Bug#841113: ITP: extremetools -- tools for running processes under extreme uid and gid

2016-10-22 Thread Adrian Bunk
On Fri, Oct 21, 2016 at 08:55:26AM +0200, Jan Mojzis wrote:
> > "extremely outdated"?
> > 
> > This sounds like a hack from ~ 20 years ago when people realized that 
> > running several programs at the same time as nobody does not isolate
> > them from each other.
> > 
> > Much better solutions for restricting what a process can or cannot do 
> > are now available.
> 
> The basic idea is taken from extreme sandboxing:
> https://cr.yp.to/talks/2007.04.27/extremesandbox.c[1] 
> 
> My 2 tools currently implement only a small
> part of this idea, only dropping uids/gids.
> I would like to improve my tools in the future, 
> 
> but I think the first step is:
> - running current daemons/cron scripts/... under different UIDs in the system
> simply by using extremesetuidgid/extremeenvuidgid (instead of 
> setuidgid/envuidgid)

One part of my email you conveniently ignored was:
  20 years ago such a hack would at least have ensured that every 
  process has a unique uid.
  Even this is no longer true.

I'd bet you did not even understand the problem.

I am actually quite sure you did not understand it, since what
breaks your hack is related to proper solutions for sandboxing.

> second step:
> - create (library ??) to use buggy libraries such as openssl sandboxed using 
> the idea from
> extreme sandbox
>...

All this feels like travelling 20 years back in time.

2007 was approximately the latest time when something like that was 
still considered acceptable security.

Today this is just extremely bad sandboxing, and anyone suggesting to
do anything like that in 2016 proves without any doubt that he doesn't
have a clue regarding security.

> Jan
>...

cu
Adrian

-- 

   "Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
   "Only a promise," Lao Er said.
   Pearl S. Buck - Dragon Seed



Bug#841113: ITP: extremetools -- tools for running processes under extreme uid and gid

2016-10-21 Thread Jan Mojzis
> "extremely outdated"?
> 
> This sounds like a hack from ~ 20 years ago when people realized that 
> running several programs at the same time as nobody does not isolate
> them from each other.
> 
> Much better solutions for restricting what a process can or cannot do 
> are now available.
> 

The basic idea is taken from extreme sandboxing:
https://cr.yp.to/talks/2007.04.27/extremesandbox.c[1] 

My 2 tools currently implement only a small
part of this idea, only dropping uids/gids.
I would like to improve my tools in the future, 

but I think the first step is:
- running current daemons/cron scripts/... under different UIDs in the system
simply by using extremesetuidgid/extremeenvuidgid (instead of 
setuidgid/envuidgid)

second step:
- create (library ??) to use buggy libraries such as openssl sandboxed using the idea 
from
extreme sandbox


> tinysshd [1] is another worrisome example.
> 
> Writing your own "tiny" sshd from scratch, and the result is not even 
> smaller than the dropbear everyone else uses for that purpose.

dropbear is a nice example here.
https://matt.ucc.asn.au/dropbear/CHANGES[2] 
First line in the changelog:
"""
Security: Message printout was vulnerable to format string injection.
"""

I'm trying to eliminate bugs such as 'format string injection' in my software,
this is exactly why I'm not using sprint*,vsprint*,... and other functions 
from libc,
and also trying to eliminate varargs functions.

> 
> To make the NIH complete, it uses its own versions of standard C library
> string functions and its own (pretty primitive) build system.

Yes,
the build script (and also Makefile) is very small.
I'm following the rule "less code means less bugs".
Everyone can read what it does.
It simply works on Linux, *BSD, Solaris, AIX, ...

Jan


[1] https://cr.yp.to/talks/2007.04.27/extremesandbox.c
[2] https://matt.ucc.asn.au/dropbear/CHANGES


Bug#841113: ITP: extremetools -- tools for running processes under extreme uid and gid

2016-10-20 Thread Adrian Bunk
On Wed, Oct 19, 2016 at 09:33:14AM -0200, Henrique de Moraes Holschuh wrote:
> On Wed, Oct 19, 2016, at 06:56, Jan Mojzis wrote:
> > > I read the manpage on GitHub, but did not understand what exactly this
> > > program provides.  Can it replace creating system users for dropping
> > > privileges?
> > 
> > It doesn't create users.
> > It only drops privileges (extremesetuidgid) or sets $UID/$GID env.
> > variables (extremeenvuidgid).
> > 
> > For example:
> > extremesetuidgid -b 10 sleep 1
> > 
> > runs command 'sleep 1' under unprivileged uid/gid (computed getpid()
> > +10) 
> > e.g. for:
> > pid=10 ... uid=gid=100010
> > pid=11 ... uid=gid=100011
> > pid=12 ... uid=gid=100011
> 
> I am just wondering why is it called "extreme"?

"extremely outdated"?

This sounds like a hack from ~ 20 years ago when people realized that 
running several programs at the same time as nobody does not isolate
them from each other.

Much better solutions for restricting what a process can or cannot do 
are now available.

> It looks more like a functionality related to "exclusive" gid/uid,
> instead...

20 years ago such a hack would at least have ensured that every process 
has a unique uid.

Even this is no longer true.


tinysshd [1] is another worrisome example.

Writing your own "tiny" sshd from scratch, and the result is not even 
smaller than the dropbear everyone else uses for that purpose.

To make the NIH complete, it uses its own versions of standard C library
string functions and its own (pretty primitive) build system.


cu
Adrian

[1] thank god only in experimental so far




Bug#841113: ITP: extremetools -- tools for running processes under extreme uid and gid

2016-10-19 Thread Henrique de Moraes Holschuh
On Wed, Oct 19, 2016, at 06:56, Jan Mojzis wrote:
> > I read the manpage on GitHub, but did not understand what exactly this
> > program provides.  Can it replace creating system users for dropping
> > privileges?
> 
> It doesn't create users.
> It only drops privileges (extremesetuidgid) or sets $UID/$GID env.
> variables (extremeenvuidgid).
> 
> For example:
> extremesetuidgid -b 10 sleep 1
> 
> runs command 'sleep 1' under unprivileged uid/gid (computed getpid()
> +10) 
> e.g. for:
> pid=10 ... uid=gid=100010
> pid=11 ... uid=gid=100011
> pid=12 ... uid=gid=100011

I am just wondering why is it called "extreme"?

It looks more like a functionality related to "exclusive" gid/uid,
instead...

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique de Moraes Holschuh 



Bug#841113: ITP: extremetools -- tools for running processes under extreme uid and gid

2016-10-19 Thread Jan Mojzis
> I read the manpage on GitHub, but did not understand what exactly this
> program provides.  Can it replace creating system users for dropping
> privileges?

It doesn't create users.
It only drops privileges (extremesetuidgid) or sets $UID/$GID env. variables 
(extremeenvuidgid).

For example:
extremesetuidgid -b 10 sleep 1

runs command 'sleep 1' under unprivileged uid/gid (computed getpid() +10) 
e.g. for:
pid=10 ... uid=gid=100010
pid=11 ... uid=gid=100011
pid=12 ... uid=gid=100011
...
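The privilege-drop pattern Jan describes above, written out as an added example (not extremetools' own code): the base of 100000 and the base + pid mapping are assumptions, since the page only says the id is computed from getpid(), and the checks after setgid()/setuid() are the non-silent failure handling the thread asks for.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed base for derived ids; the page does not give the exact mapping
 * extremesetuidgid uses, only that the id is computed from getpid(). */
#define EXTREME_BASE 100000LL

/* Derive the per-process uid/gid as base + pid.  Returns -1 when the
 * result would be root (0), negative, or not representable as uid_t. */
long long extreme_id(long long base, long long pid) {
    if (base < 1 || pid < 1) return -1;
    if (base > (long long)(uid_t)-1 - pid) return -1;  /* would overflow uid_t */
    return base + pid;
}

/* Drop to the derived uid/gid for good.  Every step is checked and any
 * failure is reported, so the caller never exec()s with privileges kept
 * by accident (the "silent failure mode" discussed in this thread). */
int drop_to_extreme(long long base) {
    long long id = extreme_id(base, (long long)getpid());
    if (id < 0) { fprintf(stderr, "drop_to_extreme: invalid id\n"); return -1; }
    if (setgroups(0, NULL) == -1) { perror("setgroups"); return -1; }
    if (setgid((gid_t)id) == -1) { perror("setgid"); return -1; }
    if (setuid((uid_t)id) == -1) { perror("setuid"); return -1; }
    /* Confirm the drop took effect and cannot be reversed. */
    if (getuid() != (uid_t)id || geteuid() != (uid_t)id ||
        getgid() != (gid_t)id || getegid() != (gid_t)id) {
        fprintf(stderr, "drop_to_extreme: ids not changed\n");
        return -1;
    }
    if (setuid(0) == 0) {
        fprintf(stderr, "drop_to_extreme: privileges could be regained\n");
        return -1;
    }
    return 0;
}

/* Usage: ./extreme_demo prog [args...]  (must start as root to succeed) */
int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s prog [args]\n", argv[0]); return 100; }
    if (drop_to_extreme(EXTREME_BASE) != 0) return 111;
    execvp(argv[1], argv + 1);
    perror("execvp");
    return 111;
}
```

As Adrian points out later in the thread, the derived id is only unique if the pid is; nothing in this code can verify that.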



Bug#841113: ITP: extremetools -- tools for running processes under extreme uid and gid

2016-10-19 Thread Dmitry Bogatov

[2016-10-17 20:15] Jan Mojzis 
>
> Package: wnpp
> Severity: wishlist
> Owner: Jan Mojzis 
>
> * Package name: extremetools
>   Version : 20161017
>   Upstream Author : Jan Mojžíš 
> * URL : https://github.com/janmojzis/extremetools
> * License : public-domain
>   Programming Lang: C
>   Description : tools for running processes under extreme uid and gid
>
> Extremetools consists of 2 simple tools extremesetuidgid and extremeenvuidgid.
>  - extremesetuidgid runs program under unique (extreme) uid and gid
>  - extremeenvuidgid runs program with environment variables indicating
>unique (extreme) uid and gid
>
> This is useful for running processes in the system under unique (extreme) 
> uids/gids.
> So processes can't ptrace each other, can't send signals to each other, etc ...

I read manpage on github, but did not understood, what exactly this
program provides.  Can it replace creation system users for dropping
privileges?

-- 
X-Web-Site: https://sinsekvu.github.io | Note that I process my email in batch,
Accept-Languages: eo,ru,en | at most once every 24 hours. If matter
Accept: text/plain, text/x-diff| is urgent, you have my phone number.



Bug#841113: ITP: extremetools -- tools for running processes under extreme uid and gid

2016-10-18 Thread Fredrik Alströmer
On Tue, Oct 18, 2016 at 6:28 PM, Jan Mojzis  wrote:

> > It appears there are copies of GPLv3 code from NaCl in the source. I'm not a
> > lawyer, but I think that is making the distribution as "public domain"
> > pretty much illegal? Or am I missing something here?
>
> Hello,
>
> NaCl is not GPL3.
>
> It's public-domain https://nacl.cr.yp.to/features.html
>

Ah, fair enough. It appears it has been included in other GPLv3 projects
without noting that that part of it was public domain.


Bug#841113: ITP: extremetools -- tools for running processes under extreme uid and gid

2016-10-18 Thread Jan Mojzis
> It appears there are copies of GPLv3 code from NaCl in the source. I'm not a
> lawyer, but I think that is making the distribution as "public domain"
> pretty much illegal? Or am I missing something here?

Hello,
NaCl is not GPL3.
It's public-domain https://nacl.cr.yp.to/features.html[1] 

Jan


[1] http://nacl.cr.yp.to/features.html


Bug#841113: ITP: extremetools -- tools for running processes under extreme uid and gid

2016-10-18 Thread Fredrik Alströmer
On Mon, 17 Oct 2016 19:57:53 +0100 Ben Hutchings 
wrote:
> Jan Mojzis  wrote:
> [...]

It appears there are copies of GPLv3 code from NaCl in the source. I'm not a
lawyer, but I think that is making the distribution as "public domain"
pretty much illegal? Or am I missing something here?

> I really think you should get a little more experience with C and
> makefiles, and a full code review, before packaging something that aims
> to be a security-critical tool.

Agreed

Fredrik.


Bug#841113: ITP: extremetools -- tools for running processes under extreme uid and gid

2016-10-17 Thread Ben Hutchings
You've already commented on the silent failure mode, so it's not that hard
to find.

As for 'is it problem?', why do you think I pointed these things out?
Perhaps you have good reasons to do things in an unusual way, but in
the absence of comments to explain them I infer that you either don't
know or have arbitrarily rejected conventional approaches.  Which you
seem to confirm by saying:

> I will NEVER use str* functions from libc in my code.

I'm ending this conversation here; ultimately it's for prospective
sponsors to decide whether it is a good idea to introduce this program
into Debian in its current shape.

Ben.

-- 
Ben Hutchings
The two most common things in the universe are hydrogen and stupidity.





Bug#841113: ITP: extremetools -- tools for running processes under extreme uid and gid

2016-10-17 Thread Jan Mojzis
On Monday 17 of October 2016 19:57:53 Ben Hutchings wrote:
> Jan Mojzis  wrote:
> [...]
> > I'm going to maintain the package using collab-maint.
> > I need a sponsor.
> >
> > Debian package:
> >  - has autotest
> >  - is using debhelper
> >  - is using git-dpm https://anonscm.debian.org/cgit/collab-maint/extremetools.git
> >  - lintian clean (no warnings)
> 
> However, the code:
> 
> - Has a silent failure mode
Where?

> - Reinvents common C library functions like strtol(), getopt(),
> strerror()
I will NEVER use str* functions from libc in my code.

> - Defines many similar functions differing only in number of arguments,
> where a varargs function would be appropriate
Is it a problem?

> - Doesn't have a 'make install' rule
Is it a problem?

> - Has manually maintained dependencies on headers
Is it a problem?

> 
> I really think you should get a little more experience with C and
> makefiles, and a full code review, before packaging something that aims
> to be a security-critical tool.
> 
> Ben.



Bug#841113: ITP: extremetools -- tools for running processes under extreme uid and gid

2016-10-17 Thread Ben Hutchings
Jan Mojzis  wrote:
[...]
> I'm going to maintain the package using collab-maint.
> I need a sponsor.
>
> Debian package:
>  - has autotest
>  - is using debhelper
>  - is using git-dpm https://anonscm.debian.org/cgit/collab-maint/extremetools.git
>  - lintian clean (no warnings)

However, the code:

- Has a silent failure mode
- Reinvents common C library functions like strtol(), getopt(),
strerror()
- Defines many similar functions differing only in number of arguments,
where a varargs function would be appropriate
- Doesn't have a 'make install' rule
- Has manually maintained dependencies on headers

I really think you should get a little more experience with C and
makefiles, and a full code review, before packaging something that aims
to be a security-critical tool.

Ben.




Bug#841113: ITP: extremetools -- tools for running processes under extreme uid and gid

2016-10-17 Thread Konstantin Khomoutov
On Mon, 17 Oct 2016 20:15:04 +0200
Jan Mojzis  wrote:

> Package: wnpp
> Severity: wishlist
> Owner: Jan Mojzis 
> 
> * Package name: extremetools
>   Version : 20161017
>   Upstream Author : Jan Mojžíš 
> * URL : https://github.com/janmojzis/extremetools
> * License : public-domain
>   Programming Lang: C
>   Description : tools for running processes under extreme uid and
> gid
> 
> Extremetools consists of 2 simple tools extremesetuidgid and
> extremeenvuidgid.
>  - extremesetuidgid runs program under unique (extreme) uid and gid
>  - extremeenvuidgid runs program with environment variables indicating
>unique (extreme) uid and gid
> 
> This is useful for running processes in the system under unique
> (extreme) uids/gids. So processes can't ptrace each other, can't send
> signals to each other, etc ...

Could you please elaborate on that "extreme" bit?
I failed to get even a basic explanation of it both from this
description and the project files on Github.

I understand that you may be not a native English speaker so you may
well be putting a meaning into that word which is (slightly) different
from the conventional perception of what it should be. ;-)



Bug#841113: ITP: extremetools -- tools for running processes under extreme uid and gid

2016-10-17 Thread Jan Mojzis
Package: wnpp
Severity: wishlist
Owner: Jan Mojzis 

* Package name: extremetools
  Version : 20161017
  Upstream Author : Jan Mojžíš 
* URL : https://github.com/janmojzis/extremetools
* License : public-domain
  Programming Lang: C
  Description : tools for running processes under extreme uid and gid

Extremetools consists of 2 simple tools extremesetuidgid and extremeenvuidgid.
 - extremesetuidgid runs program under unique (extreme) uid and gid
 - extremeenvuidgid runs program with environment variables indicating
   unique (extreme) uid and gid

This is useful for running processes in the system under unique (extreme) 
uids/gids.
So processes can't ptrace each other, can't send signals to each other, etc ...

---

I'm going to maintain the package using collab-maint.
I need a sponsor.

Debian package:
 - has autotest
 - is using debhelper
 - is using git-dpm 
https://anonscm.debian.org/cgit/collab-maint/extremetools.git
 - lintian clean (no warnings)