> On Sep 14, 2020, at 7:43 AM, Ingo Schwarze <[email protected]> wrote:
> 
> Hi Theo,
> 
> Theo de Raadt wrote on Mon, Sep 14, 2020 at 04:06:08AM -0600:
>> Ingo Schwarze <[email protected]> wrote:
> 
>>> are used for.  Some such file systems may permit SUID and/or device
>>> files, so not checking them may be a dubious idea.
> 
>> The script could identify mountpoints with safer mount options and
>> reduce scanning on them.
>> 
>> That will also encourage admins to use restrictive mount options when
>> possible.
> 
> I think that is an interesting idea.  That would be the patch below.
> Given that the function find_special_files() looks for SUID, SGID,
> and device files, i suggest this logic: skip a mount point if any
> of the following is true:
> 
> - it does not have the "local" mount option
> - or it has both the "nodev" and the "nosuid" mount options
> 
> I don't think explicitly matching the parentheses is needed.
> The code below is simpler and possibly even more robust.
> 
> 
> There is one minor downside.  Some people will once get mails similar
> to the following:
> 
>  Setuid deletions:
>  -r-sr-xr-x 2 root ... Mar 29 15:58:55 2020 /co/destdir/base/sbin/ping
>  -r-sr-xr-x 2 root ... Mar 29 15:58:55 2020 /co/destdir/base/sbin/ping6
>  -r-sr-x--- 1 root ... Mar 29 15:58:56 2020 /co/destdir/base/sbin/shutdown
>  ...
> 
>  Device deletions:
>  crw------- 1 ... 79, 0 ... /usr/obj/distrib/amd64/ramdiskA/mr.fs.d/dev/bio
>  crw------- 1 ... 23, 0 ... /usr/obj/distrib/amd64/ramdiskA/mr.fs.d/dev/bpf
>  ...
> 
> Nothing changed on disk, but security(8) now skips some file systems.
> Then again, i don't think a one-time mail is a serious problem.
> 
> 
> I suspect the "$type" test is obsolete and can be deleted because
> i don't think any of the file system types afs, nnpfs, and procfs
> are supported nowadays, but since that is unrelated, i'm not proposing
> to change that in the same diff.  If people agree that should be
> deleted, i'll send a separate diff.
> 
> 
>> OTOH, Issues complained about a decade late... are often overblown.
> 
> Sure, but when somebody has a smart idea (like the one you just brought
> forward), there is nothing wrong with polishing small turds, too.
> 
> Opinions, concerns, tests, OKs?

Love the idea; however, the only drawback is if some Bad Person is twiddling 
around and leaves a suid or dev around on a file system that is nosuid or 
nodev, you lose visibility.

Then again, they own the box... so it’s not really helpful catching the real 
Predators.

Maybe an option to always scan regardless of fs options?

>  Ingo
> 
> 
> Index: security
> ===================================================================
> RCS file: /cvs/src/libexec/security/security,v
> retrieving revision 1.38
> diff -u -p -r1.38 security
> --- security    27 Dec 2016 09:17:52 -0000    1.38
> +++ security    14 Sep 2020 11:13:47 -0000
> @@ -540,9 +540,10 @@ sub find_special_files {
>        "cannot spawn mount: $!"
>        and return;
>    while (<$fh>) {
> -        my ($path, $type) = /\son\s+(.*?)\s+type\s+(\w+)/;
> +        my ($path, $type, $opt) = /\son\s+(.*?)\s+type\s+(\w+)(.*)/;
>        $skip{$path} = 1 if $path &&
> -            ($type =~ /^(?:a|nnp|proc)fs$/ || !/\(.*local.*\)/);
> +            ($type =~ /^(?:a|nnp|proc)fs$/ || $opt !~ /local/ ||
> +             ($opt =~ /nodev/ && $opt =~ /nosuid/));
>    }
>    close_or_nag $fh, "mount" or return;
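Review bot: the new skip test on `$opt` (`$opt =~ /nodev/ && $opt =~ /nosuid/`) removes coverage exactly where the kernel enforces those options, so a SUID binary or device node that is still present on a nosuid/nodev file system stops being reported at all; since the rest of the thread already flags this as the trade-off, it would be worth an explicit override that scans every local file system regardless of options, plus a sentence in security(8) describing the new skip rule so the one-time "deletions" mail does not surprise admins. A smaller point: `$opt !~ /local/`, `/nodev/` and `/nosuid/` are unanchored substring matches against everything after the type field, so `/\blocal\b/`-style word boundaries would make the test a little more defensive at no cost.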
> 
> 

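To see what the proposed skip rule does on concrete input, here is an added stand-alone example (not code from security(8) or from this thread): it feeds a handful of constructed mount(8)-style lines through the same regex and skip expression the diff above proposes and reports which mount points find_special_files() would leave unscanned. The mount lines, device names and mount points are invented for the example; the function name skipped_mount_points is also an assumption.

```perl
#!/usr/bin/perl
# Added example: replay the skip logic from the proposed security(8) diff on
# constructed mount(8)-style lines.  Nothing here touches the real system.
use strict;
use warnings;

# Constructed sample lines in the format mount(8) prints on OpenBSD.
my @mount_lines = (
    '/dev/sd0a on / type ffs (local)',
    '/dev/sd0d on /tmp type ffs (local, nodev, nosuid)',
    '/dev/sd0e on /home type ffs (local, nodev, nosuid, softdep)',
    '/dev/sd0f on /usr type ffs (local, nodev)',
    'mfs:12345 on /mnt/mfs type mfs (asynchronous, local, nodev, nosuid, size=65536)',
    'nfsserver:/export on /net/export type nfs (nfs v3, nodev, nosuid)',
    '/dev/sd1a on /co type ffs (local, nosuid)',
);

# Returns a hash keyed by mount point with the value 1 for every mount point
# the diff's rule would skip: type afs/nnpfs/procfs, not "local", or both
# "nodev" and "nosuid" set.  The regex and the condition are the diff's own.
sub skipped_mount_points {
    my @lines = @_;
    my %skip;
    for (@lines) {
        my ($path, $type, $opt) = /\son\s+(.*?)\s+type\s+(\w+)(.*)/;
        $skip{$path} = 1 if $path &&
            ($type =~ /^(?:a|nnp|proc)fs$/ || $opt !~ /local/ ||
             ($opt =~ /nodev/ && $opt =~ /nosuid/));
    }
    return %skip;
}

my %skip = skipped_mount_points(@mount_lines);
for my $line (@mount_lines) {
    my ($path) = $line =~ /\son\s+(.*?)\s+type\s/;
    printf "%-12s %s\n", $path, $skip{$path} ? 'skipped' : 'scanned';
}
```

With these inputs / , /usr and /co are still scanned (no option or only one of nodev/nosuid), while /tmp, /home and /mnt/mfs are skipped for carrying both nodev and nosuid and /net/export is skipped for not being local. The /co line illustrates the visibility trade-off raised in the reply: a file system mounted with only nosuid keeps being scanned, but as soon as nodev is added as well, any SUID binary that was reported from it before would appear once under "Setuid deletions" and then disappear from the report.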