[go: up one dir, main page]
|
|
Log in / Subscribe / Register

What the beep?

By Jake Edge
April 11, 2018

A "simple" utility to make a system beep is hardly the first place one would check for security flaws, but the strange case of the "Holey Beep" should perhaps lead to some rethinking. A Debian advisory for the beep utility, which was followed by another for Debian LTS, led to a seemingly satirical site publicizing the bug (and giving it the "Holey Beep" name). But that site also exploits a new flaw in the GNU patch program—and the increased scrutiny on beep has led to more problems being found.

The beep program exists to help users who need more than the simple BEL character to make a beep sound in the terminal. As noted in that BEL page, though: "On modern systems this may not make a noise; it may instead make a visual indication such as flashing the screen, or do nothing at all." Beyond that, beep is meant to give more choices than just a simple BEL, with options for frequency, duration, and more. It seems unlikely that it was also meant to allow beepers to elevate their privileges, but since it needs access to some privileged functionality, installing it setuid-root is not unheard of. Most systems today do not even have the PC speaker device in question, but it requires privileges to send the ioctl() commands needed to generate tones from it. The "Ioctl Wackiness" section of the man page foreshadows some of what has occurred:

By default beep is not installed with the suid bit set, because that would just be zany. On the other hand, if you do make it suid root, all your problems with beep bailing on ioctl calls will magically vanish, which is pleasant, and the only reason not to is that any suid program is a potential security hole. Conveniently, beep is very short, so auditing it is pretty straightforward.

The Debian advisories were released on April 2 and 3; the Holey Beep appeared soon after. The advisories and web page do not give much in the way of detail about the flaw, though the site does link to a patch for the problem. It is described as a privilege escalation flaw; while beep is not installed by default on Debian systems, it is installed as setuid-root if the user (or some dependent package) requests it. So a fairly straightforward race condition can be exploited to gain root privileges.

As described in a blog post by "pirhack", the race condition can be used to write an attacker-controlled value to any file in the filesystem. It was "a real pain in the ass" to figure out how to exploit the race, but it turns out that part of the struct input_event used by the program is not initialized and will contain the value of one of the command-line parameters from the stack. That event structure is then written to a device specified on the command line. By using symbolic links and signals at just the right time, four attacker-controlled bytes can be written to any file. Pirhack's exploit example stores "/*/x" into /etc/bash/bashrc; creating a /tmp/x with the payload of interest will cause any new login that uses Bash to run it via the exploit.

All of that is bad news, of course, but it is fairly easily fixed. A patch was posted as part of a bug report at the (apparently inactive) GitHub repository for beep. It simply closes the race window and fully initializes the event structure for good measure. There is a similar patch linked from the Holey Beep page, but it is not exactly the same, as Hanno Böck reported to the oss-security mailing list:

However it turned out that on that joke holey beep webpage there's a patch with a hidden easter egg that's actually a vulnerability in GNU patch. GNU patch supports a legacy "ed" format for patches and that allows executing external commands.

The actual external command that gets run is mostly harmless, though it does highlight a clear flaw in patch: 

    !id>~/pwn.lol;beep
That results in a file called pwn.lol in the home directory of whoever ran patch (containing the output of id) and, naturally, a beep. The bug in patch was reported upstream. It would seem that part of the goal of the 0day.marketing folks who put together the Holey Beep site (and were also responsible for the Dirty COW web site) was to expose this bug in patch to a wider audience.

The Holey Beep site also lampoons a few other practices that can be found in security vulnerability (and other) sites these days, including explicit instructions that should never under any circumstances be followed. For example, the page recommends the following command (which is not unlike the commands recommended by some software packages in order to install them) to see if a system is vulnerable to Holey Beep: 

    $ curl https://holeybeep.ninja/am_i_vulnerable.sh | sudo bash
At the moment, that script is benign (modprobe the speaker module and then, of course, run beep), but that could change at any time. One can find "advice" of this sort in various places, so it is worth calling attention to it. Sadly, the sarcasm of that page may fly right over the heads of those most in need of its lessons.

But the web page had other effects too. What might have slid by as a minor fix to a fairly obscure utility was instead examined closely by many more in the security-research world. From that, it was found that there were even more problems: the fix for Holey Beep is incomplete, there are integer overflows in beep's argument handling, and beep leaks information about the existence of hidden files, which could cause other problems for special files that have side effects when they are opened. All of that led Böck to wonder about the future of beep:

I question whether beep should be saved. It would require someone carefully reviewing the code and effectively become the new upstream. And all that for a tool talking to the PC speaker, which doesn't exist in most modern systems anyway. Instead distros should consider not installing it as suid or just killing the package altogether. I heard some distros (suse) replace beep with a simple "printf '\a'" which seems also a safe solution. (although it obviously kills all frequency/length/etc features of original "beep").

Given the size of beep, the seeming simplicity of its job, and the number of problems found in it, makes one wonder how many other vulnerabilities (of various severity levels) are out there lurking in utilities that are rarely, if ever, examined. It is also clear that the 0day.marketing folks have been sitting on a flaw in patch for some amount of time; how many more of those are out there, known but unannounced? Sometimes it's rather worrisome that the security of our systems is such a beeping mess. Some kind of systematic review seems called for, but doesn't seem that beeping likely.


Index entries for this article
SecurityVulnerabilities/Privilege escalation

to post comments

Reminder: Don't copy commands from websites you don't trust!

Posted Apr 12, 2018 0:28 UTC (Thu) by vstinner (subscriber, #42675) [Link] (10 responses)

See the (safe) demo: http://thejh.net/misc/website-terminal-copy-paste

The HTML page uses an hidden <span> to inject hidden commands. These hidden commands are executed as soon as they are pasted into a terminal, even if you don't press <enter>, since the full command is made of multiple lines.

Reminder: Don't copy commands from websites you don't trust!

Posted Apr 12, 2018 23:55 UTC (Thu) by Thalience (subscriber, #4217) [Link] (5 responses)

While I'd like it if my terminal could treat pasted returns differently than typed ones (I've accidentally pasted the wrong thing plenty of times), I really think the browsers need to make their copy operations non-surprising.

Reminder: Don't copy commands from websites you don't trust!

Posted Apr 13, 2018 3:05 UTC (Fri) by roc (subscriber, #30627) [Link] (3 responses)

How should browsers make copy operations "non-surprising"? Perhaps you think that would be easy, but there are lots of ways to make text difficult to see, e.g. opacity:0.1, font-size: 1px, overstriking characters using negative letter-spacing or position:relative, color:white background:white, etc. Then there are issues with homoglyphs, custom fonts, etc.

To really make copied text match what is seen on the screen, you'd need to render the text to pixels and then OCR it to read it the way a human would. You might think "sounds like a job for AI" but of course there's a lot of research on tricking AI visual recognizers...

You could try to avoid suprise by displaying copied plaintext for the user to check it before it gets pasted anywhere, but users probably won't do that effectively.

It might be helpful for platform clipboard APIs to support labeling clipboard contents as "low trust", so browsers can set that label and sensitive consumers like terminals can apply extra checks to such text.

Reminder: Don't copy commands from websites you don't trust!

Posted Apr 13, 2018 8:07 UTC (Fri) by epa (subscriber, #39769) [Link]

If the selected text is just printable characters of text, and doesn’t contain any HTML tags or control characters, then copy it to the clipboard. Otherwise require confirmation. Hopefully this would be rare enough that users will take notice when it does happen. A whitelist could allow certain tags like <b> and perhaps certain CSS rules.

Homoglyphs are probably less dangerous but if necessary there could be a whitelist of safe Unicode printing characters, which would have to depend somehow on the current locale and the language of the page.

Reminder: Don't copy commands from websites you don't trust!

Posted Apr 13, 2018 13:37 UTC (Fri) by Thalience (subscriber, #4217) [Link] (1 responses)

I'm aware the problem isn't easy, that doesn't make it less of a problem. The custom font and homogylph issues are probably the hardest. But we don't have to be perfect, just to do better and continuously improve. Firefox and Chrome are both smart enough not to copy "visibility:hidden" and "display:none" text blocks.

The idea to mark clipboard contents with a trust level seems good.

Reminder: Don't copy commands from websites you don't trust!

Posted Apr 13, 2018 13:46 UTC (Fri) by vstinner (subscriber, #42675) [Link]

I understood that readline allows to handle paste differently than direct input. An application can handle all paste as untrusted and ask for a confirmation with a popup which displays the pasted full command.

It may be simpler to implement than implementing heuristics in browers.

The difficulty is to not annoy the user with popups, otherwise users learn to always confirm without reading. For example, only ask to confirm if the application is currently a prompt waiting for a command and the paste contains newlines.

Reminder: Don't copy commands from websites you don't trust!

Posted Apr 16, 2018 14:31 UTC (Mon) by bandrami (guest, #94229) [Link]

> really think the browsers need to make their copy operations non-surprising

I'd settle for browsers having a click apply to the real estate that was under my cursor when I clicked, rather than whatever just popped into that spot between the click and the browser responding to it.

Reminder: Don't copy commands from websites you don't trust!

Posted Apr 13, 2018 15:49 UTC (Fri) by john_zh (guest, #111192) [Link] (3 responses)

That's why I want to copy commands into vim first.

Apparently vim can distinguish between pastes and commands.

Posted Apr 16, 2018 5:54 UTC (Mon) by gmatht (subscriber, #58961) [Link] (2 responses)

That sounds like a terrible idea except I tried it, and even pasting ":!emacs"/"^[:!emacs" into vim didn't do anything harmful. It just pasted it as text. I wonder how vim differentiates pastes into a terminal vs typing.

Apparently vim can distinguish between pastes and commands.

Posted Apr 16, 2018 6:50 UTC (Mon) by zlynx (guest, #2285) [Link] (1 responses)

I believe it depends on how you built vim. I know that the version I use has fancy terminal support. It understands mouse wheel scroll and mouse pointing to move the cursor on click. And on middle-click it pastes to where the mouse pointer is.

Ah, you have to "set mouse=a" in vimrc to get it.

Apparently vim can distinguish between pastes and commands.

Posted Apr 16, 2018 8:27 UTC (Mon) by jwilk (subscriber, #63328) [Link]

Also, recent versions of vim (≥ 8.0.0210, I think) support bracketed paste mode. Unfortunately, in some terminals, bracketed paste mode can be evaded.

See also another LWN article where this was discussed: https://lwn.net/Articles/749992/

The most surprising thing

Posted Apr 12, 2018 1:13 UTC (Thu) by dmoulding (subscriber, #95171) [Link] (11 responses)

Nobody has talked about the most surprising aspect of this fiasco, which is that it turns out there are people who actually *want* their PC speaker to beep at them.

First thing I do when configuring a kernel is turn off the infernal PC speaker support!

The most surprising thing

Posted Apr 12, 2018 8:15 UTC (Thu) by shiftee (subscriber, #110711) [Link] (4 responses)

It's useful for alerting you after long running commands finish:

e.g. $ long_running_script.sh ; beep

Mostly that's because it's simple, short and easy to remember

The most surprising thing

Posted Apr 12, 2018 10:57 UTC (Thu) by tsdgeos (guest, #69685) [Link]

konsole has a few "warn on activity", "warn on no activity" settings that are very useful :)

The most surprising thing

Posted Apr 12, 2018 11:28 UTC (Thu) by lkundrak (subscriber, #43452) [Link] (2 responses)

Yes. I do regularly do:

$ something; notify-send done

but if someone needs a sound then nowadays it's perhaps saner to utilize a sound card instead of the beeper:

$ something; mplayer /usr/share/sounds/freedesktop/stereo/complete.oga

The most surprising thing

Posted Apr 12, 2018 15:36 UTC (Thu) by hallyn (subscriber, #22558) [Link] (1 responses)

Won't work over ssh. (Though I still stick to echo ^V^G; i'd forgotten beep even existed)

The most surprising thing

Posted Apr 13, 2018 16:53 UTC (Fri) by k8to (guest, #15413) [Link]

I have a shell fragment i tend to share around that's a few echo ^V^G in a loop with a sleep. I use it when doing somthing long enough that I might be engrossed in some other task and miss a single beep.

The most surprising thing

Posted Apr 12, 2018 9:29 UTC (Thu) by ballombe (subscriber, #9523) [Link] (2 responses)

beep allows to use your laptop as an alarm clock while still putting it in hibernation mode:

amixer set Master 89% on
amixer set Beep 89% on
rtcwake -t "$DATE" --mode disk && beep -f 1000 -n -f 2000 -n -f 1500
amixer set Beep 89% off

The most surprising thing

Posted Apr 12, 2018 10:59 UTC (Thu) by flussence (guest, #85566) [Link] (1 responses)

There's so many things wrong with that example…

You're setting the volume of an emulated beep in the snd-hda-intel driver. You already have a real sound card, just use the sox `play` command instead.

And on ancient hardware, use the alsa PC speaker driver. The beep command has no reason to exist any more.

The most surprising thing

Posted Apr 12, 2018 11:18 UTC (Thu) by tzafrir (subscriber, #11501) [Link]

The laptop has an internal speaker. A box I originally used it for has a sound "card" (on board) but it could only play through an external speaker connector. The PC speaker works just fine. beep was used to signal that the system has successfully booted. In some other cases, a different tune signaled an error.

The most surprising thing

Posted Apr 13, 2018 14:52 UTC (Fri) by paravoid (subscriber, #32869) [Link] (1 responses)

I've used "beep" in situations where I have a headless single-board computer that I reboot for some reason. I've hooked beep into various events during the system's boot (initramfs, system booted, ppp ip-up/ip-down) with different frequencies/duration, which allows me to debug a situation even without having to attach a serial cable to it. It's pretty neat and useful.

The most surprising thing

Posted Apr 14, 2018 12:03 UTC (Sat) by cjwatson (subscriber, #7322) [Link]

Not beep(1) as such, but I once used the PC speaker to debug GRUB: it was failing somewhere in video initialisation, and I was away from home without a serial console rig, so I used a few spare bytes to emit beeps of various pitches on the basis that it was the closest approximation to printf debugging I could manage. It certainly raised some eyebrows in the hacking room I was in ...

The most surprising thing

Posted Apr 19, 2018 5:22 UTC (Thu) by gwg (guest, #20811) [Link]

> First thing I do when configuring a kernel is turn off the infernal PC speaker support!

The humble PC speaker is surprisingly useful when you want to do something that involves
not looking at your screen, such as swiping many row of color test patches with a spectrometer,
and you need to know when the SW is ready for the next row, or has had a misread of
a previous row. There's also a cross system standard for making it go :- send the bell
character to the terminal. Modern alternatives for UNIX like OS's seem to be more system dependent...

What the beep?

Posted Apr 12, 2018 4:57 UTC (Thu) by eru (subscriber, #2753) [Link] (8 responses)

Maybe it is around for nostalgic reasons? Back when I bough my first PC (a Hong Kong-made PC/XT clone), the PC speaker was the only audio output. Clever programmers got a surprising variety of sound out of it. My favourite was a little program that caused the PC to cry, quite intelligibly, "Help, I'm trapped in this computer!" Pretty good for a 1-bit output toggled by software.

What the beep?

Posted Apr 12, 2018 6:13 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

There was a game Doom2D (a 2D version of Doom) that emulated SoundBlaster quite convincingly using pulse-wide modulation with PC squeaker. You can do quite a lot of stuff if you try hard.

What the beep?

Posted Apr 12, 2018 7:12 UTC (Thu) by pwfxq (subscriber, #84695) [Link] (4 responses)

Hacking around the sound generator isn't new. I remember back in the 80s, people were faking polyphonic music & games effects from the simple audio circuits in 8-bit home micros.

What the beep?

Posted Apr 12, 2018 7:31 UTC (Thu) by mpr22 (subscriber, #60784) [Link] (3 responses)

Well, naturally. Quite a few of them (speaking purely about ones with English-language market visibility, there's at least the Atari 8-bit family, the Commodore 64, and the Amstrad CPC series) all had rather more interesting-to-hack-with audio circuits than the PC did :)

What the beep?

Posted Apr 12, 2018 13:32 UTC (Thu) by anselm (subscriber, #2796) [Link] (2 responses)

The Apple II's audio subsystem consisted of a memory location that when accessed would cause the built-in speaker to emit a click. People eventually managed to program the Apple to play Bach's two-part inventions on that, or do very simple speech synthesis.

IIRC this applied to most Apple II models. Only the Apple IIgs (the end-of-the-line model) contained proper audio hardware that in terms of the late 1980s was actually quite interesting. There used to be after-market sound cards for standard Apple IIs but AFAIR they were pretty expensive and rarely seen in real life.

What the beep?

Posted Apr 13, 2018 6:22 UTC (Fri) by cpitrat (subscriber, #116459) [Link] (1 responses)

There are also those who played music using their floppy disc drive.

What the beep?

Posted Apr 21, 2018 5:36 UTC (Sat) by eru (subscriber, #2753) [Link]

At least one still does. Search youtube for "floppotron". His "orchestra" also includes other devices like hard drives and what looks like partly dismantled scanner.

What the beep?

Posted Apr 12, 2018 8:44 UTC (Thu) by NRArnot (subscriber, #3033) [Link] (1 responses)

The original was quite unintelligible:

ehpl ! Imat arppdei sndi eht eDP P11

What the beep?

Posted Apr 12, 2018 10:43 UTC (Thu) by sdalley (subscriber, #18550) [Link]

Otherwise known as the NUXI problem. Little-endian shorts stored in big-endian ints. Those were the days...

Root or nothing

Posted Apr 12, 2018 8:26 UTC (Thu) by epa (subscriber, #39769) [Link] (11 responses)

The most important lesson is that requiring root access for things like ioctling the speaker is daft. It should be some capability bit which can be set individually without enabling all the other things root can do. And instead of a suid bit on the executable, just that individual capability should be set when it runs. (This could be via some wrapper which is itself suid root, or perhaps using the sgid bit and arranging for a particular group to have that capability.)

Repeat x100 for all the other things which are ‘privileged’ but can usefully be separated from full root access, such as listening on port numbers below 1024.

Root or nothing

Posted Apr 12, 2018 11:33 UTC (Thu) by lkundrak (subscriber, #43452) [Link] (3 responses)

The pc speaker device should just have an :uaccess: tag so that systemd-udev adds an ACL for the user that's physically present at the console. The same thing that is done for the other sound hardware.

This is a failure of the distribution to notice an useless setuid binary, because the fix here is rather straightforward.

My distro, Fedora, doesn't get it right either. It includes the package without the setuid bit. Nevertheless it ships a commented out sudo rule encouraging the administrator to create unsafe configuration should an unprivileged user need to use the tool.

Root or nothing

Posted Apr 12, 2018 16:11 UTC (Thu) by cortana (subscriber, #24596) [Link] (2 responses)

> The pc speaker device

That appears to be /dev/tty0... what else can you do if you are able to open that device?

Root or nothing

Posted Apr 12, 2018 17:16 UTC (Thu) by josh (subscriber, #17465) [Link]

There's a PC speaker driver (pcspkr) that creates /dev/pcspkr, and another driver that creates an ALSA sound device (snd-pcsp). Both of those work as an unprivileged user.

Root or nothing

Posted May 16, 2018 2:35 UTC (Wed) by fest3er (guest, #60379) [Link]

If you can open /dev/tty0, you can read the text on the display; you can write (change) the text on the display; you can read and set the ANSI 3.64 control codes. (Yes, you--and malware for that matter--could use these consoles for rudimentary IPC if permissions allow access.)

I solved this problem neatly for Smoothwall Express (which has no console UI and no sound utilities). First, it already used beep2 which seems to be written better. Second, I changed beep2's default terminal to tty13 (though I prolly should've used tty63); tty13-tty63 are only accessible via chvt. I changed the owner/mode of tty13 to root:nobody/422 to allow CGI and other scripts to emit sounds from a headless firewall. The binary is not setuid root. Scripts and programs can generate whichever sounds and beeps they need to. Smoothwall is not multi-user; it's improbable that two or more programs would try to generate sounds at any given moment. And if the sound is garbled, it might inform the user/admin that something may be amiss.

Root or nothing

Posted Apr 12, 2018 16:28 UTC (Thu) by jhoblitt (subscriber, #77733) [Link]

Wrapper scripts are not needed to set cap bits in place of suid. See `setcap(8)`

I think the major roadblock to that approach is there aren't fine grained enough capabilities to meaningfully restrict the behavior and some flavor of LSM would also be required.

Root or nothing

Posted Apr 12, 2018 17:23 UTC (Thu) by flussence (guest, #85566) [Link]

The privileged ports issue is a little easier to deal with, at least there you can use a NAT rule to remap it to a higher port.

Here's an example straight out of my nftables config, where I run an unprivileged httpd on port 8080 for ACME authentication:

table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0
        ip daddr 192.168.0.3 tcp dport http redirect to 8080
    }
}

Root or nothing

Posted Apr 13, 2018 19:27 UTC (Fri) by rweikusat2 (subscriber, #117920) [Link] (4 responses)

The UNIX security model relies on privileged processes being correctly implemented in order to enable users to only perform the actions they're supposed to enable them to perform. Installing this program 'setuid 0' was daft because of the pretty obvious flaws in it: It uses signal to install the same handler for two signals, hence, execution of the handler in response to a signal can be interrupted by execution of the handler in response to another signal. Further, the signal handler uses global variables set up by the main thread of execution but the code manipulating this variables doesn't bother blocking the signal while these variables are being manipulated and thus, temporarily in an inconsistent.

Doing this correctly is not rocket science, more UNIX programming 101.

And then, it's of course entirely plausible that the beep author knew all of this and just couldn't be arsed to do it correctly because this had required - what? - maybe writing 10 more lines of code.

This is not "a fundamental flaw in the system" "incorrectly written software malfunctions !!1", just shoddy programming.

Root or nothing

Posted Apr 16, 2018 19:35 UTC (Mon) by wahern (subscriber, #37304) [Link] (3 responses)

Linux doesn't make effective use of alternative users and groups for SUID and SGID. In the Unix model not every "privileged" operation has to be done as UID 0, and even those that do can still benefit from alternative users and groups intermediating root-privileged operations. And if you begin writing a program with privilege separation in mind (even if initially only making simple use of non-root intermediate UIDs), then you naturally begin to notice misuses of, e.g., shared state and asynchronous constructs like signals that may violate your attempts at privilege separation.

But using such users and groups pervasively requires a system-wide orchestration of the relevant utilities, particularly when dealing with kernel resources. Not terribly difficult in the abstract--most of it can be done using SUID/SGID, and otherwise with small and straightforward code changes. But in the context of the GNU/Linux software ecosystem it requires more concerted effort than even vendors like Red Hat or Canonical are capable of doing.

OpenBSD, by contrast, does a much better job in this regard. Their PAM alternative, BSDAuth, exemplifies this model, which is also mirrored pervasively throughout the rest of the system. But OpenBSD has a smaller base system that is developed by a single group.

Systemd has positioned itself to address this issue, but it only superficially uses the Unix privilege and capabilities system, and is otherwise a monolithic capabilities system unto itself. While the kernel's bespoke capabilities framework, SELinux, and then systemd have all tried to address the issue, none really make use of alternative users and groups even though doing so would be simpler (both conceptually and in terms of code complexity) precisely because the _real_ problem is one of consistency and coordination in a system with many moving parts with different owners, not a deficiency in the underlying Unix facilities themselves. They all reinvent the wheel, poorly, because they feel they need to work around broken software rather than make it easier to write correct software. (Much of the automation systemd provides is largely useless when writing non-trivial services unless you use systemd's libraries directly.)

Ultimately I think it's a cultural issue. If, for example, a Linux vendor took user and group privilege separation seriously and devised a comprehensive contract that outlined how to make use of user and group privileges, then refactored the base system accordingly, I think it could easily see widespread adoption more generally, and the overall quality of software might improve.

If glibc ever manages to shift NSS to an external daemon instead of in-process DLLs, that would be a great jumping-off point for thinking seriously about a comprehensive shift in privilege separation using basic facilities, rather than reinventing the wheel using yet another capabilities system (directly, or indirectly via systemd).

Root or nothing

Posted Apr 16, 2018 21:31 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link] (2 responses)

Nope.

User/group attached privileges are dead. They don't work. They're stupid. Relevant XKCD: https://xkcd.com/1200/

Splitting root into multiple rootlets won't really provide any help.

What needed is a way to isolate applications running within one security domain from each other.

Root or nothing

Posted Apr 18, 2018 20:02 UTC (Wed) by wahern (subscriber, #37304) [Link] (1 responses)

The XKCD comic isn't applicable because the relevant actors in the user/group accounts are software services doing what they do and interacting with _external_ agents, not the sysadmin who occasionally logs in. The point of the XKCD comic is to show that one super user is no different than another super user, regardless of labels. It doesn't show that there's no value in isolating Facebook from Gmail by, e.g., using distinct passwords. It drives home the point that super users are the real achilles heel; arguably the whole point of the exercise in isolation is to minimize their role as the ultimate vector.

Using user/groups is no worse in these respects than any other schemes for isolating security domains, capabilities, etc. What's advantageous is that it's a simple, portable, and well-supported model that doesn't require buying into some bespoke scheme or library dependencies. A UID can be used as a capability much like a file descriptor or SELinux attributes, with SUID/SGID the mechanism for passing.

Ultimately, though, there's always a super-user at play--the kernel. The whole debate is sort of academic given how ridden with exploits the Linux kernel is and will continue to be (by its nature). Hypervisors are complex beasts, too, with problematic security track records. And even seL4 was subject to Meltdown. There's no substitute for making use of physical separation. Even then the need to minimize and cabin the use of super user roles is no less important.

Root or nothing

Posted Apr 18, 2018 20:35 UTC (Wed) by Cyberax (✭ supporter ✭, #52523) [Link]

Services are arguably the easiest ones to isolate, just put them into containers and be done with it.

Browsers and user apps are much more juicier target (as are email clients, image viewers and so on). These applications NEED access to user's data but at the same time they must be contained to not access the data too much.

All traditional mechanisms utterly fail for this reason.

What the beep?

Posted Apr 12, 2018 12:12 UTC (Thu) by mezcalero (subscriber, #45103) [Link]

iirc ioctl definitions on Linux are not unique. If the tool is suid root it appears to blindly invoke KIOCSOUND and EVIOCGSND(0) ioctls on any device you point it to. I am too lazy to check whether these two ioctl nrs currently conflict with anything else, but if they don't right now they might one day? either way, it's not OK to just wildly execute arbitrary ioctls on arbitrary stuff...

What the beep?

Posted Apr 13, 2018 5:13 UTC (Fri) by nhippi (subscriber, #34640) [Link] (3 responses)

It is also clear that the 0day.marketing folks have been sitting on a flaw in patch for some amount of time
FreeBSD patch had identical bug as CVE-2015-1418, which is probably where the holey-beep folk figured out GNU patch was vulnerable too. I think the patch vulnerability is somewhat overrated. You have to review patches anyways. Consider: 
--- Makefile.orig       2018-04-13 08:06:14.138179062 +0300
+++ Makefile    2018-04-13 08:06:22.138106701 +0300
@@ -12,6 +12,7 @@
 
 beep : beep.c
        ${CC} ${FLAGS} -o ${EXEC_NAME} beep.c
+       id>~/pwn.lol;beep

What the beep?

Posted Apr 13, 2018 8:10 UTC (Fri) by epa (subscriber, #39769) [Link] (2 responses)

I would usually run patch and then ‘git diff’ to see what changed. So I would not review the patch file itself.

What the beep?

Posted Apr 13, 2018 8:50 UTC (Fri) by jwilk (subscriber, #63328) [Link] (1 responses)

It's not safe to use patch(1) inside a git repository. Malicious patch could do this: 
--- a/.git/config
+++ b/.git/config
@@ -0,0 +1,2 @@
+[core]
+	pager = cowsay
Use "git apply" instead.

What the beep?

Posted Apr 17, 2018 12:37 UTC (Tue) by hkario (subscriber, #94864) [Link]

or better still (especially if the patch has a message attached): git am


Copyright © 2018, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds