Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20190711162601.RE3Tr%steffen@sdaoden.eu>
Date: Thu, 11 Jul 2019 18:26:01 +0200
From: Steffen Nurpmeso <steffen@...oden.eu>
To: "Perry E. Metzger" <perry@...rmont.com>
Cc: oss-security@...ts.openwall.com, Malte Kraus <malte.kraus@...e.com>
Subject: Re: Privileged File Access from Desktop
 Applications

Perry E. Metzger wrote in <20190711114710.09ab5ad9@...berwock.cb.piermon\
t.com>:
 |On Thu, 11 Jul 2019 13:57:19 +0000 Malte Kraus <malte.kraus@...e.com>
 |wrote:
 |> On Thu, 2019-07-11 at 09:33 -0400,  Perry E. Metzger wrote:
 ...
 |> I didn't (intend to) say there is an (additional) security problem.
 |> I just tried to succinctly explain why the desktop environments are
 |> coming up with these D-Bus interfaces now.
 |
 |It seems like a bad idea.
 |
 |If one wants to have mechanisms by which the operating system can
 |allow unprivileged programs to temporarily assume privileges (which
 |is a frequent idea in security), then they should be carefully
 |designed and part of the OS, rather than creating an ad hoc facility
 |via a subsystem that isn't intended for it. There are good ways to do
 |that, like capabilities.

Sending this remark because a few days ago i posted something
similar to a gnupg ML.

From my point of view there is root user hysteria in Unix and
clones, maybe forever, but i see it consciously in the last years.
If the solution against SETUID programs or other, finer grained
privileges, but which anyway can be detected via file system
tools, is that privilege adjustments u-boat away to something that
needs source code or over-the-wire analysis to being detected at
all, i fail to see how this leads to something better.

Without personally having made it there yet, i think the
traditional way of in-application sandboxing fits better, even
with SETUID programs which first perform some higher-privilege
setup before going more secure, like capsicum on FreeBSD,
pledge/unveil on OpenBSD, or prctl, seccomp (and apparmor) on
Linux.  Or even interesting entire frameworks like CloudABI.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.