Date: Mon, 16 Dec 2019 12:35:33 +0300
From: "Dmitry V. Levin"
To: ALT Devel discussion list
Subject: Re: [devel] [PATCH hasher-priv v1 0/3] Make a daemon from the hasher-priv
Message-ID: <20191216093533.GA26143@altlinux.org>
List-Id: ALT Linux Team development discussions

On Sun, Dec 15, 2019 at 11:50:13AM +0300, Alexey Tourbin wrote:
> On Fri, Dec 13, 2019 at 2:42 PM Alex Gladkov wrote:
> > The hasher-priv is a SUID utility. This is not good. Separation of the
> > server and client parts will allow us to remove the SUID flag.
>
> Removing the SUID flag shouldn't be an end in itself. You're still
> running a process with root privileges which serves user requests.
> It's the same, except that instead of the SUID flag, the process just
> starts as root. So you are not improving privilege separation or
> something, you are only limiting the ability of the user to tamper
> with the SUID binary. And tampering with the binary should be
> pointless anyway (unless glibc is faulty and permits arbitrary code
> injection, etc.).

While turning a suid root executable into a daemon doesn't automagically
make everything more secure, it's an important move in the right direction.

Firstly, the attack surface of a suid root executable is larger than that
of the equivalent root daemon on the other side of a unix domain socket,
so this change narrows the attack surface.

Secondly, this change opens the way for more elaborate privilege separation.

Thirdly, it makes hasher available for PR_SET_NO_NEW_PRIVS'ed processes
(e.g. self-seccomp'ed) that cannot make use of suid executables.

-- 
ldv