Re: tcb for debian?

To: Alexander Reelsen <ref@tretmine.org>, debian-devel@lists.debian.org
Subject: Re: tcb for debian?
From: Russell Coker <russell@coker.com.au>
Date: Mon, 27 Jan 2003 12:17:21 +0100
Message-id: <[🔎] 200301271217.21144.russell@coker.com.au>
Reply-to: Russell Coker <russell@coker.com.au>
In-reply-to: <[🔎] 20030127084052.GA32512@tretmine.org>
References: <[🔎] 20030127084052.GA32512@tretmine.org>

On Mon, 27 Jan 2003 09:40, Alexander Reelsen wrote:
> Quick description (from the manpage)
> With  the  traditional password shadowing scheme, password hashes and
> password aging  information  of  all  users  is stored  in one file,
> /etc/shadow.  Therefore, if a process requires access to information on a
> single  user,  it  is forced  to  possess  privileges  which  are
> sufficient to access data on all users.  This is a design flaw, which is
> most  clearly  visible  in  the case of passwd(1) utility.  Let's assume
[...]
> The  solution  is  straightforward - each user is assigned its own,
> separate shadow-style file.  User U's shadow file is  owned by U, so
> passwd(1) invoked by U does not require superuser privileges.

This only helps if you have a Mandatory Access Control system such as SE Linux 
installed and operating correctly.

With a typical Linux setup you can exploit programs such as BIND, dhcpd, an 
FTP daemon, Sendmail, or sshd for full access to the system.  All these 
programs have a much worse history regarding security than passwd(1).

Remember, any program that authenticates users (every program that is 
conceptually equivalent to "login") has to be able to read everyone's shadow 
entries, and that means that if one of those programs is exploited an 
attacker can use crack to try and find passwords.

> It is very unlikely that such a small package which is not used that much,
> will get into debian if the glibc has to be patched, right?
> The glibc patch of the crypt_blowfish package is not even 2kb "big". (3
> lines added, however some files have to be copied additionally and the
> patch is for glibc 2.1.3)

You may be surprised.  If we can significantly increase the security of a 
system by patching glibc then I expect that the libc6 maintainers would be 
willing to consider it.

However I believe that until SE Linux, RSBAC, and GRSEC get wider use in 
Debian there is no point in even talking about getting such a change into 
Debian.  Currently people who want this can always have their own patched 
libc6, and people who are interested in maintaining it can run their own 
private apt repository for it.

I think that this "tcb" project offers nothing of benefit if you use standard 
Unix permissions (IE you have a standard Linux kernel without any security 
patches).

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Reply to:

Follow-Ups:
- Kernel patches (was: tcb for debian?)
  - From: martin f krafft <madduck@debian.org>
- Re: tcb for debian?
  - From: Javier Fernández-Sanguino Peña <jfs@computer.org>

References:
- tcb for debian?
  - From: Alexander Reelsen <ref@tretmine.org>

Prev by Date: Re: Bug#176267: ITP: mplayer -- Mplayer is a full-featured audioand video player for UN*X like systems
Next by Date: Re: Strange diagnostic
Previous by thread: tcb for debian?
Next by thread: Kernel patches (was: tcb for debian?)
Index(es):
- Date
- Thread