List: oss-security
Subject: Re: [oss-security] Privileged File Access from Desktop Applications
From: Steffen Nurpmeso <steffen () sdaoden ! eu>
Date: 2019-07-12 18:12:07
Message-ID: 20190712181207.I0_DA%steffen () sdaoden ! eu
Perry E. Metzger wrote in <20190712121202.403b2f5f@jabberwock.cb.piermont.com>:
|On Fri, 12 Jul 2019 11:53:26 -0400 "Perry E. Metzger"
|<perry@piermont.com> wrote:
|>>> What's the right way to handle this stuff? Capabilities,
|>>> probably. It's what they're designed for.
|>>
|>> They're completely not designed for this case. Setting
|>> CAP_DAC_OVERRIDE or CAP_SYS_ADMIN is very close to SUID root. See:
|>> https://grsecurity.net/false_boundaries_and_arbitrary_code_execution.php
|>
|> Those aren't capabilities. Those are this POSIX mechanism that got
|> the same name for no good reason and doesn't do anything like what
|> an actual capability system does.
|
|It occurs to me that people without a background in computer security
|might not know what a capability actually is, or how a capability
|based security system manages access control.
Some people are too lazy to switch to a different graphical
console or terminal, or are settled on using their very own
graphical editor in the very current graphical session, instead of
indirecting through sshfs or simply doing a ssh to root in some
graphical console on the current box, and edit through that.
I personally have a TLS setup and a SSH setup and a PGP (GnuPG
actually) setup, and there is a PAM setup here with passwords not
some (Yubi)key, and i also have some encfs which could make many
of you shiver (since it is not the block level GELI i think or
dmcrypt/LUKS on Linux), that makes five things to care about, and
five things people have to audit and often do not, even though
many are talking, with best intentions.
I do not have dbus running except when firefox is started (which
hangs often for scripts sourced from derstandard.at especially
when opening several tabs there, looking at images, whatever,
twice yesterday and i am not sooo active, so that is on the bus),
which i have a special account for. (Two, in fact.)
The Tso of Linux once told how he performs a git commit to the
Linux kernel, and it was about plugging in some keycard into some
cardreader in order to sign. If you pass a border or in police
control you have to show your passport. If i want to edit
a system configuration file i have to type the root password (no
XKey here still), either for sudo/super/doas/su or login. If
a younger person thinks this sucks i understand in parts, but i am
almost certain he is the one who screams for security when
something bad happens and takes away the toy.
No to webmin, no to admin://, no to sending mails from within
TheGimp, that all can be done in a better way from within emacs.
Hasta la victoria siempre. Some things just don't work out.
|This Wikipedia page:
|https://en.wikipedia.org/wiki/Capability-based_security
|isn't the best, but it does have good pointers to real explanations.
|
|For a look at how you can implement a capability system on top
|of Unix, see Capsicum, which was built for FreeBSD but never actually
|ported to Linux (which is sad and should be corrected):
|https://www.cl.cam.ac.uk/research/security/capsicum/papers/2010usenix-security-capsicum-website.pdf
|
|Note that a primitive form of capabilities can be achieved in the
|current Linux kernel by passing file descriptors between processes, a
|tool relatively few people seem to know exists. Given that the
|"correct" mechanism (something like Capsicum) doesn't exist in Linux
|yet, it's a poor man's second best. Again, porting Capsicum would be
|the smart thing to do instead of all this ad hoc stuff.
It is painful programming. Now there is Casper (not Kasper) which
improves this a bit, i think.
And well it cannot be helped. Model View Controller for anything,
or at least Frontend and Machine like Mr. Pike did the first time
for Sam as far as i know, almost forty years ago, that is what
i am going for myself. Much of it is about hardware too, i am in
video and audio and kvm groups, and this matters down to the
hardware, which is not compartmentalised on rather cheap consumer
level as far as i know.
--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
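The descriptor passing that the quoted reply calls a "poor man's" capability, as an added example (not code from this thread, from Capsicum or from Casper): a privileged side opens one file read-only and hands the descriptor over a Unix socket with SCM_RIGHTS, so the receiver holds authority over exactly that file and nothing else. The demo function, the sample file content and the /tmp path are constructed for illustration.

```c
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* Send one open descriptor over an AF_UNIX socket as SCM_RIGHTS ancillary data; 0 on success. */
int send_fd(int sock, int fd)
{
    char byte = 'F';   /* SCM_RIGHTS must ride along with at least one byte of ordinary data */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS; cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}
/* Receive one descriptor; returns the new local fd, or -1 if no SCM_RIGHTS message arrived. */
int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS || cm->cmsg_len != CMSG_LEN(sizeof(int))) return -1;
    int fd; memcpy(&fd, CMSG_DATA(cm), sizeof fd);
    return fd;
}
/* Demo: the "privileged" side creates a constructed sample file, opens it read-only and hands the
 * descriptor over; the receiver reads exactly that file but never got a path, an open() right or
 * write access. Returns 0 when the read works and the write is refused. */
int demo_fd_passing(void)
{
    char path[] = "/tmp/fdpass-XXXXXX", buf[32] = {0};
    int sv[2], ok = -1, tmp = mkstemp(path);
    if (tmp < 0 || write(tmp, "secret config\n", 14) != 14 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    close(tmp);
    int ro = open(path, O_RDONLY);      /* the access mode travels with the descriptor */
    unlink(path);                       /* no name left: only descriptor holders can reach the file */
    if (ro >= 0 && send_fd(sv[0], ro) == 0) {
        close(ro);                      /* sender drops its copy; the receiver's copy keeps the file open */
        int r = recv_fd(sv[1]);
        if (r >= 0 && read(r, buf, 31) == 14 && strcmp(buf, "secret config\n") == 0
            && write(r, "x", 1) == -1) ok = 0;   /* EBADF: the received descriptor is read-only */
        if (r >= 0) close(r);
    }
    close(sv[0]); close(sv[1]);
    return ok;
}
```

In a real split the two ends would be separate processes (the helper running with privilege, the editor without), connected by a socketpair inherited across fork or by a named AF_UNIX socket; the send and receive routines are unchanged.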