Re: crontab security under openpkg

2003-01-14 Thread Michael Schloh von Bennewitz
On Tue, Jan 14, 2003, Ralf S. Engelschall wrote:
 On Mon, Jan 13, 2003, Bill Campbell wrote:
 I understand that.  My suggestion pertained more to the documentation than
 the implementation on the grounds that the names are familiar to Unix
 admins and developers.
 
 Yes, you're right, the documentation for these issues is still very
 bad. There is just a small and confusing paragraph about this in the
 handbook.

Now there's a big and confusing paragraph in the handbook ;-)

  http://www.openpkg.org/doc/handbook/openpkg.html

-- 
[EMAIL PROTECTED]
Development Team, Application Services
Cable & Wireless Deutschland GmbH





Re: crontab security under openpkg

2003-01-14 Thread Bill Campbell
On Tue, Jan 14, 2003 at 12:39:08PM +0100, Michael Schloh von Bennewitz wrote:
On Tue, Jan 14, 2003, Ralf S. Engelschall wrote:
 On Mon, Jan 13, 2003, Bill Campbell wrote:
 I understand that.  My suggestion pertained more to the documentation than
 the implementation on the grounds that the names are familiar to Unix
 admins and developers.
 
 Yes, you're right, the documentation for these issues is still very
 bad. There is just a small and confusing paragraph about this in the
 handbook.

Now there's a big and confusing paragraph in the handbook ;-)

I think the reason this is confusing is that in the present implementation
none of this seems to be implemented.  Everything in an openpkg instance is
owned by the manager user and in the manager group.

If the %{l_prefix}/RPM/{PKG,SRC,TMP} build directories were in the
restricted user and group (e.g. developers), perhaps with group write
permissions, then developers would work there.  This would require the
manager to install software in the instance, and would prevent developers
from changing installed things in the openpkg instance.  It would be left
to the developers to set appropriate permissions in the data areas of their
packages so that their target users could access and write as necessary for
their applications.

This then leaves the ``nobody'' user/group which can be used to control
access to the individual applications in an instance at a fairly high level
(e.g. user is accounting manager, group is people who have working access
to accounting data, but can't change configuration of an accounting
package).

The developer restrictions could then be implemented by changing the %files
in the openpkg.spec file (assuming group read/write and no outside users
accessing the developer area).
%attr(0770,%{l_muser},%{l_rgrp}) %dir %{l_prefix}/RPM/SRC
%attr(0770,%{l_muser},%{l_rgrp}) %dir %{l_prefix}/RPM/PKG
%dir %{l_prefix}/RPM/DB
%attr(0770,%{l_ruser},%{l_rgrp}) %dir %{l_prefix}/RPM/TMP

This might require setting ``umask 007'' for the developers.

This would do much the same thing for developers to restrict accidental or
unauthorized changes to packages that openpkg does to restrict changes to
the system's critical files.  It shouldn't change the current behaviour
when the default --user=xxx and --group=xxx is specified, and permits more
control for those who want it.  Furthermore, things are less confusing in
the documentation because there are well defined guidelines and procedures
to be documented.

Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
UUCP:   camco!bill  PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

``The trouble with fighting for human freedom is that one spends most of
one's time defending scoundrels. For it is against scoundrels that
oppressive laws are first aimed, and oppression must be stopped at the
beginning if it is to be stopped at all.'' -- H. L. Mencken
__
The OpenPKG Project            www.openpkg.org
Developer Communication List   [EMAIL PROTECTED]



Re: crontab security under openpkg

2003-01-13 Thread Ralf S. Engelschall

In article [EMAIL PROTECTED] you wrote:

 Have I done something wrong, or missing something?  It seems to me to be a
 major security hole in a system when crontab executes the
 %{l_prefix}/etc/rc scripts as root, and that script can then execute other
 programs with root privileges where the rc script and package scripts are
 writeable by any user other than root.  What's to prevent anyone from
 having something like this in their rc.package file?
 
 ...
 %start -p 200 -u root
rm -rf /
 ...
 
 Programs like COPS go to some length to check for programs and scripts run
 out of cron with root privileges to ensure that things like this can't
 happen.
 
 It seems to me that the only way around this with openpkg (short of writing
 some kind of program that checks ownership and writeability of any root
 cron scripts) would be to have all the base directories under %{l_prefix}
 writeable only by root while the RPM directory has the usual ownership and
 permissions.
 
 This would still allow non-root users to build software, but would require
 root privileges to install.

The general issue with the four user/group ids in OpenPKG I've now
tried to document at http://www.openpkg.org/faq.html#uid-security

The situation you mention is correct: someone with management user/group
(owner of your OpenPKG instance you specified with --user/--group)
access can reach super user/group access through manipulations of rc
files. But this is similar to the situation of bin and root in your
Unix system. Because even if the rc files and the rc script itself are
owned and writeable only by root, this still does not change any
security here, because the scripts themselves execute files in your
OpenPKG instance and those are owned by the management user/group ids,
too. Same for your Unix system: if someone is able to reach bin he
just needs to change some system commands and wait for the next system
cronjob or system reboot. So, you _HAVE_ to treat the OpenPKG management
user/group equal to root when it comes to security.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

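The check Bill describes COPS performing, carried over to an OpenPKG-style instance, as an added example (this is neither OpenPKG code nor code from any poster in the thread). It takes Ralf's point into account: it is not enough to look at the rc script root's cron job runs, because that script in turn executes files under %{l_prefix}, so the whole instance tree is walked and every path that someone other than the trusted owner could modify is reported. The layout of the constructed demo tree, the exclusion of the RPM build area, and the "trusted owner" argument are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not OpenPKG project code: audit an instance tree that a
# root cron job will execute from. A path is reported if it is not owned by
# the trusted uid, or if group or world can write it, because whoever can
# write it can plant code that root will later run (e.g. via a
# "%start -u root" block in an rc file). PREFIX/RPM is skipped because the
# build area is meant to be writable by the uid that builds packages.

# audit_exec_tree PREFIX TRUSTED_USER
#   Print one offending path per line.
audit_exec_tree() {
    _prefix=$1
    _owner=$2
    find "$_prefix" -path "$_prefix/RPM" -prune -o \
        \( ! -user "$_owner" -o -perm -020 -o -perm -002 \) -print
}

# count_offenders PREFIX TRUSTED_USER
#   Number of offending paths, for a quick pass/fail in scripts.
count_offenders() {
    audit_exec_tree "$1" "$2" | wc -l | tr -d ' '
}

# make_demo_tree
#   Build a small constructed instance under a temporary directory and
#   print its path. Two weaknesses are planted on purpose:
#     etc/rc.d/rc.foo  group-writable (0664)
#     lib/helper.sh    world-writable (0666)
#   RPM/TMP is left 0777 to show that the build area is deliberately ignored.
make_demo_tree() {
    _d=$(mktemp -d) || return 1
    mkdir -p "$_d/bin" "$_d/etc/rc.d" "$_d/lib" "$_d/RPM/TMP"
    chmod 0755 "$_d/bin" "$_d/etc" "$_d/etc/rc.d" "$_d/lib" "$_d/RPM"
    printf '#!/bin/sh\necho foo running as uid %s\n' '$(id -u)' > "$_d/bin/foo"
    chmod 0755 "$_d/bin/foo"
    printf '%%start -p 200 -u root\n    %s/bin/foo\n' "$_d" > "$_d/etc/rc.d/rc.foo"
    chmod 0664 "$_d/etc/rc.d/rc.foo"
    printf 'echo helper\n' > "$_d/lib/helper.sh"
    chmod 0666 "$_d/lib/helper.sh"
    chmod 0777 "$_d/RPM/TMP"
    echo "$_d"
}

# demo: build the tree, audit it with the current user as trusted owner,
# then clean up. On a real instance you would pass %{l_prefix} and the
# management user instead.
demo() {
    _tree=$(make_demo_tree) || return 1
    _user=$(id -un)
    echo "auditing $_tree (trusted owner: $_user)"
    audit_exec_tree "$_tree" "$_user" | sed 's/^/  writable by others: /'
    echo "offenders: $(count_offenders "$_tree" "$_user")"
    rm -rf "$_tree"
}

demo
```

Run as `sh audit.sh`; the demo reports the two planted files and nothing under RPM. Against a real instance, `audit_exec_tree /openpkg opkg` (or whatever --user was given) applied from root's crontab, with any non-empty output treated as a failure, gives the automated check the thread says is otherwise missing.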



Re: crontab security under openpkg

2003-01-13 Thread Bill Campbell
On Mon, Jan 13, 2003 at 05:16:58PM +0100, Ralf S. Engelschall wrote:
...
The general issue with the four user/group ids in OpenPKG I've now
tried to document at http://www.openpkg.org/faq.html#uid-security

The situation you mention is correct: someone with management user/group
(owner of your OpenPKG instance you specified with --user/--group)
access can reach super user/group access through manipulations of rc
files. But this is similar to the situation of bin and root in your
Unix system. Because even if the rc files and the rc script itself are
owned and writeable only by root, this still does not change any
security here, because the scripts themselves execute files in your
OpenPKG instance and those are owned by the management user/group ids,
too. Same for your Unix system: if someone is able to reach bin he
just needs to change some system commands and wait for the next system
cronjob or system reboot. So, you _HAVE_ to treat the OpenPKG management
user/group equal to root when it comes to security.

May I suggest that this would be a bit clearer with some more meaningful
names, and roles.  I'm still not absolutely clear about the use of the
opkg-n user.

opkg        This is the user/group set that would be used by normal users on
            the system, and the top level directory would have the
            appropriate permissions for their use.  As an example, if the
            package were accounting related data that should only be
            accessible from the accounting group, the top level directory
            might have 750 permissions restricting access to people in that
            group.

            This group would only have write access in the appropriate data
            areas necessary to run the software.

opkg-root   This is the manager with full read/write permissions throughout
            the opkg tree.

opkg-devel  Developer access which would have read/write access to
            everything under the %{l_prefix}/RPM tree except for
            %{l_prefix}/RPM/DB where they would only have read access.

The actual user names should probably be opkgroot and opkgdev to prevent
problems with user names > 8 characters long.

Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
UUCP:   camco!bill  PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

``The best we can hope for concerning the people at large is that they be
properly armed.''
-- Alexander Hamilton, The Federalist Papers at 184-188



Re: crontab security under openpkg

2003-01-13 Thread Bill Campbell
On Tue, Jan 14, 2003 at 06:59:10AM +0100, Ralf S. Engelschall wrote:
On Mon, Jan 13, 2003, Bill Campbell wrote:

 [...]
 May I suggest that this would be a bit clearer with some more meaningful
 names, and roles.  I'm still not absolutely clear about the use of the
 opkg-n user.

 opkg        This is the user/group set that would be used by normal users on
 [...]
 opkg-root   This is the manager with full read/write permissions throughout
 [...]
 opkg-devel  Developer access which would have read/write access to
 [...]

 The actual user names should probably be opkgroot and opkgdev to prevent
 problems with user names > 8 characters long.

Keep in mind that the name, name-n and name-r user/group ids are just
_DEFAULTS_ and were chosen exactly because of the limited length
restrictions on some platforms. You can force the use of _arbitrary_
names by using --{s,m,r,n}{usr,grp}=name on the openpkg-*.src.sh
command line instead of --{user,group}=name. Nothing is hard-coded, so
you can achieve your wish above with --susr=opkg-root --sgrp=opkg-root
--musr=opkg --mgrp=opkg ...

I understand that.  My suggestion pertained more to the documentation than
the implementation on the grounds that the names are familiar to Unix
admins and developers.

Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
UUCP:   camco!bill  PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

``We'll show the world we are prosperous, even if we have to go broke to do
it.''
Will Rogers