn’t going to go mainline in Linux for a while." @etbe, you are actually wrong. Take a look at Andrew's merge plans for 2.6.24: http://lkml.org/lkml/2007/10/1/314 CTRL F search for 'implement-file-posix-capabilities.patch'. It allows you to set CAP_NET_RAW on /bin/ping and strip the suid root bit off of it. Serge E. Hallyn, the author, was very responsive to comments and critiques. After sitting in -mm, this is finally being merged into mainline. You can get the userspace tools from either of these sites: http://www.olafdietsche.de/linux/capability/ # The original author of the userspace tools http://www.sr71.net/~hallyn/fscaps/ # The guy that wrote the kernel patch accepted into mainline's site “As for setuid executables, there is work on creating set-cap executables but it isn’t going to go mainline in Linux for a while.”

@etbe, you are actually wrong. Take a look at Andrew’s merge plans for 2.6.24:
http://lkml.org/lkml/2007/10/1/314

CTRL F search for ‘implement-file-posix-capabilities.patch’. It allows you to set CAP_NET_RAW on /bin/ping and strip the suid root bit off of it. Serge E. Hallyn, the author, was very responsive to comments and critiques. After sitting in -mm, this is finally being merged into mainline.

You can get the userspace tools from either of these sites:
http://www.olafdietsche.de/linux/capability/ # The original author of the userspace tools
http://www.sr71.net/~hallyn/fscaps/ # The guy that wrote the kernel patch accepted into mainline’s site

]]> By: Olaf van der Spek http://etbe.coker.com.au/2007/10/10/how-se-linux-prevents-local-root-exploits/comment-page-1/#comment-7196 Olaf van der Spek Wed, 10 Oct 2007 14:27:10 +0000 http://etbe.coker.com.au/2007/10/10/how-se-linux-prevents-local-root-exploits/#comment-7196 Can't the DHCP server (and other setuid executables) drop capabilities or root after it has used them? Receiving UDP broadcast packets doesn't seem such an issue, I think it's actually sending them that requires CAP_NET_RAW. Can’t the DHCP server (and other setuid executables) drop capabilities or root after it has used them?
Receiving UDP broadcast packets doesn’t seem such an issue, I think it’s actually sending them that requires CAP_NET_RAW.

]]> By: etbe http://etbe.coker.com.au/2007/10/10/how-se-linux-prevents-local-root-exploits/comment-page-1/#comment-7193 etbe Wed, 10 Oct 2007 13:44:12 +0000 http://etbe.coker.com.au/2007/10/10/how-se-linux-prevents-local-root-exploits/#comment-7193 Olaf: A DHCP server needs to receive UDP packets from machines that have no IP address and are not addressed to the server (the client generally doesn't know the address of the server). Therefore it needs CAP_NET_RAW (which means root). As for setuid executables, there is work on creating set-cap executables but it isn't going to go mainline in Linux for a while. Olaf: A DHCP server needs to receive UDP packets from machines that have no IP address and are not addressed to the server (the client generally doesn’t know the address of the server). Therefore it needs CAP_NET_RAW (which means root).

As for setuid executables, there is work on creating set-cap executables but it isn’t going to go mainline in Linux for a while.

]]> By: Olaf van der Spek http://etbe.coker.com.au/2007/10/10/how-se-linux-prevents-local-root-exploits/comment-page-1/#comment-7175 Olaf van der Spek Wed, 10 Oct 2007 10:28:25 +0000 http://etbe.coker.com.au/2007/10/10/how-se-linux-prevents-local-root-exploits/#comment-7175 > On a machine running without SE Linux a compromise of a DHCP server is game-over as the server runs as root. There's probably a good reason for running as root, but I've no idea what it would be. > setuid executables Why isn't the setuid bit replaced by a set of privileges that are actually required instead of granting all those privileges at once via a single bit? > On a machine running without SE Linux a compromise of a DHCP server is game-over as the server runs as root.

There’s probably a good reason for running as root, but I’ve no idea what it would be.

> setuid executables

Why isn’t the setuid bit replaced by a set of privileges that are actually required instead of granting all those privileges at once via a single bit?

]]> By: Jeff Schroeder http://etbe.coker.com.au/2007/10/10/how-se-linux-prevents-local-root-exploits/comment-page-1/#comment-7087 Jeff Schroeder Tue, 09 Oct 2007 23:51:13 +0000 http://etbe.coker.com.au/2007/10/10/how-se-linux-prevents-local-root-exploits/#comment-7087 Dan Walsh did a good blog post about how SELinux constrained 2 samba vulnerabilities. In the comments, it also links to a Mambo exploit blocked by SELinux. http://danwalsh.livejournal.com/10131.html One of those samba exploits actually could result in remote command execution if SELinux was not enabled. Dan Walsh did a good blog post about how SELinux constrained 2 samba vulnerabilities. In the comments, it also links to a Mambo exploit blocked by SELinux.
http://danwalsh.livejournal.com/10131.html

One of those samba exploits actually could result in remote command execution if SELinux was not enabled.

]]>