Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-20 Thread Lennart Poettering
On Thu, 16.04.15 19:30, Lennart Poettering (lenn...@poettering.net) wrote: > I will grant you though that it is confusing that we use > SD_BUS_CREDS_AUGMENT here like this, and implicitly rely on that the > selinux label is not a field that is being augmented. We should make > this explicit, absol

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-20 Thread Andy Lutomirski
On Apr 20, 2015 9:07 AM, "Lennart Poettering" wrote: > > On Mon, 20.04.15 08:51, Andy Lutomirski (l...@amacapital.net) wrote: > > > > > > I will grant you that they aren't particularly expressive, and I will > > > > > grant you that one day there might be better concepts. But that's not > > > > >

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-20 Thread Lennart Poettering
On Mon, 20.04.15 08:51, Andy Lutomirski (l...@amacapital.net) wrote: > > > > I will grant you that they aren't particularly expressive, and I will > > > > grant you that one day there might be better concepts. But that's not > > > > a strong reason not to support them really, that's just a reason

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-20 Thread Josh Triplett
On April 20, 2015 8:39:33 AM PDT, Lennart Poettering wrote: >On Fri, 17.04.15 08:52, Josh Triplett (j...@joshtriplett.org) wrote: > >> On Thu, Apr 16, 2015 at 08:23:45PM +0200, Lennart Poettering wrote: >> > Now, to put together a more complex scenario for you: consider a >small >> > web UI that

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-20 Thread Andy Lutomirski
On Apr 20, 2015 8:22 AM, "Lennart Poettering" wrote: > > On Mon, 20.04.15 08:08, Andy Lutomirski (l...@amacapital.net) wrote: > > > On Apr 20, 2015 7:57 AM, "Lennart Poettering" > > wrote: > > > > > > On Fri, 17.04.15 09:14, Andy Lutomirski (l...@amacapital.net) wrote: > > > > > > > My point here

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-20 Thread Lennart Poettering
On Fri, 17.04.15 08:52, Josh Triplett (j...@joshtriplett.org) wrote: > On Thu, Apr 16, 2015 at 08:23:45PM +0200, Lennart Poettering wrote: > > Now, to put together a more complex scenario for you: consider a small > > web UI that can be used to set the system time. It should really run at > > minim

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-20 Thread Lennart Poettering
On Mon, 20.04.15 08:08, Andy Lutomirski (l...@amacapital.net) wrote: > On Apr 20, 2015 7:57 AM, "Lennart Poettering" > wrote: > > > > On Fri, 17.04.15 09:14, Andy Lutomirski (l...@amacapital.net) wrote: > > > > > My point here is that there's no real shortage of downsides to this > > > scheme, an

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-20 Thread Andy Lutomirski
On Apr 20, 2015 7:57 AM, "Lennart Poettering" wrote: > > On Fri, 17.04.15 09:14, Andy Lutomirski (l...@amacapital.net) wrote: > > > My point here is that there's no real shortage of downsides to this > > scheme, and there still appears to be little to no benefit. > > Well, let's turn this around.

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-20 Thread Lennart Poettering
On Fri, 17.04.15 13:43, Simon McVittie (simon.mcvit...@collabora.co.uk) wrote: > On 16/04/15 15:52, Andy Lutomirski wrote: > > (I really think this dichotomy > > needs to be removed, *especially* since it looks like code already > > exists to try to use both metadata sources. This seems like it's

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-20 Thread Lennart Poettering
On Fri, 17.04.15 09:14, Andy Lutomirski (l...@amacapital.net) wrote: > My point here is that there's no real shortage of downsides to this > scheme, and there still appears to be little to no benefit. Well, let's turn this around. You seem to really dislike caps. And you vaguely claim security ho

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-17 Thread josh
On Fri, Apr 17, 2015 at 06:00:04PM +0200, David Herrmann wrote: > Hi > > On Fri, Apr 17, 2015 at 5:52 PM, Josh Triplett wrote: > > On Thu, Apr 16, 2015 at 08:23:45PM +0200, Lennart Poettering wrote: > >> Now, to put together a more complex scenario for you: consider a small > >> web UI that can b

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-17 Thread Andy Lutomirski
On Apr 17, 2015 4:53 AM, "Djalal Harouni" wrote: > > Hi Andy, > > On Thu, Apr 16, 2015 at 12:30:28PM -0700, Andy Lutomirski wrote: > > On Thu, Apr 16, 2015 at 11:23 AM, Lennart Poettering > > wrote: > [...] > > AFAICT this piece of kdbus code serves to enable a rather odd way to > > write privile

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-17 Thread Andy Lutomirski
On Apr 17, 2015 5:42 AM, "Simon McVittie" wrote: > > On 16/04/15 15:52, Andy Lutomirski wrote: > > (I really think this dichotomy > > needs to be removed, *especially* since it looks like code already > > exists to try to use both metadata sources. This seems like it's just > > asking for securit

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-17 Thread Andy Lutomirski
On Apr 17, 2015 6:05 AM, "Cristian Rodríguez" wrote: > > On Fri, Apr 17, 2015 at 7:51 AM, Lennart Poettering > wrote: > > > Groups *suck* as authentication scheme. If you add one group for each > > privilege you want, then you'll have a huge number of groups, and > > that's hardly desirable. It's

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-17 Thread David Herrmann
Hi On Fri, Apr 17, 2015 at 5:52 PM, Josh Triplett wrote: > On Thu, Apr 16, 2015 at 08:23:45PM +0200, Lennart Poettering wrote: >> Now, to put together a more complex scenario for you: consider a small >> web UI that can be used to set the system time. It should really run at >> minimal privileges,

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-17 Thread Josh Triplett
On Thu, Apr 16, 2015 at 08:23:45PM +0200, Lennart Poettering wrote: > Now, to put together a more complex scenario for you: consider a small > web UI that can be used to set the system time. It should really run at > minimal privileges, after all it has a surface to the web. Hence you > write it as

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-17 Thread Cristian Rodríguez
On Fri, Apr 17, 2015 at 7:51 AM, Lennart Poettering wrote: > Groups *suck* as authentication scheme. If you add one group for each > privilege you want, then you'll have a huge number of groups, and > that's hardly desirable. It's pretty close to being unmanageable with > user/group editors. Also,

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-17 Thread Simon McVittie
On 16/04/15 15:52, Andy Lutomirski wrote: > (I really think this dichotomy > needs to be removed, *especially* since it looks like code already > exists to try to use both metadata sources. This seems like it's just > asking for security screw-ups.) Would it address this concern if there was an e

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-17 Thread Djalal Harouni
Hi Andy, On Thu, Apr 16, 2015 at 12:30:28PM -0700, Andy Lutomirski wrote: > On Thu, Apr 16, 2015 at 11:23 AM, Lennart Poettering > wrote: [...] > AFAICT this piece of kdbus code serves to enable a rather odd way to > write privilege-separated services to change the time and kill > processes. The

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-17 Thread Lennart Poettering
On Thu, 16.04.15 12:30, Andy Lutomirski (l...@amacapital.net) wrote: > > systemd itself checks CAP_SYS_KILL for clients asking to kill > > arbitrary services (which means invoking kill() to all PIDs in the > > service's cgroup). > > > > Similar to this, logind checks CAP_SYS_KILL for clients askin

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-17 Thread Lennart Poettering
On Thu, 16.04.15 12:45, Cameron Norman (camerontnor...@gmail.com) wrote: > On Thu, Apr 16, 2015 at 9:43 AM, Tom Gundersen wrote: > > On Thu, Apr 16, 2015 at 4:52 PM, Andy Lutomirski > > wrote: > >> The ratio of complexity of capability code the kdbus folks have > >> already written (hundreds of

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-17 Thread Lennart Poettering
On Thu, 16.04.15 12:52, Cameron Norman (camerontnor...@gmail.com) wrote: > > It's easy to construct similar examples, for example for timedated, > > where setting the system clock is subject to CAP_SYS_TIME, exactly > > like the underlying system call. Using timedated instead of the system > > cal

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-16 Thread Colin Walters
On Thu, Apr 16, 2015, at 02:23 PM, Lennart Poettering wrote: > > Now, to put together a more complex scenario for you: consider a small > web UI that can be used to set the system time. It should really run at > minimal privileges, after all it has a surface to the web. Hence you > write it as daemo

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-16 Thread Cameron Norman
On Thu, Apr 16, 2015 at 10:30 AM, Lennart Poettering wrote: > On Thu, 16.04.15 09:53, Andy Lutomirski (l...@amacapital.net) wrote: > >> > Can you please explain how precisely you think that sd-bus or systemd >> > or the way they use capabilities is exploitable in any way? You keep >> > claiming th

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-16 Thread Cameron Norman
On Thu, Apr 16, 2015 at 9:43 AM, Tom Gundersen wrote: > On Thu, Apr 16, 2015 at 4:52 PM, Andy Lutomirski wrote: >> The ratio of complexity of capability code the kdbus folks have >> already written (hundreds of lines across multiple files) to its >> utility (very near zero AFAICT) is, in my book,

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-16 Thread Andy Lutomirski
On Thu, Apr 16, 2015 at 11:23 AM, Lennart Poettering wrote: > On Thu, 16.04.15 10:52, Andy Lutomirski (l...@amacapital.net) wrote: > >> > >> > It would be very helpful if you could go into details on why you think >> > more care is needed here than for other things. Is there anything >> > non-triv

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-16 Thread Lennart Poettering
On Thu, 16.04.15 10:52, Andy Lutomirski (l...@amacapital.net) wrote: > > > > It would be very helpful if you could go into details on why you think > > more care is needed here than for other things. Is there anything > > non-trivial going on here that I'm missing? The way capabilities are > > expo

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-16 Thread Andy Lutomirski
On Thu, Apr 16, 2015 at 10:30 AM, Lennart Poettering wrote: > On Thu, 16.04.15 09:53, Andy Lutomirski (l...@amacapital.net) wrote: > >> > It's a noop, unless people OR in SD_BUS_CREDS_AUGMENT into the flags >> > of creds they want. Doing this basically voids your warranty: it means >> > that the c

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-16 Thread Andy Lutomirski
On Thu, Apr 16, 2015 at 10:43 AM, Tom Gundersen wrote: > On Thu, Apr 16, 2015 at 5:57 PM, Andy Lutomirski wrote: >>> We have several uses of this, see my mail to Jiri regarding >>> CAP_SYS_BOOT for instance: >>> https://lkml.org/lkml/2015/4/16/219 >> >> I read that, but I disagree with you. >>

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-16 Thread Tom Gundersen
On Thu, Apr 16, 2015 at 5:57 PM, Andy Lutomirski wrote: >> We have several uses of this, see my mail to Jiri regarding >> CAP_SYS_BOOT for instance: >> https://lkml.org/lkml/2015/4/16/219 > > I read that, but I disagree with you. > > CAP_SYS_BOOT is the privilege to directly hard-reboot the syst

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-16 Thread Lennart Poettering
On Thu, 16.04.15 09:53, Andy Lutomirski (l...@amacapital.net) wrote: > > It's a noop, unless people OR in SD_BUS_CREDS_AUGMENT into the flags > > of creds they want. Doing this basically voids your warranty: it means > > that the creds data shall be augmented with data from /proc, which are > > go

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-16 Thread Andy Lutomirski
On Thu, Apr 16, 2015 at 9:43 AM, Tom Gundersen wrote: > On Thu, Apr 16, 2015 at 4:52 PM, Andy Lutomirski wrote: >> Unshare your user namespace, set things up right, and systemd >> or any other server will see you as having all capabilities. You've >> fixed that in kdbus, but you haven't (and pro

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-16 Thread Andy Lutomirski
On Thu, Apr 16, 2015 at 8:59 AM, Lennart Poettering wrote: > On Thu, 16.04.15 07:52, Andy Lutomirski (l...@amacapital.net) wrote: > >> I'm looking at sd_bus_query_sender_privilege, which does: >> >> r = sd_bus_query_sender_creds(call, >> SD_BUS_CREDS_UID|SD_BUS_CREDS_EUID|SD_BUS_CREDS_EFFECTIVE_CA

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-16 Thread Tom Gundersen
On Thu, Apr 16, 2015 at 4:52 PM, Andy Lutomirski wrote: > Unshare your user namespace, set things up right, and systemd > or any other server will see you as having all capabilities. You've > fixed that in kdbus, but you haven't (and probably can't!) fix it in > the legacy code, and that legacy c

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-16 Thread Lennart Poettering
On Thu, 16.04.15 07:52, Andy Lutomirski (l...@amacapital.net) wrote: > I'm looking at sd_bus_query_sender_privilege, which does: > > r = sd_bus_query_sender_creds(call, > SD_BUS_CREDS_UID|SD_BUS_CREDS_EUID|SD_BUS_CREDS_EFFECTIVE_CAPS, > &creds); > > That, in turn, does: > > if (!c || !(

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-16 Thread Andy Lutomirski
On Thu, Apr 16, 2015 at 3:23 AM, Tom Gundersen wrote: > Hi Andy, > > On Thu, Apr 16, 2015 at 2:55 AM, Andy Lutomirski wrote: >> Yesterday, I discovered SD_BUS_VTABLE_CAPABILITY. Are there any >> examples in which it does anything? > > Please note that you need to be using kdbus to get any capabi

Re: [systemd-devel] SD_BUS_VTABLE_CAPABILITY

2015-04-16 Thread Tom Gundersen
Hi Andy, On Thu, Apr 16, 2015 at 2:55 AM, Andy Lutomirski wrote: > Yesterday, I discovered SD_BUS_VTABLE_CAPABILITY. Are there any > examples in which it does anything? Please note that you need to be using kdbus to get any capabilities transported, so in dbus1 this does nothing (as on dbus1 us