
Re: setuid/setgid binaries contained in the Debian repository.



On Mon, Aug 11, 2003 at 06:19:19PM +0200, Emile van Bergen wrote:

> On Mon, Aug 11, 2003 at 10:34:37AM -0400, Matt Zimmerman wrote:
> > No, I am thinking that far because I understand setuid semantics and
> > Unix security, and their weaknesses.
> 
> I doubt that. There are weaknesses, but they are not fundamental, but have
> to do with sloppy code.

You are free to doubt, but 30 years of exactly the same types of security
vulnerabilities suggest a fundamental weakness.  A fundamental weakness does
not necessarily imply an implementation flaw, but also refers (as in this
case) to a system whose correct implementation is prohibitively error-prone.

> The problem is that the wrapper that functions as the call gate is often
> not confined to a well controlled image, or makes calls to exploitable
> libraries before dropping privileges.

One example of a fundamental problem is that the only way to meaningfully
relinquish privileges is to be root in the first place.

> If it would be /fundamentally/ impossible to write secure setuid code, IOW if
> /no/ setuid program can shield itself from the influence of the invoking
> user, then unix misses a very fundamental component to do /any/ userspace
> authentication.

Frankly, it makes no difference if it is fundamentally impossible or not,
because we must deal with real code in the real world, not theory.  The
reality is that it is not at all straightforward, and a great majority of
the time, mistakes are made.  The Unix security model means that these
mistakes are catastrophic, and often result in compromise of the entire
system.

Not only do we continue to see the same kinds of bugs appearing both in new
programs and old programs, but we are still discovering new vectors to
attack common code (such as the C library), which can affect a huge number
of programs all at once.

> A lot of computer security relies on controlled entry points that elevate
> privileges. Look at most CPU architectures. Setuid is just Unix'
> implementation of the concept.

How many attack vectors can you think of for a CPU's supervisor mode?  How
about a setuid program on a Unix system?  See the difference?

-- 
 - mdz
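As an added illustration of the privilege-dropping step the quoted text refers to (this is not code from the thread or from any Debian package): a C routine that drops supplementary groups, the gid and the uid in that order, then verifies that the drop took effect and cannot be undone. It assumes Linux/glibc for setresuid()/setresgid()/getresuid(), and the demo in main() uses the caller's own ids so it can be run unprivileged.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to the target uid/gid. Returns 0 on success, -1 otherwise. */
int drop_privileges(uid_t uid, gid_t gid)
{
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;

    /* Supplementary groups first: only root may change them, and forgetting
       them leaves memberships such as "shadow" or "disk" behind. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;

    /* gid before uid: once the uid is gone, setresgid() would no longer be
       permitted. Set real, effective AND saved ids so nothing can be restored. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;

    /* Verify: all three ids (including the saved ones) now match the target. */
    if (getresuid(&ruid, &euid, &suid) != 0 || getresgid(&rgid, &egid, &sgid) != 0)
        return -1;
    if (ruid != uid || euid != uid || suid != uid)
        return -1;
    if (rgid != gid || egid != gid || sgid != gid)
        return -1;

    /* Verify the drop is irrevocable: regaining root must fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Demo (hypothetical target): as an unprivileged user this "drops" to the
       current ids and confirms root cannot be regained; a real setuid program
       would pass the unprivileged uid/gid it intends to run as. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("running as uid=%u gid=%u, privileges dropped\n",
           (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```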