Re: Fwd: Use suid_dumpable=2 for development releases

[Jakub Filak]

On 02/12/2016 07:57 PM, Andrew Lutomirski wrote:

On Fri, Feb 12, 2016 at 10:32 AM, Richard W.M. Jones  wrote:

On Fri, Feb 12, 2016 at 07:24:06AM -0500, Jakub Filak wrote:

The default value 0 is there for good security reason, but I would
like to propose changing the default value to 2 for development
Fedora releases (Alpha, Beta, Rawhide). In this case, kernel would
send core dump to ABRT (or systemd-coredump) and the ABRT record
would be accessible only to root.

It seems like this would be unsafe if core_pattern is not a pipe or
fully qualified path.

   Ref: https://lwn.net/Articles/503682/

That's fine when ABRT is running, but would be unsafe if someone
disabled ABRT by directly setting core_pattern (eg. to "core.%p"), but
forgot about suid_dumpable.

The kernel does emit KERN_WARNING about this situation (upstream
commit 54b501992dd2), but it's not clear if a sysadmin would notice.

(I'm actually quite happy for the default to be changed as you
suggest, but can see it's a bit of a minefield.)

We could change the kernel to add suid_dumpable == 3 which is like
suid_dumpable==2 but only if the core_pattern is a pipe.


Starting with systemd-229 the default core_pattern has been changed to 
"|/bin/false" [1], hence, if an user uninstall ABRT or disable 
abrt-ccpp.service, the core_pattern will be either "|/bin/false" or 
"|/usr/lib/systemd/systemd-coredump ...". Thus the only case where 
core_patter can contain a string not starting with pipe is when admin 
changes it manually ("sysctl kernel.core_pattern ...", "echo ... > 
/proc/sys/kernel/core_pattern", etc).


Taking into account this new fact, do we still need to change the kernel?


Regards,
Jakub

1: 
https://github.com/systemd/systemd/commit/15a900327aba7dc4dc886affe1ae22d3b759b193

--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org

Re: Fwd: Use suid_dumpable=2 for development releases

[Jakub Filak]

On 02/16/2016 03:23 PM, Andrew Lutomirski wrote:



On Feb 15, 2016 10:36 PM, "Jakub Filak" > wrote:

>
> It looks like that there are no opponents of this change but several 
supporters

> and few of them even want to have suid_dumpable=2 in all releases.
>
> I was thinking about it and Richard W.M. Jones' email about safeness of
> suid_dumpable=2 without ABRT gave me an idea to teach ABRT to set
> suid_dumpable=2 in abrt-ccpp.service. The service sets 
kernel.core_pattern

> (/proc/sys/kernel/core_pattern) to ABRT pattern, so it could also update
> suid_dumpable. If an administrator uninstalls/turns off ABRT, 
suid_dumpable
> would get back the OS default value. If he/she modifies core_pattern 
by hand,

> then he/she is skilled enough to spot kernel warning in the logs.
>
> What do you think about it?
> I would especially like to hear thoughts on this from security experts.
>
> Do I need to get any permission to do so?

This idea makes me very nervous.



I understand your concerns and I am happy someone else expressed it this 
way.
I was asked several times to make suid_dumpable=2 by default last year 
and I always replied like you.



  I would *much* rather that the kernel be changed.



Just for the clarification: you want to change suid_dumpable in kernel 
package or introduce the value of 3 or both?



Also, is ABRT itself safe?



We believe it is.
But frankly we had several CVEs last year. However those CVEs helped us 
to make ABRT much safer.
Florian Weimer went through the code base and found several issues that 
we have fixed.

The CVEs are the reason why I didn't start this discussion sooner.

That is, if an unprivileged user starts, say, passwd and forces a 
coredump, can that user convince ABRT to show them the core file?




That user cannot convince ABRT to show them the core file.
Only privileged users will have access to the core file.


Jakub


--Andy

>
>
> Regards,
> Jakub
>
>
> On 02/12/2016 01:24 PM, Jakub Filak wrote:
>>
>> - Forwarded Message -
>> From: "Jakub Filak" mailto:jfi...@redhat.com>>
>> To: secur...@lists.fedoraproject.org 


>> Sent: Thursday, February 11, 2016 9:51:04 AM
>> Subject: Use suid_dumpable=2 for development releases
>>
>> Hello,
>>
>> As a maintainer of ABRT, I have been asked several times why ABRT 
does not catch
>> crashes of many processes and one kind of reasons dominate among 
other reasons
>> - processes that executes set-user-ID programs (man 5 core). These 
processes
>> are not dumped at all if the value of /proc/sys/fs/suid_dumpable is 
0 (man 5

>> proc) which is the default value.  With the default suid_dumpable
>> value, crashes caused by SIGABRT are not detectable because kernel 
doesn't even

>> write a log message about that.
>>
>> The default value 0 is there for good security reason, but I would 
like to
>> propose changing the default value to 2 for development Fedora 
releases (Alpha,

>> Beta, Rawhide). In this case, kernel would send core dump to ABRT (or
>> systemd-coredump) and the ABRT record would be accessible only to root.
>>
>> I believe that maintainers of packages like chrony will be really 
delighted
>> with this change, while will not weaken security of Fedora for 
regular users.

>>
>>
>> Regards,
>> Jakub
>> --
>> security mailing list
>> secur...@lists.fedoraproject.org 

>> 
http://lists.fedoraproject.org/admin/lists/secur...@lists.fedoraproject.org

>> --
>> devel mailing list
>> devel@lists.fedoraproject.org 
>> 
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org

>
> --
> devel mailing list
> devel@lists.fedoraproject.org 
> http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org



--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org


--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org

Re: Fwd: Use suid_dumpable=2 for development releases

[Andrew Lutomirski]

On Feb 15, 2016 10:36 PM, "Jakub Filak"  wrote:
>
> It looks like that there are no opponents of this change but several
supporters
> and few of them even want to have suid_dumpable=2 in all releases.
>
> I was thinking about it and Richard W.M. Jones' email about safeness of
> suid_dumpable=2 without ABRT gave me an idea to teach ABRT to set
> suid_dumpable=2 in abrt-ccpp.service. The service sets kernel.core_pattern
> (/proc/sys/kernel/core_pattern) to ABRT pattern, so it could also update
> suid_dumpable. If an administrator uninstalls/turns off ABRT,
suid_dumpable
> would get back the OS default value. If he/she modifies core_pattern by
hand,
> then he/she is skilled enough to spot kernel warning in the logs.
>
> What do you think about it?
> I would especially like to hear thoughts on this from security experts.
>
> Do I need to get any permission to do so?

This idea makes me very nervous.  I would *much* rather that the kernel be
changed.

Also, is ABRT itself safe?  That is, if an unprivileged user starts, say,
passwd and forces a coredump, can that user convince ABRT to show them the
core file?

--Andy

>
>
> Regards,
> Jakub
>
>
> On 02/12/2016 01:24 PM, Jakub Filak wrote:
>>
>> - Forwarded Message -
>> From: "Jakub Filak" 
>> To: secur...@lists.fedoraproject.org
>> Sent: Thursday, February 11, 2016 9:51:04 AM
>> Subject: Use suid_dumpable=2 for development releases
>>
>> Hello,
>>
>> As a maintainer of ABRT, I have been asked several times why ABRT does
not catch
>> crashes of many processes and one kind of reasons dominate among other
reasons
>> - processes that executes set-user-ID programs (man 5 core). These
processes
>> are not dumped at all if the value of /proc/sys/fs/suid_dumpable is 0
(man 5
>> proc) which is the default value.  With the default suid_dumpable
>> value, crashes caused by SIGABRT are not detectable because kernel
doesn't even
>> write a log message about that.
>>
>> The default value 0 is there for good security reason, but I would like
to
>> propose changing the default value to 2 for development Fedora releases
(Alpha,
>> Beta, Rawhide). In this case, kernel would send core dump to ABRT (or
>> systemd-coredump) and the ABRT record would be accessible only to root.
>>
>> I believe that maintainers of packages like chrony will be really
delighted
>> with this change, while will not weaken security of Fedora for regular
users.
>>
>>
>> Regards,
>> Jakub
>> --
>> security mailing list
>> secur...@lists.fedoraproject.org
>>
http://lists.fedoraproject.org/admin/lists/secur...@lists.fedoraproject.org
>> --
>> devel mailing list
>> devel@lists.fedoraproject.org
>> http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
>
> --
> devel mailing list
> devel@lists.fedoraproject.org
> http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org

Re: Fwd: Use suid_dumpable=2 for development releases

[Jakub Filak]

It looks like that there are no opponents of this change but several 
supporters

and few of them even want to have suid_dumpable=2 in all releases.

I was thinking about it and Richard W.M. Jones' email about safeness of
suid_dumpable=2 without ABRT gave me an idea to teach ABRT to set
suid_dumpable=2 in abrt-ccpp.service. The service sets kernel.core_pattern
(/proc/sys/kernel/core_pattern) to ABRT pattern, so it could also update
suid_dumpable. If an administrator uninstalls/turns off ABRT, suid_dumpable
would get back the OS default value. If he/she modifies core_pattern by 
hand,

then he/she is skilled enough to spot kernel warning in the logs.

What do you think about it?
I would especially like to hear thoughts on this from security experts.

Do I need to get any permission to do so?


Regards,
Jakub

On 02/12/2016 01:24 PM, Jakub Filak wrote:

- Forwarded Message -
From: "Jakub Filak" 
To: secur...@lists.fedoraproject.org
Sent: Thursday, February 11, 2016 9:51:04 AM
Subject: Use suid_dumpable=2 for development releases

Hello,

As a maintainer of ABRT, I have been asked several times why ABRT does not catch
crashes of many processes and one kind of reasons dominate among other reasons
- processes that executes set-user-ID programs (man 5 core). These processes
are not dumped at all if the value of /proc/sys/fs/suid_dumpable is 0 (man 5
proc) which is the default value.  With the default suid_dumpable
value, crashes caused by SIGABRT are not detectable because kernel doesn't even
write a log message about that.

The default value 0 is there for good security reason, but I would like to
propose changing the default value to 2 for development Fedora releases (Alpha,
Beta, Rawhide). In this case, kernel would send core dump to ABRT (or
systemd-coredump) and the ABRT record would be accessible only to root.

I believe that maintainers of packages like chrony will be really delighted
with this change, while will not weaken security of Fedora for regular users.


Regards,
Jakub
--
security mailing list
secur...@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/secur...@lists.fedoraproject.org
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org

--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org

Re: Fwd: Use suid_dumpable=2 for development releases

[Jakub Filak]

I'm not a security expert but I would rather start with something
less ambitious and more secure. Just for sure.


Regards,
Jakub


On 02/15/2016 11:22 AM, Miroslav Vadkerti wrote:

The issue described in the article was fixed by requiring an absolute
path in core_pattern (If I understand it correctly).

If core_pattern is unsafe, the process is not dumped at all  (man 5 proc).

The kernel commit adds a warning, because kernel was silently ignoring
crashes and no one could notice.

If this is true, shouldn't we be safe to set the default to 2?

Note also, that having suid_dumpable = 0 is sometimes blocking other security 
features in Fedora, for example sssd running as non-root by default - 
https://bugzilla.redhat.com/show_bug.cgi?id=1212503

Regards,
/M



Regards,
Jakub

On 02/12/2016 07:32 PM, Richard W.M. Jones wrote:

--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org

--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org

Re: Fwd: Use suid_dumpable=2 for development releases

[Miroslav Vadkerti]

> The issue described in the article was fixed by requiring an absolute
> path in core_pattern (If I understand it correctly).
> 
> If core_pattern is unsafe, the process is not dumped at all  (man 5 proc).
> 
> The kernel commit adds a warning, because kernel was silently ignoring
> crashes and no one could notice.

If this is true, shouldn't we be safe to set the default to 2?

Note also, that having suid_dumpable = 0 is sometimes blocking other security 
features in Fedora, for example sssd running as non-root by default - 
https://bugzilla.redhat.com/show_bug.cgi?id=1212503

Regards,
/M

> 
> 
> Regards,
> Jakub
> 
> On 02/12/2016 07:32 PM, Richard W.M. Jones wrote:
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org

Re: Fwd: Use suid_dumpable=2 for development releases

[Jakub Filak]

On 02/12/2016 07:57 PM, Andrew Lutomirski wrote:

On Fri, Feb 12, 2016 at 10:32 AM, Richard W.M. Jones  wrote:

On Fri, Feb 12, 2016 at 07:24:06AM -0500, Jakub Filak wrote:

The default value 0 is there for good security reason, but I would
like to propose changing the default value to 2 for development
Fedora releases (Alpha, Beta, Rawhide). In this case, kernel would
send core dump to ABRT (or systemd-coredump) and the ABRT record
would be accessible only to root.

It seems like this would be unsafe if core_pattern is not a pipe or
fully qualified path.

   Ref: https://lwn.net/Articles/503682/

That's fine when ABRT is running, but would be unsafe if someone
disabled ABRT by directly setting core_pattern (eg. to "core.%p"), but
forgot about suid_dumpable.

The kernel does emit KERN_WARNING about this situation (upstream
commit 54b501992dd2), but it's not clear if a sysadmin would notice.

(I'm actually quite happy for the default to be changed as you
suggest, but can see it's a bit of a minefield.)

We could change the kernel to add suid_dumpable == 3 which is like
suid_dumpable==2 but only if the core_pattern is a pipe.


I didn't know that 3 is supported for suid_dumpable.
The value of 3 is not documented [1] and I can't find it in the source 
code [2].



Regards,
Jakub


1: http://man7.org/linux/man-pages/man5/proc.5.html
2: 
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/include/linux/sched.h#n456

--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org

Re: Fwd: Use suid_dumpable=2 for development releases

[Jakub Filak]

The issue described in the article was fixed by requiring an absolute
path in core_pattern (If I understand it correctly).

If core_pattern is unsafe, the process is not dumped at all  (man 5 proc).

The kernel commit adds a warning, because kernel was silently ignoring
crashes and no one could notice.


Regards,
Jakub

On 02/12/2016 07:32 PM, Richard W.M. Jones wrote:

On Fri, Feb 12, 2016 at 07:24:06AM -0500, Jakub Filak wrote:

The default value 0 is there for good security reason, but I would
like to propose changing the default value to 2 for development
Fedora releases (Alpha, Beta, Rawhide). In this case, kernel would
send core dump to ABRT (or systemd-coredump) and the ABRT record
would be accessible only to root.

It seems like this would be unsafe if core_pattern is not a pipe or
fully qualified path.

   Ref: https://lwn.net/Articles/503682/

That's fine when ABRT is running, but would be unsafe if someone
disabled ABRT by directly setting core_pattern (eg. to "core.%p"), but
forgot about suid_dumpable.

The kernel does emit KERN_WARNING about this situation (upstream
commit 54b501992dd2), but it's not clear if a sysadmin would notice.

(I'm actually quite happy for the default to be changed as you
suggest, but can see it's a bit of a minefield.)

Rich.


--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org

Re: Fwd: Use suid_dumpable=2 for development releases

[Andrew Lutomirski]

On Fri, Feb 12, 2016 at 10:32 AM, Richard W.M. Jones  wrote:
> On Fri, Feb 12, 2016 at 07:24:06AM -0500, Jakub Filak wrote:
>> The default value 0 is there for good security reason, but I would
>> like to propose changing the default value to 2 for development
>> Fedora releases (Alpha, Beta, Rawhide). In this case, kernel would
>> send core dump to ABRT (or systemd-coredump) and the ABRT record
>> would be accessible only to root.
>
> It seems like this would be unsafe if core_pattern is not a pipe or
> fully qualified path.
>
>   Ref: https://lwn.net/Articles/503682/
>
> That's fine when ABRT is running, but would be unsafe if someone
> disabled ABRT by directly setting core_pattern (eg. to "core.%p"), but
> forgot about suid_dumpable.
>
> The kernel does emit KERN_WARNING about this situation (upstream
> commit 54b501992dd2), but it's not clear if a sysadmin would notice.
>
> (I'm actually quite happy for the default to be changed as you
> suggest, but can see it's a bit of a minefield.)

We could change the kernel to add suid_dumpable == 3 which is like
suid_dumpable==2 but only if the core_pattern is a pipe.

--Andy
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org

Re: Fwd: Use suid_dumpable=2 for development releases

[Richard W.M. Jones]

On Fri, Feb 12, 2016 at 07:24:06AM -0500, Jakub Filak wrote:
> The default value 0 is there for good security reason, but I would
> like to propose changing the default value to 2 for development
> Fedora releases (Alpha, Beta, Rawhide). In this case, kernel would
> send core dump to ABRT (or systemd-coredump) and the ABRT record
> would be accessible only to root.

It seems like this would be unsafe if core_pattern is not a pipe or
fully qualified path.

  Ref: https://lwn.net/Articles/503682/

That's fine when ABRT is running, but would be unsafe if someone
disabled ABRT by directly setting core_pattern (eg. to "core.%p"), but
forgot about suid_dumpable.

The kernel does emit KERN_WARNING about this situation (upstream
commit 54b501992dd2), but it's not clear if a sysadmin would notice.

(I'm actually quite happy for the default to be changed as you
suggest, but can see it's a bit of a minefield.)

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org

Re: Fwd: Use suid_dumpable=2 for development releases

[Miroslav Lichvar]

On Fri, Feb 12, 2016 at 12:40:37PM +, Tom Hughes wrote:
> On 12/02/16 12:24, Jakub Filak wrote:
> >I believe that maintainers of packages like chrony will be really delighted
> >with this change, while will not weaken security of Fedora for regular users.
> 
> What part of chrony is setuid? I don't see an suid bit on any of it's
> executables... Nor any file capabilities which is the other thing the manual
> page says triggers this.

The chrony files don't have any set*id bits set, but the chronyd
process, like many other daemons, calls setuid()/setgid() in order to
drop root privileges. The proc(5) man page lists that as a reason
for not producing a coredump.

I was wondering what security implications would setting suid_dumpable
to 2 by default had and why it needs to be restricted to development.

-- 
Miroslav Lichvar
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org

Re: Fwd: Use suid_dumpable=2 for development releases

[Tom Hughes]

On 12/02/16 12:24, Jakub Filak wrote:


As a maintainer of ABRT, I have been asked several times why ABRT does not catch
crashes of many processes and one kind of reasons dominate among other reasons
- processes that executes set-user-ID programs (man 5 core). These processes
are not dumped at all if the value of /proc/sys/fs/suid_dumpable is 0 (man 5
proc) which is the default value.  With the default suid_dumpable
value, crashes caused by SIGABRT are not detectable because kernel doesn't even
write a log message about that.

The default value 0 is there for good security reason, but I would like to
propose changing the default value to 2 for development Fedora releases (Alpha,
Beta, Rawhide). In this case, kernel would send core dump to ABRT (or
systemd-coredump) and the ABRT record would be accessible only to root.

I believe that maintainers of packages like chrony will be really delighted
with this change, while will not weaken security of Fedora for regular users.


What part of chrony is setuid? I don't see an suid bit on any of it's 
executables... Nor any file capabilities which is the other thing the 
manual page says triggers this.


Tom

--
Tom Hughes (t...@compton.nu)
http://compton.nu/
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org

Fwd: Use suid_dumpable=2 for development releases

[Jakub Filak]

- Forwarded Message -
From: "Jakub Filak" 
To: secur...@lists.fedoraproject.org
Sent: Thursday, February 11, 2016 9:51:04 AM
Subject: Use suid_dumpable=2 for development releases

Hello,

As a maintainer of ABRT, I have been asked several times why ABRT does not catch
crashes of many processes and one kind of reasons dominate among other reasons
- processes that executes set-user-ID programs (man 5 core). These processes
are not dumped at all if the value of /proc/sys/fs/suid_dumpable is 0 (man 5
proc) which is the default value.  With the default suid_dumpable
value, crashes caused by SIGABRT are not detectable because kernel doesn't even
write a log message about that.

The default value 0 is there for good security reason, but I would like to
propose changing the default value to 2 for development Fedora releases (Alpha,
Beta, Rawhide). In this case, kernel would send core dump to ABRT (or
systemd-coredump) and the ABRT record would be accessible only to root.

I believe that maintainers of packages like chrony will be really delighted
with this change, while will not weaken security of Fedora for regular users.


Regards,
Jakub
--
security mailing list
secur...@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/secur...@lists.fedoraproject.org
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org