On Thu, 16.04.15 19:30, Lennart Poettering (lenn...@poettering.net) wrote:
> I will grant you though that it is confusing that we use
> SD_BUS_CREDS_AUGMENT here like this, and implicitly rely on that the
> selinux label is not a field that is being augmented. We should make
> this explicit, absol
On Apr 20, 2015 9:07 AM, "Lennart Poettering"
wrote:
>
> On Mon, 20.04.15 08:51, Andy Lutomirski (l...@amacapital.net) wrote:
>
> > > > > I will grant you that they aren't particularly expressive, and I will
> > > > > grant you that one day there might be better concepts. But that's not
> > > > >
On Mon, 20.04.15 08:51, Andy Lutomirski (l...@amacapital.net) wrote:
> > > > I will grant you that they aren't particularly expressive, and I will
> > > > grant you that one day there might be better concepts. But that's not
> > > > a strong reason not to support them really, that's just a reason
On April 20, 2015 8:39:33 AM PDT, Lennart Poettering
wrote:
>On Fri, 17.04.15 08:52, Josh Triplett (j...@joshtriplett.org) wrote:
>
>> On Thu, Apr 16, 2015 at 08:23:45PM +0200, Lennart Poettering wrote:
>> > Now, to put together a more complex scenario for you: consider a small
>> > web UI that
On Apr 20, 2015 8:22 AM, "Lennart Poettering"
wrote:
>
> On Mon, 20.04.15 08:08, Andy Lutomirski (l...@amacapital.net) wrote:
>
> > On Apr 20, 2015 7:57 AM, "Lennart Poettering"
> > wrote:
> > >
> > > On Fri, 17.04.15 09:14, Andy Lutomirski (l...@amacapital.net) wrote:
> > >
> > > > My point here
On Fri, 17.04.15 08:52, Josh Triplett (j...@joshtriplett.org) wrote:
> On Thu, Apr 16, 2015 at 08:23:45PM +0200, Lennart Poettering wrote:
> > Now, to put together a more complex scenario for you: consider a small
> > web UI that can be used to set the system time. It should really run at
> > minim
On Mon, 20.04.15 08:08, Andy Lutomirski (l...@amacapital.net) wrote:
> On Apr 20, 2015 7:57 AM, "Lennart Poettering"
> wrote:
> >
> > On Fri, 17.04.15 09:14, Andy Lutomirski (l...@amacapital.net) wrote:
> >
> > > My point here is that there's no real shortage of downsides to this
> > > scheme, an
On Apr 20, 2015 7:57 AM, "Lennart Poettering"
wrote:
>
> On Fri, 17.04.15 09:14, Andy Lutomirski (l...@amacapital.net) wrote:
>
> > My point here is that there's no real shortage of downsides to this
> > scheme, and there still appears to be little to no benefit.
>
> Well, let's turn this around.
On Fri, 17.04.15 13:43, Simon McVittie (simon.mcvit...@collabora.co.uk) wrote:
> On 16/04/15 15:52, Andy Lutomirski wrote:
> > (I really think this dichotomy
> > needs to be removed, *especially* since it looks like code already
> > exists to try to use both metadata sources. This seems like it's
On Fri, 17.04.15 09:14, Andy Lutomirski (l...@amacapital.net) wrote:
> My point here is that there's no real shortage of downsides to this
> scheme, and there still appears to be little to no benefit.
Well, let's turn this around. You seem to really dislike caps. And you
vaguely claim security ho
On Fri, Apr 17, 2015 at 06:00:04PM +0200, David Herrmann wrote:
> Hi
>
> On Fri, Apr 17, 2015 at 5:52 PM, Josh Triplett wrote:
> > On Thu, Apr 16, 2015 at 08:23:45PM +0200, Lennart Poettering wrote:
> >> Now, to put together a more complex scenario for you: consider a small
> >> web UI that can b
On Apr 17, 2015 4:53 AM, "Djalal Harouni" wrote:
>
> Hi Andy,
>
> On Thu, Apr 16, 2015 at 12:30:28PM -0700, Andy Lutomirski wrote:
> > On Thu, Apr 16, 2015 at 11:23 AM, Lennart Poettering
> > wrote:
> [...]
> > AFAICT this piece of kdbus code serves to enable a rather odd way to
> > write privile
On Apr 17, 2015 5:42 AM, "Simon McVittie"
wrote:
>
> On 16/04/15 15:52, Andy Lutomirski wrote:
> > (I really think this dichotomy
> > needs to be removed, *especially* since it looks like code already
> > exists to try to use both metadata sources. This seems like it's just
> > asking for securit
On Apr 17, 2015 6:05 AM, "Cristian Rodríguez" wrote:
>
> On Fri, Apr 17, 2015 at 7:51 AM, Lennart Poettering
> wrote:
>
> > Groups *suck* as authentication scheme. If you add one group for each
> > privilege you want, then you'll have a huge number of groups, and
> > that's hardly desirable. It's
Hi
On Fri, Apr 17, 2015 at 5:52 PM, Josh Triplett wrote:
> On Thu, Apr 16, 2015 at 08:23:45PM +0200, Lennart Poettering wrote:
>> Now, to put together a more complex scenario for you: consider a small
>> web UI that can be used to set the system time. It should really run at
>> minimal privileges,
On Thu, Apr 16, 2015 at 08:23:45PM +0200, Lennart Poettering wrote:
> Now, to put together a more complex scenario for you: consider a small
> web UI that can be used to set the system time. It should really run at
> minimal privileges, after all it has a surface to the web. Hence you
> write it as
On Fri, Apr 17, 2015 at 7:51 AM, Lennart Poettering
wrote:
> Groups *suck* as authentication scheme. If you add one group for each
> privilege you want, then you'll have a huge number of groups, and
> that's hardly desirable. It's pretty close to being unmanageable with
> user/group editors. Also,
On 16/04/15 15:52, Andy Lutomirski wrote:
> (I really think this dichotomy
> needs to be removed, *especially* since it looks like code already
> exists to try to use both metadata sources. This seems like it's just
> asking for security screw-ups.)
Would it address this concern if there was an e
Hi Andy,
On Thu, Apr 16, 2015 at 12:30:28PM -0700, Andy Lutomirski wrote:
> On Thu, Apr 16, 2015 at 11:23 AM, Lennart Poettering
> wrote:
[...]
> AFAICT this piece of kdbus code serves to enable a rather odd way to
> write privilege-separated services to change the time and kill
> processes. The
On Thu, 16.04.15 12:30, Andy Lutomirski (l...@amacapital.net) wrote:
> > systemd itself checks CAP_SYS_KILL for clients asking to kill
> > arbitrary services (which means invoking kill() to all PIDs in the
> > service's cgroup).
> >
> > Similar to this, logind checks CAP_SYS_KILL for clients askin
On Thu, 16.04.15 12:45, Cameron Norman (camerontnor...@gmail.com) wrote:
> On Thu, Apr 16, 2015 at 9:43 AM, Tom Gundersen wrote:
> > On Thu, Apr 16, 2015 at 4:52 PM, Andy Lutomirski
> > wrote:
> >> The ratio of complexity of capability code the kdbus folks have
> >> already written (hundreds of
On Thu, 16.04.15 12:52, Cameron Norman (camerontnor...@gmail.com) wrote:
> > It's easy to construct similar examples, for example for timedated,
> > where setting the system clock is subject to CAP_SYS_TIME, exactly
> > like the underlying system call. Using timedated instead of the system
> > cal
On Thu, Apr 16, 2015, at 02:23 PM, Lennart Poettering wrote:
>
> Now, to put together a more complex scenario for you: consider a small
> web UI that can be used to set the system time. It should really run at
> minimal privileges, after all it has a surface to the web. Hence you
> write it as daemo
On Thu, Apr 16, 2015 at 10:30 AM, Lennart Poettering
wrote:
> On Thu, 16.04.15 09:53, Andy Lutomirski (l...@amacapital.net) wrote:
>
>> > Can you please explain how precisely you think that sd-bus or systemd
>> > or the way they use capabilities is exploitable in any way? You keep
>> > claiming th
On Thu, Apr 16, 2015 at 9:43 AM, Tom Gundersen wrote:
> On Thu, Apr 16, 2015 at 4:52 PM, Andy Lutomirski wrote:
>> The ratio of complexity of capability code the kdbus folks have
>> already written (hundreds of lines across multiple files) to its
>> utility (very near zero AFAICT) is, in my book,
On Thu, Apr 16, 2015 at 11:23 AM, Lennart Poettering
wrote:
> On Thu, 16.04.15 10:52, Andy Lutomirski (l...@amacapital.net) wrote:
>
>> >
>> > It would be very helpful if you could go into details on why you think
>> > more care is needed here than for other things. Is there anything
>> > non-triv
On Thu, 16.04.15 10:52, Andy Lutomirski (l...@amacapital.net) wrote:
> >
> > It would be very helpful if you could go into details on why you think
> > more care is needed here than for other things. Is there anything
> > non-trivial going on here that I'm missing? The way capabilities are
> > expo
On Thu, Apr 16, 2015 at 10:30 AM, Lennart Poettering
wrote:
> On Thu, 16.04.15 09:53, Andy Lutomirski (l...@amacapital.net) wrote:
>
>> > It's a noop, unless people OR in SD_BUS_CREDS_AUGMENT into the flags
>> > of creds they want. Doing this basically voids your warranty: it means
>> > that the c
On Thu, Apr 16, 2015 at 10:43 AM, Tom Gundersen wrote:
> On Thu, Apr 16, 2015 at 5:57 PM, Andy Lutomirski wrote:
>>> We have several uses of this, see my mail to Jiri regarding
>>> CAP_SYS_BOOT for instance:
>>> https://lkml.org/lkml/2015/4/16/219
>>
>> I read that, but I disagree with you.
>>
On Thu, Apr 16, 2015 at 5:57 PM, Andy Lutomirski wrote:
>> We have several uses of this, see my mail to Jiri regarding
>> CAP_SYS_BOOT for instance:
>> https://lkml.org/lkml/2015/4/16/219
>
> I read that, but I disagree with you.
>
> CAP_SYS_BOOT is the privilege to directly hard-reboot the syst
On Thu, 16.04.15 09:53, Andy Lutomirski (l...@amacapital.net) wrote:
> > It's a noop, unless people OR in SD_BUS_CREDS_AUGMENT into the flags
> > of creds they want. Doing this basically voids your warranty: it means
> > that the creds data shall be augmented with data from /proc, which are
> > go
On Thu, Apr 16, 2015 at 9:43 AM, Tom Gundersen wrote:
> On Thu, Apr 16, 2015 at 4:52 PM, Andy Lutomirski wrote:
>> Unshare your user namespace, set things up right, and systemd
>> or any other server will see you as having all capabilities. You've
>> fixed that in kdbus, but you haven't (and pro
On Thu, Apr 16, 2015 at 8:59 AM, Lennart Poettering
wrote:
> On Thu, 16.04.15 07:52, Andy Lutomirski (l...@amacapital.net) wrote:
>
>> I'm looking at sd_bus_query_sender_privilege, which does:
>>
>> r = sd_bus_query_sender_creds(call,
>> SD_BUS_CREDS_UID|SD_BUS_CREDS_EUID|SD_BUS_CREDS_EFFECTIVE_CA
On Thu, Apr 16, 2015 at 4:52 PM, Andy Lutomirski wrote:
> Unshare your user namespace, set things up right, and systemd
> or any other server will see you as having all capabilities. You've
> fixed that in kdbus, but you haven't (and probably can't!) fix it in
> the legacy code, and that legacy c
On Thu, 16.04.15 07:52, Andy Lutomirski (l...@amacapital.net) wrote:
> I'm looking at sd_bus_query_sender_privilege, which does:
>
> r = sd_bus_query_sender_creds(call,
> SD_BUS_CREDS_UID|SD_BUS_CREDS_EUID|SD_BUS_CREDS_EFFECTIVE_CAPS,
> &creds);
>
> That, in turn, does:
>
> if (!c || !(
On Thu, Apr 16, 2015 at 3:23 AM, Tom Gundersen wrote:
> Hi Andy,
>
> On Thu, Apr 16, 2015 at 2:55 AM, Andy Lutomirski wrote:
>> Yesterday, I discovered SD_BUS_VTABLE_CAPABILITY. Are there any
>> examples in which it does anything?
>
> Please note that you need to be using kdbus to get any capabi
Hi Andy,
On Thu, Apr 16, 2015 at 2:55 AM, Andy Lutomirski wrote:
> Yesterday, I discovered SD_BUS_VTABLE_CAPABILITY. Are there any
> examples in which it does anything?
Please note that you need to be using kdbus to get any capabilities
transported, so in dbus1 this does nothing (as on dbus1 us