6:24 a.m.
----- Forwarded Message -----
From: "Jakub Filak" <jfilak(a)redhat.com>
To: security(a)lists.fedoraproject.org
Sent: Thursday, February 11, 2016 9:51:04 AM
Subject: Use suid_dumpable=2 for development releases
Hello,
As a maintainer of ABRT, I have been asked several times why ABRT does not catch
crashes of many processes and one kind of reasons dominate among other reasons
- processes that executes set-user-ID programs (man 5 core). These processes
are not dumped at all if the value of /proc/sys/fs/suid_dumpable is 0 (man 5
proc) which is the default value. With the default suid_dumpable
value, crashes caused by SIGABRT are not detectable because kernel doesn't even
write a log message about that.
The default value 0 is there for good security reason, but I would like to
propose changing the default value to 2 for development Fedora releases (Alpha,
Beta, Rawhide). In this case, kernel would send core dump to ABRT (or
systemd-coredump) and the ABRT record would be accessible only to root.
I believe that maintainers of packages like chrony will be really delighted
with this change, while will not weaken security of Fedora for regular users.
Regards,
Jakub
--
security mailing list
security(a)lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/security@lists.fedoraproject.org
6:40 a.m.
On 12/02/16 12:24, Jakub Filak wrote:
As a maintainer of ABRT, I have been asked several times why ABRT
does not catch
crashes of many processes and one kind of reasons dominate among other reasons
- processes that executes set-user-ID programs (man 5 core). These processes
are not dumped at all if the value of /proc/sys/fs/suid_dumpable is 0 (man 5
proc) which is the default value. With the default suid_dumpable
value, crashes caused by SIGABRT are not detectable because kernel doesn't even
write a log message about that.
The default value 0 is there for good security reason, but I would like to
propose changing the default value to 2 for development Fedora releases (Alpha,
Beta, Rawhide). In this case, kernel would send core dump to ABRT (or
systemd-coredump) and the ABRT record would be accessible only to root.
I believe that maintainers of packages like chrony will be really delighted
with this change, while will not weaken security of Fedora for regular users.
What part of chrony is setuid? I don't see an suid bit on any of it's
executables... Nor any file capabilities which is the other thing the
manual page says triggers this.
Tom
--
Tom Hughes (tom(a)compton.nu)
http://compton.nu/
7:03 a.m.
On Fri, Feb 12, 2016 at 12:40:37PM +0000, Tom Hughes wrote:
On 12/02/16 12:24, Jakub Filak wrote:
>I believe that maintainers of packages like chrony will be really delighted
>with this change, while will not weaken security of Fedora for regular users.
What part of chrony is setuid? I don't see an suid bit on any of it's
executables... Nor any file capabilities which is the other thing the manual
page says triggers this.
The chrony files don't have any set*id bits set, but the chronyd
process, like many other daemons, calls setuid()/setgid() in order to
drop root privileges. The proc(5) man page lists that as a reason
for not producing a coredump.
I was wondering what security implications would setting suid_dumpable
to 2 by default had and why it needs to be restricted to development.
--
Miroslav Lichvar
12:32 p.m.
On Fri, Feb 12, 2016 at 07:24:06AM -0500, Jakub Filak wrote:
The default value 0 is there for good security reason, but I would
like to propose changing the default value to 2 for development
Fedora releases (Alpha, Beta, Rawhide). In this case, kernel would
send core dump to ABRT (or systemd-coredump) and the ABRT record
would be accessible only to root.
It seems like this would be unsafe if core_pattern is not a pipe or
fully qualified path.
Ref: https://lwn.net/Articles/503682/
That's fine when ABRT is running, but would be unsafe if someone
disabled ABRT by directly setting core_pattern (eg. to "core.%p"), but
forgot about suid_dumpable.
The kernel does emit KERN_WARNING about this situation (upstream
commit 54b501992dd2), but it's not clear if a sysadmin would notice.
(I'm actually quite happy for the default to be changed as you
suggest, but can see it's a bit of a minefield.)
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
12:57 p.m.
On Fri, Feb 12, 2016 at 10:32 AM, Richard W.M. Jones <rjones(a)redhat.com> wrote:
On Fri, Feb 12, 2016 at 07:24:06AM -0500, Jakub Filak wrote:
> The default value 0 is there for good security reason, but I would
> like to propose changing the default value to 2 for development
> Fedora releases (Alpha, Beta, Rawhide). In this case, kernel would
> send core dump to ABRT (or systemd-coredump) and the ABRT record
> would be accessible only to root.
It seems like this would be unsafe if core_pattern is not a pipe or
fully qualified path.
Ref: https://lwn.net/Articles/503682/
That's fine when ABRT is running, but would be unsafe if someone
disabled ABRT by directly setting core_pattern (eg. to "core.%p"), but
forgot about suid_dumpable.
The kernel does emit KERN_WARNING about this situation (upstream
commit 54b501992dd2), but it's not clear if a sysadmin would notice.
(I'm actually quite happy for the default to be changed as you
suggest, but can see it's a bit of a minefield.)
We could change the kernel to add suid_dumpable == 3 which is like
suid_dumpable==2 but only if the core_pattern is a pipe.
--Andy
midnight
On 02/12/2016 07:57 PM, Andrew Lutomirski wrote:
On Fri, Feb 12, 2016 at 10:32 AM, Richard W.M. Jones
<rjones(a)redhat.com> wrote:
> On Fri, Feb 12, 2016 at 07:24:06AM -0500, Jakub Filak wrote:
>> The default value 0 is there for good security reason, but I would
>> like to propose changing the default value to 2 for development
>> Fedora releases (Alpha, Beta, Rawhide). In this case, kernel would
>> send core dump to ABRT (or systemd-coredump) and the ABRT record
>> would be accessible only to root.
> It seems like this would be unsafe if core_pattern is not a pipe or
> fully qualified path.
>
> Ref: https://lwn.net/Articles/503682/
>
> That's fine when ABRT is running, but would be unsafe if someone
> disabled ABRT by directly setting core_pattern (eg. to "core.%p"), but
> forgot about suid_dumpable.
>
> The kernel does emit KERN_WARNING about this situation (upstream
> commit 54b501992dd2), but it's not clear if a sysadmin would notice.
>
> (I'm actually quite happy for the default to be changed as you
> suggest, but can see it's a bit of a minefield.)
We could change the kernel to add suid_dumpable == 3 which is like
suid_dumpable==2 but only if the core_pattern is a pipe.
I didn't know that 3 is supported for suid_dumpable.
The value of 3 is not documented [1] and I can't find it in the source
code [2].
Regards,
Jakub
1: http://man7.org/linux/man-pages/man5/proc.5.html
2:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/incl...
6:31 a.m.
New subject: Use suid_dumpable=2 for development releases
On Mon, 15 Feb 2016 07:00:36 +0100, Jakub Filak wrote:
On 02/12/2016 07:57 PM, Andrew Lutomirski wrote:
> We could change the kernel to add suid_dumpable == 3 which is like
> suid_dumpable==2 but only if the core_pattern is a pipe.
>
I didn't know that 3 is supported for suid_dumpable.
The value of 3 is not documented [1] and I can't find it in the
source code [2].
It isn't. What he's saying is that option could be added.
2:01 a.m.
On 02/12/2016 07:57 PM, Andrew Lutomirski wrote:
On Fri, Feb 12, 2016 at 10:32 AM, Richard W.M. Jones
<rjones(a)redhat.com> wrote:
> On Fri, Feb 12, 2016 at 07:24:06AM -0500, Jakub Filak wrote:
>> The default value 0 is there for good security reason, but I would
>> like to propose changing the default value to 2 for development
>> Fedora releases (Alpha, Beta, Rawhide). In this case, kernel would
>> send core dump to ABRT (or systemd-coredump) and the ABRT record
>> would be accessible only to root.
> It seems like this would be unsafe if core_pattern is not a pipe or
> fully qualified path.
>
> Ref: https://lwn.net/Articles/503682/
>
> That's fine when ABRT is running, but would be unsafe if someone
> disabled ABRT by directly setting core_pattern (eg. to "core.%p"), but
> forgot about suid_dumpable.
>
> The kernel does emit KERN_WARNING about this situation (upstream
> commit 54b501992dd2), but it's not clear if a sysadmin would notice.
>
> (I'm actually quite happy for the default to be changed as you
> suggest, but can see it's a bit of a minefield.)
We could change the kernel to add suid_dumpable == 3 which is like
suid_dumpable==2 but only if the core_pattern is a pipe.
Starting with systemd-229 the default core_pattern has been changed to
"|/bin/false" [1], hence, if an user uninstall ABRT or disable
abrt-ccpp.service, the core_pattern will be either "|/bin/false" or
"|/usr/lib/systemd/systemd-coredump ...". Thus the only case where
core_patter can contain a string not starting with pipe is when admin
changes it manually ("sysctl kernel.core_pattern ...", "echo ... >
/proc/sys/kernel/core_pattern", etc).
Taking into account this new fact, do we still need to change the kernel?
Regards,
Jakub
1:
https://github.com/systemd/systemd/commit/15a900327aba7dc4dc886affe1ae22d...
11:51 p.m.
The issue described in the article was fixed by requiring an absolute
path in core_pattern (If I understand it correctly).
If core_pattern is unsafe, the process is not dumped at all (man 5 proc).
The kernel commit adds a warning, because kernel was silently ignoring
crashes and no one could notice.
Regards,
Jakub
On 02/12/2016 07:32 PM, Richard W.M. Jones wrote:
On Fri, Feb 12, 2016 at 07:24:06AM -0500, Jakub Filak wrote:
> The default value 0 is there for good security reason, but I would
> like to propose changing the default value to 2 for development
> Fedora releases (Alpha, Beta, Rawhide). In this case, kernel would
> send core dump to ABRT (or systemd-coredump) and the ABRT record
> would be accessible only to root.
It seems like this would be unsafe if core_pattern is not a pipe or
fully qualified path.
Ref: https://lwn.net/Articles/503682/
That's fine when ABRT is running, but would be unsafe if someone
disabled ABRT by directly setting core_pattern (eg. to "core.%p"), but
forgot about suid_dumpable.
The kernel does emit KERN_WARNING about this situation (upstream
commit 54b501992dd2), but it's not clear if a sysadmin would notice.
(I'm actually quite happy for the default to be changed as you
suggest, but can see it's a bit of a minefield.)
Rich.
4:22 a.m.
The issue described in the article was fixed by requiring an
absolute
path in core_pattern (If I understand it correctly).
If core_pattern is unsafe, the process is not dumped at all (man 5 proc).
The kernel commit adds a warning, because kernel was silently ignoring
crashes and no one could notice.
If this is true, shouldn't we be safe to set the default to 2?
Note also, that having suid_dumpable = 0 is sometimes blocking other security features in
Fedora, for example sssd running as non-root by default -
https://bugzilla.redhat.com/show_bug.cgi?id=1212503
Regards,
/M
>
>
> Regards,
> Jakub
>
> On 02/12/2016 07:32 PM, Richard W.M. Jones wrote:
8:22 a.m.
I'm not a security expert but I would rather start with something
less ambitious and more secure. Just for sure.
Regards,
Jakub
On 02/15/2016 11:22 AM, Miroslav Vadkerti wrote:
> The issue described in the article was fixed by requiring an
absolute
> path in core_pattern (If I understand it correctly).
>
> If core_pattern is unsafe, the process is not dumped at all (man 5 proc).
>
> The kernel commit adds a warning, because kernel was silently ignoring
> crashes and no one could notice.
If this is true, shouldn't we be safe to set the default to 2?
Note also, that having suid_dumpable = 0 is sometimes blocking other security features in
Fedora, for example sssd running as non-root by default -
https://bugzilla.redhat.com/show_bug.cgi?id=1212503
Regards,
/M
>
> Regards,
> Jakub
>
> On 02/12/2016 07:32 PM, Richard W.M. Jones wrote:
--
devel mailing list
devel(a)lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
11:35 p.m.
It looks like that there are no opponents of this change but several
supporters
and few of them even want to have suid_dumpable=2 in all releases.
I was thinking about it and Richard W.M. Jones' email about safeness of
suid_dumpable=2 without ABRT gave me an idea to teach ABRT to set
suid_dumpable=2 in abrt-ccpp.service. The service sets kernel.core_pattern
(/proc/sys/kernel/core_pattern) to ABRT pattern, so it could also update
suid_dumpable. If an administrator uninstalls/turns off ABRT, suid_dumpable
would get back the OS default value. If he/she modifies core_pattern by
hand,
then he/she is skilled enough to spot kernel warning in the logs.
What do you think about it?
I would especially like to hear thoughts on this from security experts.
Do I need to get any permission to do so?
Regards,
Jakub
On 02/12/2016 01:24 PM, Jakub Filak wrote:
----- Forwarded Message -----
From: "Jakub Filak" <jfilak(a)redhat.com>
To: security(a)lists.fedoraproject.org
Sent: Thursday, February 11, 2016 9:51:04 AM
Subject: Use suid_dumpable=2 for development releases
Hello,
As a maintainer of ABRT, I have been asked several times why ABRT does not catch
crashes of many processes and one kind of reasons dominate among other reasons
- processes that executes set-user-ID programs (man 5 core). These processes
are not dumped at all if the value of /proc/sys/fs/suid_dumpable is 0 (man 5
proc) which is the default value. With the default suid_dumpable
value, crashes caused by SIGABRT are not detectable because kernel doesn't even
write a log message about that.
The default value 0 is there for good security reason, but I would like to
propose changing the default value to 2 for development Fedora releases (Alpha,
Beta, Rawhide). In this case, kernel would send core dump to ABRT (or
systemd-coredump) and the ABRT record would be accessible only to root.
I believe that maintainers of packages like chrony will be really delighted
with this change, while will not weaken security of Fedora for regular users.
Regards,
Jakub
--
security mailing list
security(a)lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/security@lists.fedoraproject.org
--
devel mailing list
devel(a)lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
8:23 a.m.
On Feb 15, 2016 10:36 PM, "Jakub Filak" <jfilak(a)redhat.com> wrote:
It looks like that there are no opponents of this change but several
supporters
and few of them even want to have suid_dumpable=2 in all releases.
I was thinking about it and Richard W.M. Jones' email about safeness of
suid_dumpable=2 without ABRT gave me an idea to teach ABRT to set
suid_dumpable=2 in abrt-ccpp.service. The service sets kernel.core_pattern
(/proc/sys/kernel/core_pattern) to ABRT pattern, so it could also update
suid_dumpable. If an administrator uninstalls/turns off ABRT,
suid_dumpable
would get back the OS default value. If he/she modifies core_pattern
by
hand,
then he/she is skilled enough to spot kernel warning in the logs.
What do you think about it?
I would especially like to hear thoughts on this from security experts.
Do I need to get any permission to do so?
This idea makes me very nervous. I would *much* rather that the kernel be
changed.
Also, is ABRT itself safe? That is, if an unprivileged user starts, say,
passwd and forces a coredump, can that user convince ABRT to show them the
core file?
--Andy
Regards,
Jakub
On 02/12/2016 01:24 PM, Jakub Filak wrote:
>
> ----- Forwarded Message -----
> From: "Jakub Filak" <jfilak(a)redhat.com>
> To: security(a)lists.fedoraproject.org
> Sent: Thursday, February 11, 2016 9:51:04 AM
> Subject: Use suid_dumpable=2 for development releases
>
> Hello,
>
> As a maintainer of ABRT, I have been asked several times why ABRT does
not
catch
> crashes of many processes and one kind of reasons dominate among
other
reasons
> - processes that executes set-user-ID programs (man 5 core).
These
processes
> are not dumped at all if the value of /proc/sys/fs/suid_dumpable
is 0
(man 5
> proc) which is the default value. With the default
suid_dumpable
> value, crashes caused by SIGABRT are not detectable because kernel
doesn't
even
> write a log message about that.
>
> The default value 0 is there for good security reason, but I would like
to
> propose changing the default value to 2 for development Fedora
releases
(Alpha,
> Beta, Rawhide). In this case, kernel would send core dump to ABRT
(or
> systemd-coredump) and the ABRT record would be accessible only to root.
>
> I believe that maintainers of packages like chrony will be really
delighted
> with this change, while will not weaken security of Fedora for
regular
users.
>
>
> Regards,
> Jakub
> --
> security mailing list
> security(a)lists.fedoraproject.org
>
http://lists.fedoraproject.org/admin/lists/security@lists.fedoraproject.org
> --
> devel mailing list
> devel(a)lists.fedoraproject.org
> http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
--
devel mailing list
devel(a)lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
11:30 p.m.
On 02/16/2016 03:23 PM, Andrew Lutomirski wrote:
On Feb 15, 2016 10:36 PM, "Jakub Filak" <jfilak(a)redhat.com
<mailto:jfilak@redhat.com>> wrote:
>
> It looks like that there are no opponents of this change but several
supporters
> and few of them even want to have suid_dumpable=2 in all releases.
>
> I was thinking about it and Richard W.M. Jones' email about safeness of
> suid_dumpable=2 without ABRT gave me an idea to teach ABRT to set
> suid_dumpable=2 in abrt-ccpp.service. The service sets
kernel.core_pattern
> (/proc/sys/kernel/core_pattern) to ABRT pattern, so it could also update
> suid_dumpable. If an administrator uninstalls/turns off ABRT,
suid_dumpable
> would get back the OS default value. If he/she modifies core_pattern
by hand,
> then he/she is skilled enough to spot kernel warning in the logs.
>
> What do you think about it?
> I would especially like to hear thoughts on this from security experts.
>
> Do I need to get any permission to do so?
This idea makes me very nervous.
I understand your concerns and I am happy someone else expressed it this
way.
I was asked several times to make suid_dumpable=2 by default last year
and I always replied like you.
I would *much* rather that the kernel be changed.
Just for the clarification: you want to change suid_dumpable in kernel
package or introduce the value of 3 or both?
Also, is ABRT itself safe?
We believe it is.
But frankly we had several CVEs last year. However those CVEs helped us
to make ABRT much safer.
Florian Weimer went through the code base and found several issues that
we have fixed.
The CVEs are the reason why I didn't start this discussion sooner.
That is, if an unprivileged user starts, say, passwd and forces a
coredump, can that user convince ABRT to show them the core file?
That user cannot convince ABRT to show them the core file.
Only privileged users will have access to the core file.
Jakub
--Andy
>
>
> Regards,
> Jakub
>
>
> On 02/12/2016 01:24 PM, Jakub Filak wrote:
>>
>> ----- Forwarded Message -----
>> From: "Jakub Filak" <jfilak(a)redhat.com
<mailto:jfilak@redhat.com>>
>> To: security(a)lists.fedoraproject.org
<mailto:security@lists.fedoraproject.org>
>> Sent: Thursday, February 11, 2016 9:51:04 AM
>> Subject: Use suid_dumpable=2 for development releases
>>
>> Hello,
>>
>> As a maintainer of ABRT, I have been asked several times why ABRT
does not catch
>> crashes of many processes and one kind of reasons dominate among
other reasons
>> - processes that executes set-user-ID programs (man 5 core). These
processes
>> are not dumped at all if the value of /proc/sys/fs/suid_dumpable is
0 (man 5
>> proc) which is the default value. With the default suid_dumpable
>> value, crashes caused by SIGABRT are not detectable because kernel
doesn't even
>> write a log message about that.
>>
>> The default value 0 is there for good security reason, but I would
like to
>> propose changing the default value to 2 for development Fedora
releases (Alpha,
>> Beta, Rawhide). In this case, kernel would send core dump to ABRT (or
>> systemd-coredump) and the ABRT record would be accessible only to root.
>>
>> I believe that maintainers of packages like chrony will be really
delighted
>> with this change, while will not weaken security of Fedora for
regular users.
>>
>>
>> Regards,
>> Jakub
>> --
>> security mailing list
>> security(a)lists.fedoraproject.org
<mailto:security@lists.fedoraproject.org>
>>
http://lists.fedoraproject.org/admin/lists/security@lists.fedoraproject.org
>> --
>> devel mailing list
>> devel(a)lists.fedoraproject.org <mailto:devel@lists.fedoraproject.org>
>>
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
>
> --
> devel mailing list
> devel(a)lists.fedoraproject.org <mailto:devel@lists.fedoraproject.org>
> http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
--
devel mailing list
devel(a)lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
2979
days inactive
2997
days old
13 comments
7 participants
participants (7)
-
Andrew Clayton -
Andrew Lutomirski -
Jakub Filak -
Miroslav Lichvar -
Miroslav Vadkerti -
Richard W.M. Jones -
Tom Hughes