On Monday June 4 2007 03:29:21 am Jan Dvořák wrote:
> Robert Connolly wrote:
> > The libcap-1.10/doc/capability.notes file says it's more secure for root
> > to not own any files on the system. It suggests having a 'system' user,
> > who never logs in, owning everything that root would normally own. This
> > is true to an extent...
>
> Okay... Some random daemon running as root without root's fs caps gets
> cracked. There is /bin/su owned by root for sure, so he modifies it,
> makes it setuid again and then switches to some random uid and runs
> /bin/su that does what is required.
>
> Would that work? How do you defend against this, if it does?
Drop CAP_SETGID and CAP_SETUID too. It would work if /bin/su inherits capabilities, or lack of capabilities. Root would be able to overwrite /bin/su, but wouldn't be able to use even a modified /bin/su to elevate its capabilities.

There are holes in this though. If root has write access on /etc/shadow then the attacker can add a new user, replace root's password, start sshd, login as the new user, and su up to root with full caps. So, root can't own /etc/shadow... /bin/passwd would have to be suid-shadow. I'm not sure what to do with /usr/sbin/useradd... su to the shadow user to add users? or make useradd suid-shadow with only root, and shadow, having execute permission. Either way, a root user without setuid caps wouldn't be able to add new users, or change anyone's password.

There are probably more holes.

robert
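As an added example (not code from the thread, from HLFS or from libcap): a Python check that reads a daemon's capability sets from /proc/<pid>/status and reports whether CAP_SETUID or CAP_SETGID are still reachable, either held in the effective set now or recoverable by exec'ing a setuid-root binary such as a rewritten /bin/su, which the bounding set limits. Capability bit numbers follow linux/capability.h; the two status samples are constructed.

```python
import re

# Capability bit numbers from linux/capability.h (subset relevant here).
CAP_BITS = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP",
}
# The two caps the reply says a root daemon must lose so that a rewritten,
# re-setuid'ed /bin/su is useless to whoever has taken the daemon over.
ELEVATION_CAPS = ("CAP_SETUID", "CAP_SETGID")


def parse_cap_sets(status_text):
    """Extract the Cap* lines of /proc/<pid>/status as integer bitmasks."""
    sets = {}
    for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", status_text, re.M):
        sets[m.group(1)] = int(m.group(2), 16)
    return sets


def cap_names(mask):
    """Decode a capability bitmask into names (unknown bits become cap_N)."""
    return [CAP_BITS.get(b, f"cap_{b}") for b in range(mask.bit_length())
            if mask >> b & 1]


def leftover_elevation_caps(status_text):
    """Names from ELEVATION_CAPS the process holds now (CapEff) or could get
    back by exec'ing a setuid-root binary: on exec the kernel masks the file's
    capabilities with the bounding set (CapBnd), so a cap absent from CapBnd
    cannot come back through /bin/su however it has been modified."""
    sets = parse_cap_sets(status_text)
    reachable = sets.get("CapEff", 0) | sets.get("CapBnd", 0)
    return [c for c in ELEVATION_CAPS if c in cap_names(reachable)]


def audit_pid(pid):
    """Run the check against a live process (Linux only)."""
    with open(f"/proc/{pid}/status") as f:
        return leftover_elevation_caps(f.read())


# Constructed sample: uid-0 daemon whose bounding set still has bits 0-8.
SAMPLE_UNSAFE = "\n".join(["Name:\tsomed", "Uid:\t0\t0\t0\t0",
    "CapInh:\t0000000000000000", "CapPrm:\t00000000000001ff",
    "CapEff:\t00000000000001ff", "CapBnd:\t00000000000001ff", ""])
# Constructed sample: same daemon after bits 6-8 were dropped from every set.
SAMPLE_HARDENED = "\n".join(["Name:\tsomed", "Uid:\t0\t0\t0\t0",
    "CapInh:\t0000000000000000", "CapPrm:\t000000000000003f",
    "CapEff:\t000000000000003f", "CapBnd:\t000000000000003f", ""])
```

Run `audit_pid(<pid>)` on a live daemon; an empty list means neither cap is held now nor recoverable through a setuid exec.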
--
http://linuxfromscratch.org/mailman/listinfo/hlfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page
