Tightening security: not for the impatient

It has often been said that memory management patches can take a long time to be accepted into the mainline kernel. Because memory management performance regressions can take years to be discovered, developers in this area have become highly conservative; making memory management changes is not a recommended endeavor for those lacking patience. But there may be an area where progress can be even more glacial, for different reasons. Security-oriented changes are subject to arbitrary delays because tighter security can break programs and irritate users.

Consider the classic symbolic link vulnerability, wherein an attacker fools a privileged program into writing to a file behind an attacker-controlled symbolic link. Such vulnerabilities can be exploited to overwrite files that the attacker would not otherwise have access to. One does not have to dig far into the LWN vulnerability list to see that the identification and patching of symbolic link vulnerabilities is an ongoing process. One might think that, if somebody could come up with a way to eliminate such vulnerabilities altogether, it would be adopted in a hurry.

As it happens, Kees Cook has a way to deal with this class of vulnerabilities. It is based on the observations that symbolic link vulnerabilities almost always involve links placed in /tmp, and that /tmp has the "sticky" bit set in any contemporary distribution. Given that:

In short, this change would make it so that nobody could create symbolic links in /tmp and expect a privileged program to follow them. Lest one think that Kees is taking credit for this concept, he posted a bit of history for this idea, starting with a 1996 Bugtraq message from Zygo Blaxell and a kernel patch by Andrew Tridgell from the same year. This idea, in other words, has been floating around for at least 16 years, but an implementation has never found its way into the mainline kernel. Memory management changes are amazingly fast in comparison.

The reason for the resistance, of course, is that this is a change in filesystem semantics. There are concerns that it would break POSIX compliance, though Kees claims that POSIX is silent on this particular behavior. Also of concern is the possibility of breaking existing applications. Kees responds that any broken applications would be easily noticed (while those suffering from symbolic link vulnerabilities are not), and that no applications relying on existing behavior have ever been found. There have also been disagreements over how the patch should be implemented, but those have seemingly mostly been resolved.

So Kees thinks that his current patch set (a variant of one we have seen before) should be considered for merging, finally. The patches implement the symbolic link restrictions, but also add a new rule for hard links: a hard link to a file can only be created if the user owns the file or has write access to it. Once again, this change eliminates a class of attacks, but at a small cost: older versions of the "at" daemon break unless a small patch is applied. No other problems have been found, Kees says, after 1.5 years of experience with this patch in the Ubuntu kernel.

Whether that is enough evidence to get the changes merged this time around remains to be seen. It has only been 16 years, after all, and one would not want to be too hasty about such a thing.

Meanwhile, Kees has put together a separate security-oriented patch that has run into some concerns of its own. On Linux systems, there is a sysctl knob (suid_dumpable) that controls whether a crashing setuid process generates a core dump or not. Setting it to a non-zero value allows core dumps to happen; setting it to two applies certain restrictions that are intended to make it safe. But, Kees says, that's not the case; it allows a user to create a file called core in almost any directory, containing arbitrary text (environment strings, for example). This capability is not necessarily as harmless as one might think; as the 2006 cron vulnerability shows, some programs will happily pick out the strings they understand in a file full of junk, happily ignoring the rest. Thus, he claims, allowing users to create files in arbitrary locations is asking for trouble.

His response has been through a number of iterations:

• Version 1 disallowed storing core dumps from privileged executables into a file. If the core_pattern knob is set to a pipe, instead, core dumps happen as before. This was seen as an incompatible ABI change, though, and one that would cause surprising results.

• Version 2 added a new setting (3) that would only allow setuid core dumps to a pipe. The previous "safe" setting (2) was deprecated; attempting to set it would fail with an EINVAL error. This version ran into trouble as a result of how it interacted with the sysctl mechanism.

• Version 3 fixed the sysctl difficulties but was opposed by Andrew Morton, who feared that the deprecation of the previous mode would break current systems in surprising ways. He suggested keeping suid_dumpable=2 as a working mode with a warning.

• Version 4 went back to something closer to version 1, but with some loud warnings emitted. But then Eric Biederman asked whether disallowing relative paths would be a sufficient fix.

• Thus, version 5 (the current version, as of this writing), just disallows the writing of setuid core dumps to relative paths. Should core_pattern be set to a relative path ("core", for example), a warning will be logged instead.

Thus far, there has not been much in the way of complaints about the fifth iteration of the patch. So, possibly, it will not be necessary to wait for years until this particular bit of security tightening gets into the mainline kernel. Of course, unlike the system's link behavior, the core dump behavior can be changed now by concerned system administrators—no need to wait at all.

Index entries for this article
Kernel	Security
Kernel	Symbolic links
Security	Linux kernel

---

to post comments

Tightening security: not for the impatient

Posted Jun 28, 2012 14:30 UTC (Thu) by ortalo (guest, #4654) [Link]

Time and patience is one aspect of the issue of course. However, it seems to me that this aspect is also a consequence of design priorities.

Should you pointing these very long delays of elementary improvements lead us to think that reconsidering the priority of security with respect to other issues in the overall development would be desirable?

If that's the case, you have my full support - even though it also seems to me that nowadays the security of user-level programs is becoming the urgent issue.

Tightening security: Time to prioritize it!!

Posted Jun 28, 2012 15:31 UTC (Thu) by david.a.wheeler (subscriber, #72896) [Link] (13 responses)

Congrats to Kees Cook, who patiently managed to get this in.

But the slow pace of getting security-tightening mechanisms into the kernel is embarrassing.

It's absurd to wait until "all applications as libraries are perfect" as a security strategy. We need a "plan B". A kernel cannot prevent all errors from becoming security vulnerabilities, but where the kernel can reasonably prevent them or reduce their effects, it should do so.

We should be making security-tightening measures a high priority, not something that's done as a last resort. We should be searching for those mechanisms, not trying to prevent their inclusion.

Tightening security: Time to prioritize it!!

Posted Jun 29, 2012 14:50 UTC (Fri) by spender (guest, #23067) [Link] (12 responses)

> We should be searching for those mechanisms

For those without horse blinders:
http://www.grsecurity.net/

Kick your shoes off, prop your feet up, and have a margarita or two. Reward yourself for a job well done!

-Brad

Tightening security: Time to prioritize it!!

Posted Jun 29, 2012 19:14 UTC (Fri) by utoddl (guest, #1232) [Link] (8 responses)

Okay, I have no familiarity with grsecurity, but that their entire site seems to be php based made me wince a little.

Tightening security: Time to prioritize it!!

Posted Jun 30, 2012 1:31 UTC (Sat) by spender (guest, #23067) [Link] (7 responses)

I suppose you prefer the OpenBSD camp and their "security through complete lack of features"? What kind of security system would it be if it couldn't withstand running the same software nearly everyone else does?

Regardless, it seems to be working out a lot better for us than whatever kernel.org has been running ;)

It's clear you have no familiarity with grsecurity: having your head in the sand for a decade speaks volumes about your security knowledge.

Not really sure why people like yourself feel the need to reply publicly just to expose your own ignorance to the world.

-Brad

Tightening security: Time to prioritize it!!

Posted Jul 1, 2012 11:52 UTC (Sun) by roblucid (guest, #48964) [Link] (6 responses)

grsecurity has been offered by some distro's and not others, so the original point made in comment was reasonable; it does not have universal acceptance. There are often competing approaches and implementations of ideas, some developers work better with the LKML community than others so tend to have code accepted where others have failed.

The last sentence was not necessary, a personal comment detracting from the technical point point.

Tightening security: Time to prioritize it!!

Posted Jul 1, 2012 12:40 UTC (Sun) by spender (guest, #23067) [Link] (1 responses)

You should look again at the comment I was actually replying to (it seems you paired it up with a different one). If you think *that* idiotic one-liner was "reasonable", more power to you.

-Brad

Tightening security: Time to prioritize it!!

Posted Jul 1, 2012 14:35 UTC (Sun) by man_ls (guest, #15091) [Link]

Granted, the one-liner was a bit misleading; the same comment could have been made for many other things and be equally meaningless. Just for fun:

I have no familiarity with github, but that their entire site seems to be Rails-based made me wince a little.
I have no familiarity with Red Hat, but that their entire distro seems to be Linux-based made me wince a little.
I have no familiarity with eBay, but that their entire site seems to be IIS-based made me wince a little.

(The last one made me wince too, but hey.)

Anyway I think you (Brad Spender) can do better than insult someone in public. This kind of derision tells more about you than about the original poster.

Tightening security: Time to prioritize it!!

Posted Jul 11, 2012 21:21 UTC (Wed) by BenHutchings (subscriber, #37955) [Link] (3 responses)

spender doesn't want distributions to package grsecurity, as its security improvements might be compromised by other patches they apply. I am quite happy to oblige him in this regard.

Tightening security: Time to prioritize it!!

Posted Jul 12, 2012 12:26 UTC (Thu) by spender (guest, #23067) [Link] (2 responses)

Ben seems to be referring to my only public comment on the Debian list regarding packaging grsecurity. For the others reading, here's my comment in its entirety:
http://lists.debian.org/debian-kernel/2012/01/msg01165.html

Anyone is free to do what they want, of course. I just don't recommend the use of such kernels, as over the years I've noticed several things:

1) Our development is very active, yet any 3rd-party packaging has always lagged (often quite badly). In fact just yesterday I had someone on the forums waste my time trying to get help compiling his "grsecurity" kernel that turned out to be a 2 year old Debian source of it.
2) Security isn't obtained by lifting individual features, and you can't just toss some code into a codebase and claim it works as intended just because it applies cleanly. I'll be giving a talk in October at H2HC where in part I'll talk about some security features that were ripped from grsecurity and submitted upstream, then neglected to the point where they no longer do what they claim.
3) When it comes to security features, I argue the same as in Plato's "Ion", that a security researcher with kernel development experience would know best how it should be merged to preserve its integrity. Not a kernel developer lacking security knowledge, and definitely not someone just testing to see if two codebases compile when merged.

I don't think any of the above is unreasonable. BTW, instead of making snide remarks, might your time be better served backporting some more missing security fixes to 3.2? ;)

-Brad

Tightening security: Time to prioritize it!!

Posted Jul 13, 2012 1:36 UTC (Fri) by BenHutchings (subscriber, #37955) [Link] (1 responses)

In fact just yesterday I had someone on the forums waste my time trying to get help compiling his "grsecurity" kernel that turned out to be a 2 year old Debian source of it.

Not an official Debian package, of course.

BTW, instead of making snide remarks, might your time be better served backporting some more missing security fixes to 3.2? ;)

My remark was intended more as a joke that it's very easy to satisfy people who want me (or rather us) not to work on something. Less funny when it has to be explained, I suppose. As for backporting security fixes, I try, but surely you consider me incompetent to do so?

Tightening security: Time to prioritize it!!

Posted Jul 13, 2012 2:45 UTC (Fri) by spender (guest, #23067) [Link]

In that case, sorry -- I shouldn't have assumed. FWIW you do a good job backporting with much attention to detail. My comments were more about merging of security features as opposed to fixes for a particular bug. Features generally require ongoing maintenance and re-evaluation.

-Brad

Tightening security: Time to prioritize it!!

Posted Aug 21, 2012 7:46 UTC (Tue) by reddit (guest, #86331) [Link] (2 responses)

These guys should work on pushing their changes into the mainline kernel.

Which means doing them properly in such a way that they don't impact performance, functionality or compatibility.

Tightening security: Time to prioritize it!!

Posted Aug 21, 2012 10:55 UTC (Tue) by dark (guest, #8483) [Link] (1 responses)

Well, that definition of 'properly' puts security in fourth place. It makes it an afterthought. Something that's nice to have as long as it doesn't impact the important stuff. I don't think it's likely that people who put security in first place are going to do their work that way.

Tightening security: Time to prioritize it!!

Posted Aug 21, 2012 19:34 UTC (Tue) by dlang (guest, #313) [Link]

for people who put security first, ahead of everything else, there is really only one solution

http://www.ranum.com/security/computer_security/papers/a1...

Tightening security: not for the impatient

Posted Jul 3, 2012 22:01 UTC (Tue) by ScottMinster (subscriber, #67541) [Link] (9 responses)

a hard link to a file can only be created if the user owns the file or has write access to it

This doesn't sound too good. Where I work, we have applications that regularly create hard links to files just for reading. The reason we do this is in case the file is replaced by a new version while it is being read. This shouldn't be a problem on most file systems, but NFS has given us trouble in the past, and we're often using NFS filesystems.

The code follows the pattern of link(), open(), and unlink(). The NFS server will keep the unlink'ed file, and more importantly the NFS key (or whatever its called) around so the original file's contents can be read, even if the file is replaced with a new version (through writing to a temporary file and renaming).

While the code is robust enough to fallback on opening the original file instead of a temporary link if it cannot make the link (often happens if the directory itself is not writable), it would be annoying to lose this feature. We've had weird race conditions in the past on NFS without this logic.

Perhaps link() should be allowed to work if the user has read or write access to the file? Making a hard link to a file that cannot be read by the current user does seem to have little purpose.

Tightening security: not for the impatient

Posted Jul 11, 2012 21:30 UTC (Wed) by BenHutchings (subscriber, #37955) [Link] (8 responses)

Perhaps link() should be allowed to work if the user has read or write access to the file? Making a hard link to a file that cannot be read by the current user does seem to have little purpose.

If a setuid executable turns out to be exploitable, the sysadmin will (hopefully) upgrade it to a fixed version quickly. But in some filesystem configurations a malicious user could use hard links to make 'backups' of setuid executables in the expectation that one of them would later turn out to be exploitable. The hard link restrictions prevent this.

Tightening security: not for the impatient

Posted Jul 11, 2012 22:44 UTC (Wed) by nybble41 (subscriber, #55106) [Link] (7 responses)

> ... in some filesystem configurations a malicious user could use hard links to make 'backups' of setuid executables in the expectation that one of them would later turn out to be exploitable.

Some other reasonable workarounds for this issue would be to clear the setuid bit before replacing a setuid executable, to restrict setuid executables to a dedicated filesystem with no non-superuser write access, or to prevent creating links to files with setuid enabled.

Or we could drop setuid entirely and go with something more like PolicyKit, which isn't affected by hard links, thus making the root -> user transition a one-way street.

Tightening security: not for the impatient

Posted Jul 12, 2012 11:06 UTC (Thu) by philomath (guest, #84172) [Link] (6 responses)

Disabling links to suid files seems very reasonable, and will most probably break nothing sane.

Tightening security: not for the impatient

Posted Jul 17, 2012 9:29 UTC (Tue) by nlucas (subscriber, #33793) [Link] (5 responses)

It might break current busybox installations. Multiple suid binaries are linked to the same binary.

But I agree with you that it's a reasonable breakage.

Tightening security: not for the impatient

Posted Jul 17, 2012 15:18 UTC (Tue) by nybble41 (subscriber, #55106) [Link] (4 responses)

That should still work, so long as you create the links _before_ marking the binary as SUID. You could look at the reference count to ensure that there are no "rogue" links at that point. Once it's marked SUID, no new hard links could be created without first clearing the SUID bit.

Tightening security: not for the impatient

Posted Jul 20, 2012 23:41 UTC (Fri) by mathstuf (subscriber, #69389) [Link] (3 responses)

I seem to have run across the problem that hardlinked files all shared the same permissions. Are the tests we ran for that missing something or is it just suid that is special?

Tightening security: not for the impatient

Posted Jul 21, 2012 11:30 UTC (Sat) by anselm (subscriber, #2796) [Link] (2 responses)

Hard-linked files do share the same permissions – permissions are stored on the file's inode and hard links are just extra directory entries that point to the same inode.

Linux will not let you create a hard link to an executable file that is marked suid but doesn't belong to you. Making hard links to a file that you own yourself is fine regardless of whether that file is suid or not, and does not impinge on the suid status of the file.

Tightening security: not for the impatient

Posted Jul 21, 2012 16:55 UTC (Sat) by mathstuf (subscriber, #69389) [Link] (1 responses)

Okay, so why make the binary SUID after hardlinking? Since that makes *every* one of those binaries SUID now. If it's something like toybox, I don't want sed to be SUID even if mount is hardlinked to it. Seems like there's a case for having a separate SUID instance that those programs link to.

Tightening security: not for the impatient

Posted Jul 23, 2012 13:15 UTC (Mon) by nlucas (subscriber, #33793) [Link]

The busybox project is well is aware of that and recomends a different busybox binary for suid and regular binaries.

It's easy enough to build a busybox binary implementing only the suid utils (as is to not include the suid utils on the regular binary).

Tightening security: not for the impatient

Posted Jul 5, 2012 2:18 UTC (Thu) by kevinm (guest, #69913) [Link] (3 responses)

It's correct that the symlink behaviour change doesn't violate POSIX, because it's limited to directories with the sticky bit set and the sticky bit isn't specified by POSIX at all.

The hardlink behaviour change would though, unless it too is limited to directories with the sticky bit set - is that the case?

Tightening security: not for the impatient

Posted Jul 6, 2012 19:49 UTC (Fri) by mfedyk (guest, #55303) [Link] (1 responses)

Since most filesystems do not have a reverse reference from inode to dirents that point to them, you would either have to do a directory tree walk or hope it's already cached in the dcache, which would lead to immeasurable amounts of fun. That, or it would depend on which dirent was used to look up the inode.

No, this hard link change could not be related to directory sticky bit because multiple directories could point to the same inode (hard links).

That said, it would be acceptable IMO if it was activated with a mount option.

Tightening security: not for the impatient

Posted Jul 9, 2012 3:55 UTC (Mon) by kevinm (guest, #69913) [Link]

It's not the director(ies) where the current links are that matter, it's the directory where the new link is being created that should have to be sticky for the new rules to apply.

It even makes sense, because in a sticky directory you can create hardlinks that you can't then remove, but the same isn't true of nonsticky directories.

It's also unambiguous, and the destination directory of the link already has to be looked up to create the link.

Tightening security: not for the impatient

Posted Jul 11, 2012 21:31 UTC (Wed) by BenHutchings (subscriber, #37955) [Link]

POSIX also allows pretty much any operation to be denied due to security policy.