Re: moko running everything as root
On Wed, Jun 18, 2008 at 6:24 PM, Kevin Dean [EMAIL PROTECTED] wrote:
> On Wed, Jun 18, 2008 at 4:26 PM, Knight Walker [EMAIL PROTECTED] wrote:
>> The root/user separation is the most fundamental part of a security policy and here is why. Root is by its nature not only unrestricted but unrestrictable (I think I just made up a new word). A non-root user can only destroy the data that user owns. Now while on the conventional desktop, user johndoe owns all his MP3s and pr0n and thus can delete and otherwise destroy them; on the Moko platform, the extensive use of DBus makes destruction of the most important part more difficult.
>>
>> What I'm saying is that (where possible) a daemon holds the important data (PIM data, calendar data, etc) and is capable of restricting what the user can do with it. The user account communicates with this daemon (via DBus or whatever) and gets the data the user wants while protecting the same. Both being normal users, they are not allowed to step on each other, but if the user is root, then someone with malicious intents can exploit that user account to step on the guardian account, either causing a DoS (crash) or actually manipulating/destroying data.
>
> Actually, I think you've just sold me. I'm thinking about Openmoko a lot like I think of a desktop system (having looked at the way the data is on Om currently) that holds everything as a file, and while it may be true, from an action perspective passing information through a non-root, non-user daemon exposes that information to the user in a way that's more than simply dealing with a file. That's the goal of the ASU/zhone and it's a management case I wasn't even thinking of. Tradition bit me in the ass, thanks for spelling that one out for me, I like it a lot. :)

Hmm, are we talking about one unix login name per app? Not unlike what you do for mysql, etc.

Some good advantages:

1. Applications can't hurt each other, or the system.
2. Backing up an app is simple: tar czvf /tmp/app.tar.gz /home/app
   Really useful when doing software dev. Just copy the folder to one with another name, chmod -R 000 it.
3. An unusually transparent way to figure out what an app is storing.

Maybe they could have their homes somewhere less anthropological? Such as /usr/share/apps/foo? Where the permissions are set up the same (read-only for everyone, except the owning user?) The real user of the phone can use sudo to get to what they need.

--
H. Lally Singh
Ph.D. Candidate, Computer Science
Virginia Tech

___
Openmoko community mailing list
community@lists.openmoko.org
http://lists.openmoko.org/mailman/listinfo/community
Re: moko running everything as root
When I think about it, I realize that it is important that the device is secure to use on a network. Someday the Openmoko devices will support stuff like flash, java, java script and much more. When this device connects to the Internet, and the client on the device runs as an unprivileged user, the security risks are dramatically reduced.

The user's data can be divided into two categories: normal and sensitive. The sensitive data can be protected in some way (only accessible to the superuser or on an encrypted place).

What about the 4 users model:

root:
- only for root stuff

superuser:
- for accessing sensitive/personal data
- may be encrypted

normal:
- the normal user mode

nobody:
- restricted
- cannot run sudo
- can not do any harm to the system
- no direct hardware access
- can not access sensitive data
- should be used for untrusted things (games, network)

If the device owner wants less security, it is just to log in as superuser or even root. With this kind of setup, the freedom of choice belongs to the user.
Re: moko running everything as root
On Mon, 2008-06-16 at 14:41 -0400, Kevin Dean wrote:
> You dispute that the user data is the most important part of the mobile device experience?

No one (that I've seen thus far) is arguing that the user data is not the most irreplaceable (and to the user, important) part of a mobile device. What most everyone seems to be arguing is that running EVERYTHING as root for convenience is opening us up to a world of possibilities, all of them bad.

> My previous e-mail has been clear - I WANT security on the device. However, I simply don't believe that the root/user separation is the most important consideration in that regard. You tossed out some great security ideas, ones I'd personally put time into doing on my own device, but with all due respect, you're saying my statements are nonsense and then offering solutions that (while they work) aren't what I was saying. Protecting user data is key so encryption and a built-in, fully automated backup system is something I think would be a GREAT thing to have. But it doesn't refute my point at all - a non-root user can destroy the most critical part of the system and doesn't need root to do it. Implementing a root/user separation itself doesn't mitigate this risk. I agree that this risk needs to be mitigated, I simply don't believe that the root/user split does much to lessen the risks.

The root/user separation is the most fundamental part of a security policy and here is why. Root is by its nature not only unrestricted but unrestrictable (I think I just made up a new word). A non-root user can only destroy the data that user owns. Now while on the conventional desktop, user johndoe owns all his MP3s and pr0n and thus can delete and otherwise destroy them; on the Moko platform, the extensive use of DBus makes destruction of the most important part more difficult.

What I'm saying is that (where possible) a daemon holds the important data (PIM data, calendar data, etc) and is capable of restricting what the user can do with it. The user account communicates with this daemon (via DBus or whatever) and gets the data the user wants while protecting the same. Both being normal users, they are not allowed to step on each other, but if the user is root, then someone with malicious intents can exploit that user account to step on the guardian account, either causing a DoS (crash) or actually manipulating/destroying data.

I guess what I'm actually saying is that moving from an unrestricted account (root) to a restricted account (user) won't automagically buy us protection from all data-loss possibilities, but the mindset of moving to a normal user account is a core principle of a real security architecture.

Ideally, something like an SELinux policy would be able to restrict capabilities without requiring different user accounts to do it (e.g. anything running as browser_r cannot talk to anything running as sms_r even though they're the same user). And if you're worried about deleting random data, a fairly simple chown/chmod will protect against that. That stuff doesn't work if the user you're guarding against is root.

> That's correct if the data is encrypted but encryption isn't what's being tossed around here. If all your data is stored in the clear, and an intruder has physical access to the device, the distinctions between root and non-root user don't matter. That's what I'm saying.

That also depends on how long the malicious user has physical access and how fast the malicious user works. If the malicious user has only a few minutes and isn't proficient in cracking OM devices, the chances of damage are less. If the user can't keep good physical control of the device, then yes, they'll get pwn3d eventually, but no one I know of is that careless with their phones anymore. Even the non-geeky don't let their phones out of their sight for more than a few minutes.

Now I'm not saying that such careless users don't exist, just that physical access and the root/user differentiation are not the same problem, and one should not override the other. Encryption is another matter, and one I will want addressed before too long. I've got some ideas on how it can be done, but I'll need to see more of the OM system live before I can begin to decide if my ideas are feasible or if they need changing.

-KW
Re: moko running everything as root
Knight Walker wrote:
> Encryption is another matter, and one I will want addressed before too long. I've got some ideas on how it can be done, but I'll need to see more of the OM system live before I can begin to decide if my ideas are feasible or if they need changing.
>
> -KW

Encryption is of interest to all and it would be very useful to start some threads about that once the devices start to trickle out. I agree.

Rob
Re: moko running everything as root
On Wed, Jun 18, 2008 at 4:26 PM, Knight Walker [EMAIL PROTECTED] wrote:
> The root/user separation is the most fundamental part of a security policy and here is why. Root is by its nature not only unrestricted but unrestrictable (I think I just made up a new word). A non-root user can only destroy the data that user owns. Now while on the conventional desktop, user johndoe owns all his MP3s and pr0n and thus can delete and otherwise destroy them; on the Moko platform, the extensive use of DBus makes destruction of the most important part more difficult.
>
> What I'm saying is that (where possible) a daemon holds the important data (PIM data, calendar data, etc) and is capable of restricting what the user can do with it. The user account communicates with this daemon (via DBus or whatever) and gets the data the user wants while protecting the same. Both being normal users, they are not allowed to step on each other, but if the user is root, then someone with malicious intents can exploit that user account to step on the guardian account, either causing a DoS (crash) or actually manipulating/destroying data.

Actually, I think you've just sold me. I'm thinking about Openmoko a lot like I think of a desktop system (having looked at the way the data is on Om currently) that holds everything as a file, and while it may be true, from an action perspective passing information through a non-root, non-user daemon exposes that information to the user in a way that's more than simply dealing with a file. That's the goal of the ASU/zhone and it's a management case I wasn't even thinking of. Tradition bit me in the ass, thanks for spelling that one out for me, I like it a lot. :)

> I guess what I'm actually saying is that moving from an unrestricted account (root) to a restricted account (user) won't automagically buy us protection from all data-loss possibilities, but the mindset of moving to a normal user account is a core principle of a real security architecture.
>
> Ideally, something like an SELinux policy would be able to restrict capabilities without requiring different user accounts to do it (e.g. anything running as browser_r cannot talk to anything running as sms_r even though they're the same user). And if you're worried about deleting random data, a fairly simple chown/chmod will protect against that. That stuff doesn't work if the user you're guarding against is root.
>
>> That's correct if the data is encrypted but encryption isn't what's being tossed around here. If all your data is stored in the clear, and an intruder has physical access to the device, the distinctions between root and non-root user don't matter. That's what I'm saying.
>
> That also depends on how long the malicious user has physical access and how fast the malicious user works. If the malicious user has only a few minutes and isn't proficient in cracking OM devices, the chances of damage are less. If the user can't keep good physical control of the device, then yes, they'll get pwn3d eventually, but no one I know of is that careless with their phones anymore. Even the non-geeky don't let their phones out of their sight for more than a few minutes.
>
> Now I'm not saying that such careless users don't exist, just that physical access and the root/user differentiation are not the same problem, and one should not override the other. Encryption is another matter, and one I will want addressed before too long. I've got some ideas on how it can be done, but I'll need to see more of the OM system live before I can begin to decide if my ideas are feasible or if they need changing.
>
> -KW
Re: moko running everything as root
On Sat, Jun 14, 2008 at 01:09:03AM +0200, Flemming Richter Mikkelsen wrote:
>> What are the engineering reasons for this?
>
> The reason is that the user normally wants to run a lot of root applications such as rdate, power off, opkg, etc. Of course this should be solved, but it should not be a top priority.

Personally, I want to use my Freerunner as a satellite device for my own set of personal and corporate data, via a secured network of some sort. For me, that means I need to be able to trust the Freerunner, and if so many 'user' apps run as root, then I can't trust that.

Perhaps even worse than data destruction would be data pilfering; think 'identity theft' and 'fraud' for a start.

The moment that you connect a device to anything resembling a network, you can no longer consider the device to be 'single user'.

Regards, Msquared...
Re: moko running everything as root
Francesco Albanese wrote:
> As I already pointed out, re-establishing the correct privilege isolation is a fundamental step to enforce security, even though the phone will have only 1 user. In the future we should have a few root processes, dedicated accounts for daemons and an X session belonging to the user. IMHO it could be a good idea to suppress the root account and to take full advantage of the PAM+SUDO facility.
>
> F.A.

100% agreed. The moko isn't a phone ... it's a smart phone. This needs to be done right from the start if possible.

Rob
Re: moko running everything as root
Kevin Dean wrote:
> the om represents a device more powerful than the computer linux was developed on. i am not sure i understand you correctly, but for me it sounds like you're saying user/group separation is meaningful for servers only (and only because physical access can be prevented), for end user computers, laptops specifically, it is a waste. if so, you are pretty much alone with this understanding.
>
> what bothers me: as far as i understand the vast majority of applications is ported from existing linux distributions or just recompiled -- so, why would one disable the user/group principle the apps obey on their native platform? ubuntu for one works rather well with that wheel/sudo way and even on non-ubuntu systems users are able to run a lot of root applications such as rdate, power off, opkg, etc. w/o being root all the time.

I agree with this. The power of Linux is that we have NEVER developed a culture of bad habits like in the Windows world. Their EXACT problem is they trained their users to be lazy and stupid. Linux users are FORCED to learn about security even at a bare minimum level and thus develop very good habits. Thus, no matter what MS now tries, they are stuck dealing with a BADLY trained population while even with the success of things like Ubuntu you have noobs basically learning NOT to run as root. It's about culture, not EASE OF USE.

Rob
Re: moko running everything as root
Kevin Dean wrote:
> I understand how and why permission separations exist. :) What I'm saying is that if we sit back and evaluate how this device is going to be used in the vast majority of cases, you'll realize that unlike a desktop or server system, the data that a non-root user can delete is as bad, or perhaps even WORSE than destroying the system integrity itself.

Famous last words buddy boy. C'mon people, do you not realize that the moko carries more processing power than most desktop computers up to what, 1997? Are you seriously thinking that the Windows 98 way of thinking with THAT MUCH power is sensible? Is everyone this delusional?

C'mon people, in the age where people are losing laptops with gigs of sensitive data, WE NEED MORE security measures not less. We need proper linux security implementation, we need encrypted home directories and who knows what else we will have to get working. Certainly we have already talked about the idea of a blackberry style proxy server, a policies framework (i'd like to see this via actually running kde4 on this device but that's a topic for another cpu), lockdown and talkback mechanism, etc.

The problem here isn't WHAT YOU want the device to be. The problem here is WHAT WE ALL want the device to be. Please remember that when the hardware becomes powerful enough, the essential difference in utility then falls on software. If you want a phone only, you should be able to get a software profile that gets you that. If you want a laptop in a pocket you should be able to get a profile for that. The solution to the problem effectively is profiles via a centralized/decentralized policies framework. Those that want a phone and everything running as root should be FORCED to make that decision manually so that when things go wrong THEY GET BLAMED and not the community. For the rest of us, we will enjoy feature creep and an ever greater ability to do on the cell what we normally do on the laptop.

In the meantime I'm just glad to get an open device, our exposure is minimal in this run. I just hope this changes down the road as no technical reasons seem to be popping up to justify this.

Rob
Re: moko running everything as root
Kevin Dean wrote:
> In the mobile world, there is NOTHING more important than the user's data. Nothing. And in the mobile world, you can implement root priv separations till the cows come home, but it doesn't eliminate the fact that the most vulnerable part of the system is being put at risk still.

This is nonsense. Encrypt the data and have it backed up via policy/service/etc.

You cannot separate security from a device this powerful. Hell you cannot separate security from even crappy devices. Hell we now live in an age where frickin printers come with full webservers with ssh/ftp/telnet and are now a security risk as much as any desktop.

Despite the common belief, PHYSICAL access to a device DOES NOT GUARANTEE physical access to data. A good enough key with a proper authentication scheme will keep the frickin NSA busy for 10's of thousands of years. Let's not kid ourselves. Security is of the utmost importance ESPECIALLY IN A WIRELESS WORLD.

If you think Bluejacking was nothing, just wait until you start owning these puppies during a walk by - hell, I have plans for making a carrying bag with a full spectrum of equipment and antennas that does nothing BUT sniff out wireless devices in an attempt to own them just for fun. How long do you think a root privileged device like this would last under such circumstances?

The world is getting MORE HAZARDOUS not less, with the full power of laptops only 10 years old or less in our pockets how can anyone think this is not a serious consideration?

Rob
Re: moko running everything as root
Joerg Reisenweber wrote:
> If you have root AND user, root can make a backup copy of user's valuable data every once in a while, and user or the virus she imported while browsing the web can NOT destroy this backup. I can't follow your arguments. It's NOT an evil person we need to fence in, it's bad behaviour of applications that go nuts on (virus|bug|user fault|*)
>
> If we don't start to care about this topic NOW, we will see lots of poorly designed apps that rely on having root access where they shouldn't, and we end up in a situation like M$, where the whole system is so much root-centric that you simply can't switch to a sane user-management anymore, because it would break half the system. To fix those apps later is a major PITA.
>
> I just talked to Wolfgang Spraul and he answered:
>> But right now we are selling to hardcore developers only, so it's not our #1 priority. Once our software becomes more stable and mature, this needs to be addressed seriously. The good news is that the FOSS community is pretty paranoid about this, so I'm sure over time we will have a good solution. It's a FOSS project and you are the community, so just contribute!
>
> I'd say, do it *now*, as long as it's easy.
>
> cheers
> jOERG

Hear hear. I would be willing to sacrifice any future features in favour of working on this first. As I think about the implications of this more and more it's clear: Linux wins the security war not because of technology BUT BECAUSE OF OUR CULTURE. It is the culture of our users that makes us safer. Hell, even Ubuntu is able to get noobs to follow the simplest security measures such as not running as root, surely we can do the same. I say let's learn from the mistake of M$ and let's out-think them because we sure as hell aren't going to outcompete them.

Rob
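Two ideas from this thread fit together in one script: Lally's one-account-per-app layout with homes under /usr/share/apps/<app>, and Joerg's point that a backup taken by root is out of reach of the app (or the virus it imported). The script below is an added example, not Openmoko project code; the account and directory names are constructed, and PREFIX is an assumed staging knob so the layout can be tried without root.

```shell
#!/bin/sh
# Added example (not Openmoko project code): one Unix account per app with
# its home under /usr/share/apps/<app>, as Lally proposes, plus the
# root-owned snapshot Joerg describes, which the app user cannot delete.
# Assumptions: run as root on the device. PREFIX (default empty) stages
# the whole tree under a scratch directory; in that mode no account is
# created, so the layout can be inspected without root.
set -eu

PREFIX="${PREFIX:-}"

# Home is 0750: the app user reads and writes, its group may read, and
# every other account, including the phone's normal user, gets nothing.
# The account gets no login shell; the phone user reaches the data via
# sudo, as the thread suggests, not by logging in as the app.
make_app_user() {
    app="$1"
    home="$PREFIX/usr/share/apps/$app"
    mkdir -p "$home"
    chmod 0750 "$home"
    if [ -z "$PREFIX" ] && [ "$(id -u)" -eq 0 ]; then
        id "$app" >/dev/null 2>&1 ||
            useradd -r -d "$home" -s /sbin/nologin "$app"
        chown "$app:$app" "$home"
    fi
    echo "$home"
}

# Snapshot the app's home into a directory only root can enter. Because
# the app runs as its own unprivileged user, neither a bug in it nor a
# compromise of it can list, overwrite or unlink an earlier snapshot.
backup_app() {
    app="$1"
    bdir="$PREFIX/var/backups/apps"
    mkdir -p "$bdir"
    chmod 0700 "$bdir"
    out="$bdir/$app-$(date +%Y%m%d%H%M%S).tar.gz"
    # -C with a relative member name keeps absolute paths out of the archive
    tar czf "$out" -C "$PREFIX/usr/share/apps" "$app"
    echo "$out"
}

# Usage on the device: ./apps.sh add calendar ; ./apps.sh backup calendar
if [ $# -ge 2 ]; then
    case "$1" in
        add)    make_app_user "$2" ;;
        backup) backup_app "$2" ;;
    esac
fi
```

Restoring is the reverse tar call run by root into the app's home; the app user never needs write access to /var/backups/apps.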
Re: moko running everything as root
I didn't read through the whole thread (I'm short on time, sorry), but having users would be part of a good security in depth structure. You talk about compromising data, but never think of other things. For example: I have access for some seconds to the phone. Running as root, I change the DNS to point to evil.com, which simply mirrors another DNS, with the little addition that bank.com goes to evil-phishing-copy-of-my-bank.com, and knowing the phone's owner, I probably know his bank.

Other use case: I go to Starbucks, someone accesses my phone, and opens a simple two-way ssh tunnel to evil.com. Then, when the moko is logged in at the fortune-500 company this guy works for, the bad guy logs in through this ssh-tunnel (going through GPRS), and is behind the firewalls, IDS, etc, all undetected.

You want more use cases?

On Mon, Jun 16, 2008 at 6:26 PM, Robert Taylor [EMAIL PROTECTED] wrote:
> Joerg Reisenweber wrote:
>> If you have root AND user, root can make a backup copy of user's valuable data every once in a while, and user or the virus she imported while browsing the web can NOT destroy this backup. I can't follow your arguments. It's NOT an evil person we need to fence in, it's bad behaviour of applications that go nuts on (virus|bug|user fault|*)
>>
>> If we don't start to care about this topic NOW, we will see lots of poorly designed apps that rely on having root access where they shouldn't, and we end up in a situation like M$, where the whole system is so much root-centric that you simply can't switch to a sane user-management anymore, because it would break half the system. To fix those apps later is a major PITA.
>>
>> I just talked to Wolfgang Spraul and he answered:
>>> But right now we are selling to hardcore developers only, so it's not our #1 priority. Once our software becomes more stable and mature, this needs to be addressed seriously. The good news is that the FOSS community is pretty paranoid about this, so I'm sure over time we will have a good solution. It's a FOSS project and you are the community, so just contribute!
>>
>> I'd say, do it *now*, as long as it's easy.
>>
>> cheers
>> jOERG
>
> Hear hear. I would be willing to sacrifice any future features in favour of working on this first. As I think about the implications of this more and more it's clear: Linux wins the security war not because of technology BUT BECAUSE OF OUR CULTURE. It is the culture of our users that makes us safer. Hell, even Ubuntu is able to get noobs to follow the simplest security measures such as not running as root, surely we can do the same. I say let's learn from the mistake of M$ and let's out-think them because we sure as hell aren't going to outcompete them.
>
> Rob

--
George Carlin - Frisbeetarianism is the belief that when you die, your soul goes up on the roof and gets stu...
Re: moko running everything as root
On Mon, Jun 16, 2008 at 12:23 PM, Robert Taylor [EMAIL PROTECTED] wrote:
> Kevin Dean wrote:
>> In the mobile world, there is NOTHING more important than the user's data. Nothing. And in the mobile world, you can implement root priv separations till the cows come home, but it doesn't eliminate the fact that the most vulnerable part of the system is being put at risk still.
>
> This is nonsense.

You dispute that the user data is the most important part of the mobile device experience?

> Encrypt the data and have it backed up via policy/service/etc.

My previous e-mail has been clear - I WANT security on the device. However, I simply don't believe that the root/user separation is the most important consideration in that regard. You tossed out some great security ideas, ones I'd personally put time into doing on my own device, but with all due respect, you're saying my statements are nonsense and then offering solutions that (while they work) aren't what I was saying.

Protecting user data is key so encryption and a built-in, fully automated backup system is something I think would be a GREAT thing to have. But it doesn't refute my point at all - a non-root user can destroy the most critical part of the system and doesn't need root to do it. Implementing a root/user separation itself doesn't mitigate this risk. I agree that this risk needs to be mitigated, I simply don't believe that the root/user split does much to lessen the risks.

> You cannot separate security from a device this powerful. Hell you cannot separate security from even crappy devices. Hell we now live in an age where frickin printers come with full webservers with ssh/ftp/telnet and are now a security risk as much as any desktop.
>
> Despite the common belief, PHYSICAL access to a device DOES NOT GUARANTEE physical access to data.

That's correct if the data is encrypted but encryption isn't what's being tossed around here. If all your data is stored in the clear, and an intruder has physical access to the device, the distinctions between root and non-root user don't matter. That's what I'm saying.

> A good enough key with a proper authentication scheme will keep the frickin NSA busy for 10's of thousands of years. Let's not kid ourselves. Security is of the utmost importance ESPECIALLY IN A WIRELESS WORLD.

I agree.

> If you think Bluejacking was nothing, just wait until you start owning these puppies during a walk by - hell, I have plans for making a carrying bag with a full spectrum of equipment and antennas that does nothing BUT sniff out wireless devices in an attempt to own them just for fun. How long do you think a root privileged device like this would last under such circumstances?
>
> The world is getting MORE HAZARDOUS not less, with the full power of laptops only 10 years old or less in our pockets how can anyone think this is not a serious consideration?
>
> Rob
Re: moko running everything as root
> User John running sudo rm -rf /* is better than root running rm -rf /* because...?

Because sudo can be configured to accept users in certain groups to run certain commands with or without a password. rm can be restricted, whereas opkg can be permitted without password.

IMO, running everything as root introduces a whole world of possible exploitations without any real benefits.

--mikael
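The sudoers policy Mikael describes (opkg allowed without a password, rm not) can be written down directly, and it also maps onto the root/superuser/normal/nobody tiers proposed earlier in the thread. The script below is an added example, not Openmoko project code: the group names phone and phoneadmin and the file path are assumptions, and the weak rule is shown only as the commented-out contrast.

```shell
#!/bin/sh
# Added example (not Openmoko project code): the sudo policy Mikael
# describes (opkg without a password, rm not permitted) laid over the
# root/superuser/normal/nobody tiers proposed earlier in the thread.
# Group names (phoneadmin, phone) and the file path are assumptions.
# Run as root on the device; for a dry run pass a scratch file path.
set -eu

write_policy() {
    cat > "$1" <<'EOF'
# Weak setting the thread argues against: a blanket rule that makes
# "sudo rm -rf /*" exactly as easy as running everything as root.
#   %phone ALL = (ALL) NOPASSWD: ALL

Cmnd_Alias PKG   = /usr/bin/opkg
Cmnd_Alias POWER = /sbin/poweroff, /sbin/reboot, /usr/bin/rdate

# Re-prompt on every use for the normal tier and keep an audit trail.
Defaults:%phone timestamp_timeout=0
Defaults        logfile=/var/log/sudo.log

# normal tier: package management without a password, power commands
# with one. rm needs no deny rule: sudoers is default-deny, so anything
# not listed here (rm, sh, su) is refused. Note that NOPASSWD opkg still
# lets this group install packages whose maintainer scripts run as root,
# so it is a trust decision the phone owner makes knowingly.
%phone      ALL = NOPASSWD: PKG, PASSWD: POWER

# superuser tier ("log in as superuser"): everything, password required.
%phoneadmin ALL = (ALL) ALL

# nobody/untrusted tier (games, network-facing apps): no entry at all,
# so sudo refuses every command for it.
EOF
    # sudo refuses to read a sudoers file that is group/world writable
    chmod 0440 "$1"
}

# visudo -c parses without installing. A syntax error in sudoers.d can
# lock everyone out of sudo, so never skip this on a real install.
check_policy() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1"
    else
        echo "visudo not found; policy written but not syntax-checked" >&2
    fi
}

# Usage on the device: ./policy.sh /etc/sudoers.d/openmoko
if [ $# -ge 1 ]; then
    write_policy "$1"
    check_policy "$1"
fi
```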
Re: moko running everything as root
As I already pointed out, re-establishing the correct privilege isolation is a fundamental step to enforce security, even though the phone will have only 1 user. In the future we should have a few root processes, dedicated accounts for daemons and an X session belonging to the user. IMHO it could be a good idea to suppress the root account and to take full advantage of the PAM+SUDO facility.

F.A.

On Fri, Jun 13, 2008 at 11:29 PM, Robert Taylor [EMAIL PROTECTED] wrote:
> Peter Nijs wrote:
>> no problems. what i don't want is people to get their hopes up. this was in the context of people asking if they can play vga video and me going good luck!. there is reality - and you can sit and hack away spend lots of time and get 1 case to work, and work well. as i said - it will depend on codec, bitrate, quality etc. mpeg4 decode in hw is great - but remember it is also limiting to just mp4 - all your mpeg1, ogg, etc. videos will not work. also as long as mplayer is accessing glamo hardware it must run as root. admittedly we run everything as root - but come the day when we don't... this is trouble.
>
> Hi. Can someone clear up for me why everything runs as root? When I heard the iPhone ran everything as root I kinda sneered at it but now I can't be so smug. What are the engineering reasons for this?
>
> Rob
Re: moko running everything as root
On Sun, 15 June 2008, Mikael Lammentausta wrote:
>> User John running sudo rm -rf /* is better than root running rm -rf /* because...?
>
> Because sudo can be configured to accept users in certain groups to run certain commands with or without a password. rm can be restricted, whereas opkg can be permitted without password.
>
> IMO, running everything as root introduces a whole world of possible exploitations without any real benefits.

YEP, exactly. Really wonder whether ssh is open to GPRS :-o (I had to fire up GPRS to check, my simcard doesn't allow right now. shame on me :-/ )

For sure it's not a good idea to run the web-browser as root.

/jOERG
Re: moko running everything as root
On Sun, 2008-06-15 at 16:39 +0200, Joerg Reisenweber wrote:
> YEP, exactly. Really wonder whether ssh is open to GPRS :-o (I had to fire up GPRS to check, my simcard doesn't allow right now. shame on me :-/ )
>
> For sure it's not a good idea to run the web-browser as root.

Last I checked yes. So, you know, I pretty quickly set a root password :]

--
Mikko Rauhala - [EMAIL PROTECTED] - URL:http://www.iki.fi/mjr/
Transhumanist - WTA member - URL:http://www.transhumanism.org/
Singularitarian - SIAI supporter - URL:http://www.singinst.org/
Re: moko running everything as root
On Sat, Jun 14, 2008 at 4:25 AM, arne anka [EMAIL PROTECTED] wrote:
> will tell you that having those kind of permissions systems when the INTRUDER has physical access to the device is next to pointless.

the om is connected via wlan or bluetooth -- thus allowing hacking into it (if it is not possible right now it will be some day). thus the user does not necessarily notice if there's an intruder. second: what ways are there to boot the om _without_ destroying all data? if you need to hack the password for the root account to be able to manipulate existing data, there's another fence to jump.

> What benefit does having things like OPKG SUID give us that having opkg run as root doesn't?

only opkg is run, not everything possible. logging in as root opens a world of ways to harm your data, either by accident or deliberately. exploiting suid requires a bug in the program suid'd.

> User John running sudo rm -rf /* is better than root running rm -rf /* because...?

see above. you can configure which commands/programs may be run with sudo. and user john is not every user -- a user able to run sudo needs to belong to a specific group, configurable as well.

> If you want security, unprivileged users must NOT EVER be able to run privileged commands.

see above. have various roles.

> This assumption doesn't exactly hold when the entire filesystem is small enough to be put in one's pocket.

the om represents a device more powerful than the computer linux was developed on. i am not sure i understand you correctly, but for me it sounds like you're saying user/group separation is meaningful for servers only (and only because physical access can be prevented), for end user computers, laptops specifically, it is a waste. if so, you are pretty much alone with this understanding.

what bothers me: as far as i understand the vast majority of applications is ported from existing linux distributions or just recompiled -- so, why would one disable the user/group principle the apps obey on their native platform? ubuntu for one works rather well with that wheel/sudo way and even on non-ubuntu systems users are able to run a lot of root applications such as rdate, power off, opkg, etc. w/o being root all the time.
Re: moko running everything as root
Firstly, sorry for the blank reply. Accidentally double clicked and send is in the same spot. :P

On Sat, Jun 14, 2008 at 4:25 AM, arne anka [EMAIL PROTECTED] wrote:
> only opkg is run, not everything possible. logging in as root opens a world of ways to harm your data, either by accident or deliberately. exploiting suid requires a bug in the program suid'd.

I understand how and why permission separations exist. :) What I'm saying is that if we sit back and evaluate how this device is going to be used in the vast majority of cases, you'll realize that unlike a desktop or server system, the data that a non-root user can delete is as bad, or perhaps even WORSE than destroying the system integrity itself. I'm not saying we should abandon security as a concern. But realistically speaking, a mobile device DOES have different concerns than a desktop or a server. Focusing on system internals on Openmoko while ignoring the fact that remote users can destroy vital, NON root, important data is just busy work.

>> User John running sudo rm -rf /* is better than root running rm -rf /* because...?
>
> see above. you can configure which commands/programs may be run with sudo.

I understand this. Take a step back for a second and really evaluate the device's marketed purpose though. The point of sudo and the like are to ensure that a non-root user can't hose the system, right? A non-root user might need to be able to install a printer so you can give that user access to CUPS commands. In the traditional UNIX file system, having /usr destroyed is significantly bigger of an issue than having /tmp destroyed in most cases. In a network environment, you defend the important stuff dearly, and accept a certain level of risk with every little blurb you give to a non-root user. In the mobile world, there is NOTHING more important than the user's data. Nothing.

And in the mobile world, you can implement root priv separations till the cows come home, but it doesn't eliminate the fact that the most vulnerable part of the system is being put at risk still. Please understand I'm not saying Ignore security, I'm a big fan of security. :) I'm simply trying to look at this in a way that's suited to the use cases rather than tradition.

>> If you want security, unprivileged users must NOT EVER be able to run privileged commands.
>
> see above.

Perhaps I needed to make this distinction. When I said a user in this case, I don't mean a line in /etc/passwd but a flesh and blood person. You running sudo some-command is a user running a privileged command. Sudo is a way to allow users to have SOME of the powers of root, while limiting them from using others. If UNIX user john has sudo permissions to remove packages, and that UNIX account is compromised, it is AS bad as if root itself had a shell on the box - the intruder on the system can hose it.

> i am not sure i understand you correctly, but for me it sounds like you saying user/group separation is meaningful for servers only (and only because physical access can be prevented), for end user computers, laptops specifically, it is a waste. if so, you are pretty much alone with this understanding.

I'm not saying that at all. I'm quite happy that I can log in as kevin and not root on my desktop system. I AM saying, however, that on a mobile device the value of each chunk of the filesystem is different than on a desktop workstation, a laptop and CERTAINLY a server. And taking into account traditional things because they're traditional isn't always the most suited solution to the environment.

> what bothers me: as far as i understand the vast majority of applications is ported from existing linux distributions or just recompiled -- so, why would one disable the user/group principle the apps obey on their native platform?

Because the system they obey is designed for an environment where protection of the system is more important than protection of non-root data.

> ubuntu for one works rather well with that wheel/sudo way and even on non-ubuntu systems users are able to run a lot of root applications such as rdate, power off, opkg, etc. w/o being root all the time.

If you check the Ubuntu mailing lists back to the days of Warty you'll see that there were people objecting to the use of sudo for the same reason that people are calling for root/user split. Allowing a compromised non-root user to have access to system internals was heresy! Objectively speaking, no system on a public network is secure - security is simply the amount of risk you're willing to take for the sake of access. Ubuntu chose to open up the sudo risk (and as I said, even though it's common, it's a procedure that still sparks controversy) because, in the end, it was deemed that that amount of risk had acceptable gains. The reason that those gains were acceptable on a desktop and not a server is the same argument I'm making here - the use case puts user data (which is still at risk when controlled by a non-root
Re: moko running everything as root
A lot depends on your network provider. I can't even ping my FreeRunner on vodafone, for example. Tmobile put its first firewall up in 2002: http://www.theregister.co.uk/2002/11/27/first_hackers_sighted_in_high/

J

2008/6/15 Mikko Rauhala [EMAIL PROTECTED]:
> On Sun, 2008-06-15 at 16:39 +0200, Joerg Reisenweber wrote:
>> YEP, exactly. Really wonder whether ssh is open to GPRS :-o (I had to fire up GPRS to check, my simcard doesn't allow right now. shame on me :-/ ) For sure it's no good idea to run the web-browser as root.
>
> Last I checked yes. So, you know, I pretty quickly set a root password :]
>
> --
> Mikko Rauhala - [EMAIL PROTECTED] - URL:http://www.iki.fi/mjr/
> Transhumanist - WTA member - URL:http://www.transhumanism.org/
> Singularitarian - SIAI supporter - URL:http://www.singinst.org/
Re: moko running everything as root
well, let's say we disagree in the classification of the om -- i think it's a very powerful mobile computer and thus should follow basically the same idea of security.

the user's data can be backed up and thus restored if compromised or destroyed. the system itself may cause severe loss of money if compromised: sending sms, calling those value-added numbers (what's the proper term in english?), creating internet connections (and maybe sending spam). accessing your pc if you connect to it to sync or so may corrupt your computer (take a known vulnerability, create an exploit and put it on the om -- if connected to your pc it could infiltrate).

imho the om does not match the criteria of mobile world you're applying -- but that's just it: my opinion. maybe it changes once i get my paws on a real freerunner ;-)
Re: moko running everything as root
If you have root AND user, root can make a backup copy of user's valuable data every once in a while, and user or the virus she imported while browsing the web can NOT destroy this backup.

I can't follow your arguments. It's NOT an evil person we need to fence in, it's bad behaviour of applications that go nuts on (virus|bug|user fault|*)

If we don't start to care about this topic NOW, we will see lots of poorly designed apps that rely on having root access where they shouldn't, and we end up in a situation like M$, where the whole system is so much root-centric that you simply can't switch to a sane user-management anymore, because it would break half the system. To fix those apps later is a major PITA.

I just talked to Wolfgang Spraul and he answered: "But right now we are selling to hardcore developers only, so it's not our #1 priority. Once our software becomes more stable and mature, this needs to be addressed seriously. The good news is that the FOSS community is pretty paranoid about this, so I'm sure over time we will have a good solution. It's a FOSS project and you are the community, so just contribute!"

I'd say, do it *now*, as long as it's easy.

cheers
jOERG
Re: moko running everything as root
On Sun, Jun 15, 2008 at 9:15 PM, arne anka [EMAIL PROTECTED] wrote:
> well, let's say we disagree in the classification of the om -- i think it's a very powerful mobile computer and thus should follow basically the same idea of security. the user's data can be backed up and thus restored if compromised or destroyed. the system itself may cause severe loss of money if compromised: sending sms, calling those value-added numbers (what's the proper term in english?), creating internet connections (and maybe sending spam). accessing your pc if you connect to it to sync or so may corrupt your computer (take a known vulnerability, create an exploit and put it on the om -- if connected to your pc it could infiltrate). imho the om does not match the criteria of mobile world you're applying -- but that's just it: my opinion. maybe it changes once i get my paws on a real freerunner ;-)

On my laptop, I can choose if I want to run SE Linux or not. I think that at least one image should run default with a non-root user and everything in /etc/sudoers. This way, people can uncomment inside that file and apply the security they like. The reason is that some people will use it as a phone, while other people might even use it without a sim. That means we may need different security policies.
Re: moko running everything as root
Isn't there a targeted SElinux policy being developed as part of GSoC?

On 6/15/08, Joerg Reisenweber [EMAIL PROTECTED] wrote:
> If you have root AND user, root can make a backup copy of user's valuable data every once in a while, and user or the virus she imported while browsing the web can NOT destroy this backup.
>
> I can't follow your arguments. It's NOT an evil person we need to fence in, it's bad behaviour of applications that go nuts on (virus|bug|user fault|*)
>
> If we don't start to care about this topic NOW, we will see lots of poorly designed apps that rely on having root access where they shouldn't, and we end up in a situation like M$, where the whole system is so much root-centric that you simply can't switch to a sane user-management anymore, because it would break half the system. To fix those apps later is a major PITA.
>
> I just talked to Wolfgang Spraul and he answered: "But right now we are selling to hardcore developers only, so it's not our #1 priority. Once our software becomes more stable and mature, this needs to be addressed seriously. The good news is that the FOSS community is pretty paranoid about this, so I'm sure over time we will have a good solution. It's a FOSS project and you are the community, so just contribute!"
>
> I'd say, do it *now*, as long as it's easy.
>
> cheers
> jOERG

--
Sent from Gmail for mobile | mobile.google.com
Re: moko running everything as root
> On my laptop, I can choose if I want to run SE Linux or not. I think that at least one image should run default with a non-root user and everything in /etc/sudoers. This way, people can uncomment inside that file and apply the security they like.

Sounds a lot like looking after a laptop rather than using a phone. I've already written about how I like the FreeRunner because it's *not* a laptop: http://blogs.thehumanjourney.net/finds/entry/1

I've also posted twice (I think - I found one on Google) to this list about how it might be fruitful to consider the Bitfrost security model as developed for the OLPC project: http://wiki.laptop.org/go/Bitfrost

Anyone with me on that one?

J

2008/6/15 Flemming Richter Mikkelsen [EMAIL PROTECTED]:
> On Sun, Jun 15, 2008 at 9:15 PM, arne anka [EMAIL PROTECTED] wrote:
>> well, let's say we disagree in the classification of the om -- i think it's a very powerful mobile computer and thus should follow basically the same idea of security. the user's data can be backed up and thus restored if compromised or destroyed. the system itself may cause severe loss of money if compromised: sending sms, calling those value-added numbers (what's the proper term in english?), creating internet connections (and maybe sending spam). accessing your pc if you connect to it to sync or so may corrupt your computer (take a known vulnerability, create an exploit and put it on the om -- if connected to your pc it could infiltrate). imho the om does not match the criteria of mobile world you're applying -- but that's just it: my opinion. maybe it changes once i get my paws on a real freerunner ;-)
>
> On my laptop, I can choose if I want to run SE Linux or not. I think that at least one image should run default with a non-root user and everything in /etc/sudoers. This way, people can uncomment inside that file and apply the security they like. The reason is that some people will use it as a phone, while other people might even use it without a sim. That means we may need different security policies.
Re: moko running everything as root
> Sounds a lot like looking after a laptop rather than using a phone. I've already written about how I like the FreeRunner because it's *not* a laptop:

basically, yes. but that's probably due to the limited experience. i for one know palm pda/smartphone and laptop/pc -- according to the spec the om resembles a pc rather than a pda/smartphone so i more or less consciously shape my expectations after that. but i am not sure if that in any way makes it incompatible with your ideas expressed there.

> I've also posted twice (I think - I found one on Google) to this list about how it might be fruitful to consider the Bitfrost security model as developed for the OLPC project: http://wiki.laptop.org/go/Bitfrost Anyone with me on that one?

sounds good. it's not that i think the unix/linux way is the best ever possible -- it's only that i think security _is_ a key feature, how we achieve that feature is a matter open to discussion. if the olpc folks got it working for children it means it will work for average joe as well ...
Re: moko running everything as root
On 2008-06-15 21:15:40 +0200, arne anka wrote:
> well, let's say we disagree in the classification of the om -- i think it's a very powerful mobile computer and thus should follow basically the same idea of security. the user's data can be backed up and thus restored if compromised or destroyed. the system itself may cause severe loss of money if compromised: sending sms, calling those value-added numbers (what's the proper term in english?), creating internet connections (and maybe sending spam). accessing your pc if you connect to it to sync or so may corrupt your computer (take a known vulnerability, create an exploit and put it on the om -- if connected to your pc it could infiltrate).

But all of these things a user has to be able to do - so if the user's account is compromised, the intruder can also do these things. I think there is some value in separating privileges even on a one-user device, but I don't think the user vs. root is a useful separation, because you will end up with a user who is essentially root and can do everything interesting. Separating applications may be more appropriate (e.g., the browser may not need to be able to send SMS), but that needs careful thought.

hp

--
   _  | Peter J. Holzer    | It took a genius to create [TeX],
|_|_) | Sysadmin WSR       | and it takes a genius to maintain it.
| |   | [EMAIL PROTECTED]  | That's not engineering, that's art.
__/   | http://www.hjp.at/ |    -- David Kastrup in comp.text.tex
Re: moko running everything as root
> will tell you that having those kind of permissions systems when the INTRUDER has physical access to the device is next to pointless.

the om is connected via wlan or bluetooth -- thus allowing hacking into it (if it is not possible right now it will some day). thus the user does not necessarily notice if there's an intruder.
second: what ways to boot the om _without_ destroying all data? if you need to hack the password for the root account to be able to manipulate existing data, there's another fence to jump.

> What benefit does having things like OPKG SUID give us that having opkg run as root doesn't?

only opkg is run, not everything possible. logging in as root opens a world of ways to harm your data, either by accident or deliberately. exploiting suid requires a bug in the program suid'd.

> User John running sudo rm -rf /* is better than root running rm -rf /* because...?

see above. you can configure which commands/programs may be run with sudo. and user john is not every user -- a user able to run sudo needs to belong to a specific group, configurable as well.

> If you want security, unprivileged users must NOT EVER be able to run privileged commands.

see above. have various roles.

> This assumption doesn't exactly hold when the entire filesystem is small enough to be put in one's pocket.

the om represents a device more powerful than the computer linux was developed on.
i am not sure i understand you correctly, but for me it sounds like you saying user/group separation is meaningful for servers only (and only because physical access can be prevented), for end user computers, laptops specifically, it is a waste. if so, you are pretty much alone with this understanding.

what bothers me: as far as i understand the vast majority of applications is ported from existing linux distributions or just recompiled -- so, why would one disable the user/group principle the apps obey on their native platform?
ubuntu for one works rather well with that wheel/sudo way and even on non-ubuntu systems users are able to run a lot of root applications such as rdate, power off, opkg, etc. w/o being root all the time.
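As an added illustration of the wheel/sudo arrangement arne describes (this is constructed here, not configuration from the thread or from the Openmoko project), a sudoers fragment that puts the blanket rule Peter Holzer warns about ("a user who is essentially root") next to per-command, per-group rules for the three commands the thread keeps naming; the command paths, the group name `phone` and the user name `john` are assumptions.

```sudoers
## Constructed example; paths and group names are assumptions, not Openmoko defaults.

# Weak: this makes "john" root in all but name. If the account is
# compromised, sudo adds nothing (Kevin's "sudo rm -rf /*" point holds).
# john   ALL=(ALL) NOPASSWD: ALL

# Role-based alternative: name the few privileged commands and hand each
# to a group, so that "user john is not every user".
Cmnd_Alias PKG   = /usr/bin/opkg
Cmnd_Alias POWER = /sbin/poweroff
Cmnd_Alias CLOCK = /usr/bin/rdate

# Ask for root's password instead of the caller's own whenever a password
# is required (Joerg's preference for opkg); NOPASSWD rules below are unaffected.
Defaults rootpw

# Package management only for members of wheel, and only after a password.
%wheel  ALL=(root) PKG

# Members of the "phone" group may power the device off or set the clock
# without a password; nothing else is granted to them.
%phone  ALL=(root) NOPASSWD: POWER, CLOCK
```

Because each alias is a full path, a compromised account in `phone` gets exactly poweroff and rdate as root and nothing else, which is the difference between this and the commented-out blanket rule.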
moko running everything as root
Peter Nijs wrote:
> no problems. what i don't want is people to get their hopes up. this was in the context of people asking if they can play vga video and me going "good luck!". there is reality - and you can sit and hack away spend lots of time and get 1 case to work, and work well. as i said - it will depend on codec, bitrate, quality etc. mpeg4 decode in hw is great - but remember it is also limiting to just mp4 - all your mpeg1, ogg, etc. videos will not work. also as long as mplayer is accessing glamo hardware it must run as root. admittedly we run everything as root - but come the day when we don't... this is trouble.

Hi. Can someone clear up for me why everything runs as root? When I heard the iPhone ran everything as root I kinda sneered at it but now I can't be so smug. What are the engineering reasons for this?

Rob
Re: moko running everything as root
On 6/13/08, Robert Taylor [EMAIL PROTECTED] wrote:
> Peter Nijs wrote:
>> no problems. what i don't want is people to get their hopes up. this was in the context of people asking if they can play vga video and me going "good luck!". there is reality - and you can sit and hack away spend lots of time and get 1 case to work, and work well. as i said - it will depend on codec, bitrate, quality etc. mpeg4 decode in hw is great - but remember it is also limiting to just mp4 - all your mpeg1, ogg, etc. videos will not work. also as long as mplayer is accessing glamo hardware it must run as root. admittedly we run everything as root - but come the day when we don't... this is trouble.
>
> Hi. Can someone clear up for me why everything runs as root? When I heard the iPhone ran everything as root I kinda sneered at it but now I can't be so smug. What are the engineering reasons for this?

The reason is that the user normally wants to run a lot of root applications such as rdate, power off, opkg, etc. Of course this should be solved, but it should not be a top priority.
Re: moko running everything as root
On Sat, 14 June 2008, Flemming Richter Mikkelsen wrote:
> On 6/13/08, Robert Taylor [EMAIL PROTECTED] wrote:
>> Peter Nijs wrote:
>>> no problems. what i don't want is people to get their hopes up. this was in the context of people asking if they can play vga video and me going "good luck!". there is reality - and you can sit and hack away spend lots of time and get 1 case to work, and work well. as i said - it will depend on codec, bitrate, quality etc. mpeg4 decode in hw is great - but remember it is also limiting to just mp4 - all your mpeg1, ogg, etc. videos will not work. also as long as mplayer is accessing glamo hardware it must run as root. admittedly we run everything as root - but come the day when we don't... this is trouble.
>>
>> Hi. Can someone clear up for me why everything runs as root? When I heard the iPhone ran everything as root I kinda sneered at it but now I can't be so smug. What are the engineering reasons for this?
>
> The reason is that the user normally wants to run a lot of root applications such as rdate, power off, opkg, etc. Of course this should be solved, but it should not be a top priority.

My opinion is averse. There's no valid reason to abandon the very simple concept of users, groups, and permissions, just to have an easy start on development (fixing apps later on is a PITA). If you don't care from beginning, you'll end up where Vista is right now.

Where is the problem to chmod any file in /dev, /sys, etc. to do rdate, power off, opkg etc (ok, for opkg I myself would prefer to be asked for root pw). Or make apps SUID! Do we really have to repeat this annoyance yet *another* time?

If the user *really* wants to run these apps in the way you assumed (being pissed off to relogin as root), why not use ageold mechanisms like sudoers, wheel etc?

To me it seems this is an *extreme* inattentiveness of developers, even worse a ridiculous one.

/jOERG
Re: moko running everything as root
On Fri, Jun 13, 2008 at 10:10 PM, Joerg Reisenweber [EMAIL PROTECTED] wrote:
> My opinion is averse. There's no valid reason to abandon the very simple concept of users, groups, and permissions, just to have an easy start on development (fixing apps later on is a PITA). If you don't care from beginning, you'll end up where Vista is right now. Where is the problem to chmod any file in /dev, /sys, etc. to do rdate, power off, opkg etc (ok, for opkg I myself would prefer to be asked for root pw).

The difference, as I see it, is we can be sure that a user has the capacity to physically disable the device. Having user separations makes sense when you have some restricted users and some root users. Anybody who has dealt with security in a mission critical situation will tell you that having those kind of permissions systems when the INTRUDER has physical access to the device is next to pointless.

> Or make apps SUID! Do we really have to repeat this annoyance yet *another* time?

What benefit does having things like OPKG SUID give us that having opkg run as root doesn't? The reason for separation of privileges is to prevent an unauthorized person from ruining the system (a secretary deleting anything ending in .conf because she doesn't use those files on a network server...) by an unprivileged user. If you look at studies on why Linux isn't hit by viruses you'll see the root/user separation featured as #1. #2 reason is diversity - A virus undetected on Red Hat might not be invisible on Debian and the work needed to ensure that was the case is about equal to ensuring that every device driver ever written for Windows was bug free (i.e. next to impossible)

> If the user *really* wants to run these apps in the way you assumed (being pissed off to relogin as root), why not use ageold mechanisms like sudoers, wheel etc?

User John running sudo rm -rf /* is better than root running rm -rf /* because...? If you want security, unprivileged users must NOT EVER be able to run privileged commands. In a corporate environment, it is safe to assume that all of the people using the filesystem will have various roles. This assumption doesn't exactly hold when the entire filesystem is small enough to be put in one's pocket.

> To me it seems this is an *extreme* inattentiveness of developers, even worse a ridiculous one.

As I see it, it's being realistic when using technology designed with restrictions to suit a multi-user environment in a situation where only a single user. In a networked and shared environment, the deletion of a single user's browser preferences isn't too important as long as the integrity of the majority of the network exists. In a pure single user situation, the integrity of the user's data IS network integrity. Feel free to ask an iPhone user what would be worse, the entire dataset of their device being erased, or only their phone numbers, pictures, music, settings and so on. In both cases, that user would NEVER use another device from that company. When the user is more important than integrity there is NO way that traditional UNIX file system permissions add a layer of security.