Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20140214081819.GA8547@alf.mars>
Date: Fri, 14 Feb 2014 09:18:19 +0100
From: Helmut Grohne <helmut@...divi.de>
To: Dimitri John Ledkov <xnox@...ian.org>
Cc: 738855@...s.debian.org, oss-security@...ts.openwall.com
Subject: Re: Bug#738855: initscripts: Skip killing root-owned process
 starting with @

On Fri, Feb 14, 2014 at 12:28:52AM +0000, Dimitri John Ledkov wrote:
> Thanks a lot for the review!

Hmm. Maybe you can hold this patch off for a little longer?

Pulling in oss-sec, because I am no longer sure that the remedy
addresses all relevant aspects. Summary of previous discussion follows
for oss-sec:

Dimitri Ledkov asked for the initscripts package to exempt root-owned
processes whose process name starts with an '@' from being killed in the
sendsigs script during shutdown. This support would make initscripts a
little more compatible with systemd, which is a good thing! The relevant
systemd documentation can be found at:
http://www.freedesktop.org/wiki/Software/systemd/RootStorageDaemons/

However, I doubt that the proposed restriction (effective UID of process
equals 0) is sufficient. For example in a SELinux context being root may
mean significantly less. Russel Coker runs a machine where you can log
into as root remotely, see http://www.coker.com.au/selinux/play.html. In
this context allowing user processes to not be killed merely by changing
their name could cause data loss during shutdown by blocking umount. I
do not understand the consequences of the above technique in other
security extension contexts, so I am asking here for help.

The alternative mechanism currently used by initscripts is to allow
daemons to write their PID to /run/sendsigs.omit.d/$daemon. Being a
file-based approach, it can be easily controlled in the SELinux context
using restorecon.

Another aspect of interest could be processes running as root with their
capability bounding set cleared or reduced.

So dear oss-sec readers, do you think that allowing processes whose
effective UID is 0 to not being killed during shutdown is a good idea?

If the answer is no, then please assign a CVE identifier for systemd
(version 38+, src/core/killall.c).

Helmut

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.