From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ldv@altlinux.org>
Date: Mon, 16 Dec 2019 12:35:33 +0300
From: "Dmitry V. Levin" <ldv@altlinux.org>
To: ALT Devel discussion list <devel@lists.altlinux.org>
Message-ID: <20191216093533.GA26143@altlinux.org>
References: <cover.1576183643.git.legion@altlinux.org>
 <CA+qzennvG7s_EJCi_ZXYuzK2Yf-nxb1SmchsbUyz44c+ffrmww@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="fdj2RfSjLxBAspz7"
Content-Disposition: inline
In-Reply-To: <CA+qzennvG7s_EJCi_ZXYuzK2Yf-nxb1SmchsbUyz44c+ffrmww@mail.gmail.com>
Subject: Re: [devel] [PATCH hasher-priv v1 0/3] Make a daemon from the
 hasher-priv
X-BeenThere: devel@lists.altlinux.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: ALT Linux Team development discussions <devel@lists.altlinux.org>
List-Id: ALT Linux Team development discussions <devel.lists.altlinux.org>
List-Unsubscribe: <https://lists.altlinux.org/mailman/options/devel>,
 <mailto:devel-request@lists.altlinux.org?subject=unsubscribe>
List-Archive: <http://lists.altlinux.org/pipermail/devel>
List-Post: <mailto:devel@lists.altlinux.org>
List-Help: <mailto:devel-request@lists.altlinux.org?subject=help>
List-Subscribe: <https://lists.altlinux.org/mailman/listinfo/devel>,
 <mailto:devel-request@lists.altlinux.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Dec 2019 09:35:33 -0000
Archived-At: <http://lore.altlinux.org/devel/20191216093533.GA26143@altlinux.org/>
List-Archive: <http://lore.altlinux.org/devel/>
List-Post: <mailto:devel@altlinux.org>


--fdj2RfSjLxBAspz7
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sun, Dec 15, 2019 at 11:50:13AM +0300, Alexey Tourbin wrote:
> On Fri, Dec 13, 2019 at 2:42 PM Alex Gladkov <legion@altlinux.ru> wrote:
> > The hasher-priv is a SUID utility. This is not good. Separation of the
> > server and client parts will allow us to remove SUID flag.
>=20
> Removing the SUID flag shouldn't be an end in itself. You're still
> running a process with root privileges which serves user requests.
> It's the same, except that instead of the SUID flag, the process just
> starts as root.  So you are not improving privilege separation or
> something, you are only limiting the ability of the user to tamper
> with the SUID binary. And tampering with the binary should be
> pointless anyway (unless glibc is faulty and permits arbitrary code
> injection, etc.).

While turning a suid root executable into a daemon doesn't automagically
make everything more secure, it's an important move in the right direction.

Firstly, the attack surface of a suid root executable is larger than
of the equivalent root daemon on the other side of a unix domain socket,
so this change narrows the attack surface.

Secondly, this change opens the way for more elaborate privilege separation.

Thirdly, it makes hasher available for PR_SET_NO_NEW_PRIVS'ed
processes (e.g. self-seccomp'ed) that cannot make use of suid executables.


--=20
ldv

--fdj2RfSjLxBAspz7
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCAAGBQJd90/lAAoJEAVFT+BVnCUIZDIP/3M1RWQAZRClsXslh0vq9/+E
/mT/2ICWzFfqAZolZKi5or/G2ChCp5sOlU2qsxCDd3WgTKe4WBtnxnvXSuPBOXek
gLZzA9TV2ZbGpYzFpGn7Ff1JxGlV9GxIA6T3F3up//wQeEo1EFIKpLaurtBOe9fA
X96BUmJKgamokrGC6PLgXHt/DSDAkbFlvzheP1fIwiMqDbp5zDA8Wl3l3jz4hjrS
Ht/9tsfxO9FwJM7IO01Mb5mnUQdaKukYeKdcmCgo0ZIeWlBbbqSKhndwcXFa4TzQ
Z75EVqBSAwn4iLIVqa8vrL5/Xt9BbbEmI6CV4o78SFekLdBhJMwAz7ziyj12XakN
K2dKWjLakgI3oaIMTJKK2jplQKk9U4O5Q0aqsgkV5zdQwS9LpY8s92MAQObHHUjj
vSzvHdfLtb2F3y5DJZztDuhZrKkqmeuvPxDBeGAoma3iXn8WZBHyKp+k7YtrtyY+
8CgWrSekaSLfKOB0wym7qsdhFWAGwnP9+bbDZAli+A4+sFlxmR4bEth26JxHZsuy
CgSMfIzca7xrlGCEt3ja2c/ceF1yCfR7gTRQJwYOI3l9K9Y3iqvJwyXJB3xsP/WM
lqgOD0y86L59rNh0a5cdotmS99EFxzgaDDWa1fH8MuTprqfD30mnCmDXzktTgDfM
zR3OqwZwCO/NGiJPd15u
=2M1/
-----END PGP SIGNATURE-----

--fdj2RfSjLxBAspz7--