I'm investigating things beyond SUID/SGID which are related to trust transitions and visible in the file system, mainly due to the use of magic paths. I'm aiming for a fairly general concept of "trust transition", and I include altering browser actions when clicking on a hyperlink as far as they are influenced by file type registrations.
Here's what I came up with so far. I only include things that can somehow be hooked by packages, which rules out files such as /etc/inittab and user crontabs.
usermode:
/etc/security/console.apps

D-Bus and polkit:
/etc/dbus-1/system.d
/etc/dbus-1/session.d
/usr/share/dbus-1/system-services
/usr/share/dbus-1/services
/usr/share/polkit-1/actions

Launching daemons or other background processes:
/etc/init.d
/etc/cron.d
/etc/cron.daily
/etc/cron.monthly
/etc/cron.weekly
/usr/lib/systemd/system plus other paths listed in systemd.unit(5).

*.desktop and *.protocol file registries:
/usr/lib*/libreoffice/share/xdg
/usr/share/applications
/usr/share/applications/kde4
/usr/share/gdm/autostart/LoginWindow
/usr/share/gdm/greeter/applications
/usr/share/gdm/greeter/autostart
/usr/share/gnome/autostart
/usr/share/gnome/wm-properties
/usr/share/kde4/services
/usr/share/kde4/services/ServiceMenus
/usr/share/xsessions
(Or in general, *.desktop files with an Exec= line.)

Networking services:
/etc/xinetd.d

Browser plugins:
/usr/share/mozilla/extensions
/usr/lib*/mozilla/extensions
/usr/lib*/mozilla/plugins
I'm not sure if anything related to shared-mime-info should appear in this list. As far as I can tell, the MIME types by themselves are harmless.
On top of that, there are other things code can do to expose itself across trust boundaries (networking, creation of temporary files, etc.), but detecting that requires different approaches.
The overall idea here is to identify parts of Fedora which would benefit most from a closer look, without actually looking at all Fedora packages individually.
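As an added illustration of the audit the mail proposes (this is not code from the thread or from Fedora), the script below walks a subset of the magic paths listed above, keeps only *.desktop files that actually carry an Exec= line, and maps each hook file to its owning RPM where the rpm tool is available; the scan root parameter and the use of `rpm -qf` are assumptions for running it against a chroot or a test tree.

```python
import subprocess
from pathlib import Path

# Magic paths from the mail, grouped by the kind of trust transition they
# enable (subset; lib* entries are expanded as globs under the scan root).
MAGIC_PATHS = {
    "usermode": ["etc/security/console.apps"],
    "dbus/polkit": ["etc/dbus-1/system.d", "etc/dbus-1/session.d",
                    "usr/share/dbus-1/system-services",
                    "usr/share/dbus-1/services", "usr/share/polkit-1/actions"],
    "background": ["etc/init.d", "etc/cron.d", "etc/cron.daily",
                   "etc/cron.weekly", "etc/cron.monthly",
                   "usr/lib/systemd/system"],
    "desktop": ["usr/share/applications", "usr/share/gnome/autostart",
                "usr/share/kde4/services", "usr/share/xsessions",
                "usr/lib*/libreoffice/share/xdg"],
    "network": ["etc/xinetd.d"],
    "browser": ["usr/share/mozilla/extensions", "usr/lib*/mozilla/extensions",
                "usr/lib*/mozilla/plugins"],
}

def desktop_has_exec(path):
    """A .desktop/.protocol file only launches something if it has an Exec= line."""
    try:
        with open(path, errors="replace") as f:
            return any(line.startswith("Exec=") for line in f)
    except OSError:
        return False

def owning_package(path):
    """Map a file to its RPM via 'rpm -qf'; None if rpm is missing or file unowned."""
    try:
        out = subprocess.run(["rpm", "-qf", "--qf", "%{NAME}", path],
                             capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return out.stdout.strip() if out.returncode == 0 else None

def scan(root="/"):
    """Return sorted (category, relative path, package) for each hook file found."""
    root = Path(root)
    hits = []
    for category, patterns in MAGIC_PATHS.items():
        for pattern in patterns:
            for d in root.glob(pattern):
                if not d.is_dir():
                    continue
                for p in d.rglob("*"):
                    if not p.is_file():
                        continue
                    if category == "desktop" and not desktop_has_exec(p):
                        continue  # icons or Exec-less entries cannot transition trust
                    hits.append((category, str(p.relative_to(root)),
                                 owning_package(str(p))))
    hits.sort(key=lambda h: h[:2])
    return hits
```

Running scan("/") on a Fedora box gives a package-attributed inventory of hook files, which is the shortlist of packages worth a closer look.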
On 06/10/2013 10:10 AM, Florian Weimer wrote:
> I'm investigating things beyond SUID/SGID which are related to trust transitions and visible in the file system, mainly due to the use of magic paths. I'm aiming for a fairly general concept of "trust transition", and I include altering browser actions when clicking on a hyperlink as far as they are influenced by file type registrations.
> Here's what I came up with so far. I only include things that can somehow be hooked by packages, which rules out files such as /etc/inittab and user crontabs.

I should have mentioned that I'm interested in feedback: does this make sense (as an extension of SUID/SGID auditing), and is this set of paths reasonably complete?
On Mon, Jun 10, 2013 at 10:10 AM, Florian Weimer fweimer@redhat.com wrote:
> I'm investigating things beyond SUID/SGID which are related to trust transitions and visible in the file system, mainly due to the use of magic paths. I'm aiming for a fairly general concept of "trust transition", and I include altering browser actions when clicking on a hyperlink as far as they are influenced by file type registrations.
> Here's what I came up with so far. I only include things that can somehow be hooked by packages, which rules out files such as /etc/inittab and user crontabs.
>
> usermode:
> /etc/security/console.apps
>
> D-Bus and polkit:
> /etc/dbus-1/system.d
> /etc/dbus-1/session.d
> /usr/share/dbus-1/system-services
> /usr/share/dbus-1/services
> /usr/share/polkit-1/actions
>
> Launching daemons or other background processes:
> /etc/init.d
> /etc/cron.d
> /etc/cron.daily
> /etc/cron.monthly
> /etc/cron.weekly
> /usr/lib/systemd/system plus other paths listed in systemd.unit(5).
>
> *.desktop and *.protocol file registries:
> /usr/lib*/libreoffice/share/xdg
> /usr/share/applications
> /usr/share/applications/kde4
> /usr/share/gdm/autostart/LoginWindow
> /usr/share/gdm/greeter/applications
> /usr/share/gdm/greeter/autostart
> /usr/share/gnome/autostart
> /usr/share/gnome/wm-properties
> /usr/share/kde4/services
> /usr/share/kde4/services/ServiceMenus
> /usr/share/xsessions
> (Or in general, *.desktop files with an Exec= line.)
>
> Networking services:
> /etc/xinetd.d
>
> Browser plugins:
> /usr/share/mozilla/extensions
> /usr/lib*/mozilla/extensions

If you count extensions then /usr/share/gnome-shell/extensions might qualify as well.
On 06/12/2013 06:44 PM, drago01 wrote:
> If you count extensions then /usr/share/gnome-shell/extensions might qualify as well.

Are these extensions commonly used to start daemons or interact with the network? Presumably, there are extensions for downloading weather data or stock exchange information, but this seems fairly restricted and low risk (especially if they use HTTPS, so that the data source would have to be compromised to attack installations).
On Mon, Jun 17, 2013 at 9:37 AM, Florian Weimer fweimer@redhat.com wrote:
> On 06/12/2013 06:44 PM, drago01 wrote:
>> If you count extensions then /usr/share/gnome-shell/extensions might qualify as well.
>
> Are these extensions commonly used to start daemons or interact with the network?

No. They are either used to modify the UI or to get data from some webservice / website and display it in some way.