Re: crontab security under openpkg
On Tue, Jan 14, 2003, Ralf S. Engelschall wrote:
> On Mon, Jan 13, 2003, Bill Campbell wrote:
> > I understand that. My suggestion pertained more to the documentation
> > than the implementation on the grounds that the names are familiar to
> > Unix admins and developers.
>
> Yes, you're right, the documentation for these issues is still very bad.
> There is just a small and confusing paragraph about this in the handbook.

Now there's a big and confusing paragraph in the handbook ;-)

http://www.openpkg.org/doc/handbook/openpkg.html

--
[EMAIL PROTECTED]
Development Team, Application Services
Cable & Wireless Deutschland GmbH
Re: crontab security under openpkg
On Tue, Jan 14, 2003 at 12:39:08PM +0100, Michael Schloh von Bennewitz wrote:
> On Tue, Jan 14, 2003, Ralf S. Engelschall wrote:
> > On Mon, Jan 13, 2003, Bill Campbell wrote:
> > > I understand that. My suggestion pertained more to the documentation
> > > than the implementation on the grounds that the names are familiar to
> > > Unix admins and developers.
> >
> > Yes, you're right, the documentation for these issues is still very bad.
> > There is just a small and confusing paragraph about this in the handbook.
>
> Now there's a big and confusing paragraph in the handbook ;-)

I think the reason this is confusing is that in the present implementation
none of this seems to be implemented. Everything in an openpkg instance is
owned by the manager user and in the manager group.

If the %{l_prefix}/RPM/{PKG,SRC,TMP} build directories were in the restricted
user and group (e.g. developers), perhaps with group write permissions, then
developers would work there. This would require the manager to install
software in the instance, and would prevent developers from changing
installed things in the openpkg instance. It would be left to the developers
to set appropriate permissions in the data areas of their packages so that
their target users could access and write as necessary for their
applications.

This then leaves the ``nobody'' user/group which can be used to control
access to the individual applications in an instance at a fairly high level
(e.g. user is accounting manager, group is people who have working access to
accounting data, but can't change configuration of an accounting package).

The developer restrictions could then be implemented by changing the %files
in the openpkg.spec file (assuming group read/write and no outside users
accessing the developer area):

    %attr(0770,%{l_muser},%{l_rgrp}) %dir %{l_prefix}/RPM/SRC
    %attr(0770,%{l_muser},%{l_rgrp}) %dir %{l_prefix}/RPM/PKG
                                     %dir %{l_prefix}/RPM/DB
    %attr(0770,%{l_ruser},%{l_rgrp}) %dir %{l_prefix}/RPM/TMP

This might require setting ``umask 007'' for the developers.

This would do much the same thing for developers to restrict accidental or
unauthorized changes to packages that openpkg does to restrict changes to
the system's critical files. It shouldn't change the current behaviour when
the default --user=xxx and --group=xxx is specified, and permits more
control for those who want it. Furthermore, things are less confusing in
the documentation because there are well defined guidelines and procedures
to be documented.

Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
UUCP:               camco!bill  PO Box 820; 6641 E. Mercer Way
FAX:            (206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

``The trouble with fighting for human freedom is that one spends most of
one's time defending scoundrels. For it is against scoundrels that
oppressive laws are first aimed, and oppression must be stopped at the
beginning if it is to be stopped at all.'' -- H. L. Mencken
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
Developer Communication List                         [EMAIL PROTECTED]
Re: crontab security under openpkg
In article [EMAIL PROTECTED] you wrote:
> Have I done something wrong, or am I missing something? It seems to me to
> be a major security hole in a system when crontab executes the
> %{l_prefix}/etc/rc scripts as root, and that script can then execute other
> programs with root privileges where the rc script and package scripts are
> writeable by any user other than root. What's to prevent anyone from
> having something like this in their rc.package file?
>
>     ...
>     %start -p 200 -u root
>     rm -rf /
>     ...
>
> Programs like COPS go to some length to check for programs and scripts run
> out of cron with root privileges to ensure that things like this can't
> happen. It seems to me that the only way around this with openpkg (short
> of writing some kind of program that checks ownership and writeability of
> any root cron scripts) would be to have all the base directories under
> %{l_prefix} writeable only by root while the RPM directory has the usual
> ownership and permissions. This would still allow non-root users to build
> software, but would require root privileges to install.

The general issue with the four user/group ids in OpenPKG I've now tried to
document at http://www.openpkg.org/faq.html#uid-security

The situation you mention is correct: someone with management user/group
(owner of your OpenPKG instance you specified with --user/--group) access
can reach super user/group access through manipulations of rc files. But
this is similar to the situation of bin and root in your Unix system.
Because even if the rc files and the rc script itself are owned and
writeable only by root, this still does not change any security here,
because the scripts themselves execute files in your OpenPKG instance and
those are owned by the management user/group ids, too. Same for your Unix
system: if someone is able to reach bin he just needs to change some system
commands and wait for the next system cronjob or system reboot.

So, you _HAVE_ to treat the OpenPKG management user/group equal to root
when it comes to security.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
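The COPS-style check Bill describes above (ownership and writability of the rc scripts that root's crontab runs), written out as an added example that is not part of this thread or of OpenPKG. It assumes the scripts live as rc and rc.* in one directory (%{l_prefix}/etc of the instance) and takes the expected owner as a parameter so it can be tried on a test tree.

```shell
#!/bin/sh
# Added example, not OpenPKG code: audit the rc scripts that root's crontab
# runs out of an OpenPKG instance, the way COPS checks root cron jobs.
# A script is reported when it is not owned by the expected account, or
# when it (or the directory holding it) is writable by group or world.
#
# Usage: audit_rc_scripts DIR [OWNER]
#   DIR    directory holding "rc" and the "rc.*" package scripts
#          (assumed here to be %{l_prefix}/etc of the instance)
#   OWNER  account (name or uid) that must own them; defaults to root
# Prints one line per finding; returns 0 when clean, 1 otherwise.

# true if the named path itself has a group- or world-write bit set
writable_by_others() {
    # -maxdepth 0 restricts find to the named path; -perm -020 / -002
    # match when the group / other write bit is set
    [ -n "$(find "$1" -maxdepth 0 \( -perm -020 -o -perm -002 \))" ]
}

audit_rc_scripts() {
    dir=$1
    owner=${2:-root}
    status=0
    for f in "$dir/rc" "$dir"/rc.*; do
        [ -f "$f" ] || continue          # unmatched glob or missing rc
        if [ -n "$(find "$f" -maxdepth 0 ! -user "$owner")" ]; then
            echo "$f: not owned by $owner"
            status=1
        fi
        if writable_by_others "$f"; then
            echo "$f: writable by group or world"
            status=1
        fi
    done
    # a writable directory lets anyone replace the scripts outright
    if writable_by_others "$dir"; then
        echo "$dir: directory writable by group or world"
        status=1
    fi
    return $status
}
```

As Ralf points out in the reply above, this covers only the scripts themselves; the instance-owned programs they invoke need the same treatment before the check means anything.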
Re: crontab security under openpkg
On Mon, Jan 13, 2003 at 05:16:58PM +0100, Ralf S. Engelschall wrote:
...
> The general issue with the four user/group ids in OpenPKG I've now tried
> to document at http://www.openpkg.org/faq.html#uid-security
>
> The situation you mention is correct: someone with management user/group
> (owner of your OpenPKG instance you specified with --user/--group) access
> can reach super user/group access through manipulations of rc files. But
> this is similar to the situation of bin and root in your Unix system.
> Because even if the rc files and the rc script itself are owned and
> writeable only by root, this still does not change any security here,
> because the scripts themselves execute files in your OpenPKG instance and
> those are owned by the management user/group ids, too. Same for your Unix
> system: if someone is able to reach bin he just needs to change some
> system commands and wait for the next system cronjob or system reboot.
>
> So, you _HAVE_ to treat the OpenPKG management user/group equal to root
> when it comes to security.

May I suggest that this would be a bit clearer with some more meaningful
names, and roles. I'm still not absolutely clear about the use of the
opkg-n user.

opkg        This is the user/group set that would be used by normal users on
            the system, and the top level directory would have the
            appropriate permissions for their use. As an example, if the
            package were accounting related data that should only be
            accessible from the accounting group, the top level directory
            might have 750 permissions restricting access to people in that
            group. This group would only have write access in the
            appropriate data areas necessary to run the software.

opkg-root   This is the manager with full read/write permissions throughout
            the opkg tree.

opkg-devel  Developer access which would have read/write access to
            everything under the %{l_prefix}/RPM tree except for
            %{l_prefix}/RPM/DB where they would only have read access.

The actual user names should probably be opkgroot and opkgdev to prevent
problems with user names 8 characters long.

Bill

``The best we can hope for concerning the people at large is that they be
properly armed.'' -- Alexander Hamilton, The Federalist Papers at 184-188
Re: crontab security under openpkg
On Tue, Jan 14, 2003 at 06:59:10AM +0100, Ralf S. Engelschall wrote:
> On Mon, Jan 13, 2003, Bill Campbell wrote:
> > [...]
> > May I suggest that this would be a bit clearer with some more
> > meaningful names, and roles. I'm still not absolutely clear about the
> > use of the opkg-n user.
> >
> > opkg        This is the user/group set that would be used by normal
> >             users on [...]
> > opkg-root   This is the manager with full read/write permissions
> >             throughout [...]
> > opkg-devel  Developer access which would have read/write access to
> >             [...]
> >
> > The actual user names should probably be opkgroot and opkgdev to
> > prevent problems with user names 8 characters long.
>
> Keep in mind that the name, name-n and name-r user/group ids are just
> _DEFAULTS_ and were chosen exactly because of the limited length
> restrictions on some platforms. You can force the use of _arbitrary_ names
> by using --{s,m,r,n}{usr,grp}=name on the openpkg-*.src.sh command line
> instead of --{user,group}=name. Nothing is hard-coded, so you can achieve
> your wish above with --susr=opkg-root --sgrp=opkg-root --musr=opkg
> --mgrp=opkg ...

I understand that. My suggestion pertained more to the documentation than
the implementation on the grounds that the names are familiar to Unix
admins and developers.

Bill

``We'll show the world we are prosperous, even if we have to go broke to do
it.'' -- Will Rogers