
Re: Open then gates



On Sat, May 15, 2010 at 12:53:30PM +0200, Christoph Anton Mitterer wrote:
> On Fri, 2010-05-14 at 22:22 -0700, Russ Allbery wrote:
> > These are really odd complaints to bring against Debian given that these
> > are not Debian issues.  Firefox, for example, works exactly the same way
> > everywhere.  What do you want Debian to do, write our own web browser?
> > There are limits to what a distribution can do.
> Again, these are just example where things could be secured....
> Of course I do not want Debian to write its own browser, but we already
> patch some of them "quite heavily", don't we?
> E.g. firefox to support all the plugin-packages stuff?

So your argument is that it must be insecure because other things are
insecure?

> > For example, here, you don't appear to understand that we're talking about
> > the user umask, which should not be affecting system services,
> "should not"... well... I guess this isn't a proof, is it?

You claimed that it would, so it is up to you to prove you're right,
not the others to prove you're wrong.

> We've had so many examples of things that happened although they should
> not.
> udisks should have probably not exported the dm-crypt keys to normal
> users, but it did.
> Many scripts (don't remember a concrete example now) should have
> probably set a secure PATH, but they forgot to do so, and were
> attackable.
> sudo should have probably been secure, but it wasn't.... and if we would
> have added normal users to sudoers (like Ubuntu does as far as I know),
> "everything" would have been vulnerable.
> The openssl issue should have probably just solved some valgrind errors
> (wasn't that the idea of those patches?) but it probably led to the
> great disaster in cryptography in the last years...

Again, a random list of problems that have no correlation whatsoever
with UPG and umask.

> > If regular users can add other people to groups on your system, you have
> > way more serious security problems than user-private groups, and those
> > security problems are not created by Debian.
> Of course I talk about having this done by root.
> It seems you do not have experience with systems with several thousands
> of users, do you?
> If I'm e.g. a root user at my university, or an empowered registration
> authority for CERN,... I really cannot check whether what my users ask
> is sane.
> If user B says, please add user A to my group... I'll do it as long as
> no system user/group is involved.

So your argument against something that is secure by default is that
you could make it insecure by doing a really brain-damaged thing? Of
course having a umask of 022 doesn't really prevent you from doing
stupid things, so I don't see how it would improve security in this
specific instance.

> Not to talk about the fact what happens, if at one day one wants to move
> away from UPGs...

Right, let's not talk about that, because it is completely irrelevant
for the current discussion.

> > And here, you appear to have completely misunderstood the purpose of
> > user-private groups in exactly the way that I tried to explain earlier.
> > If there is anyone in a user-private group other than the user
> > corresponding to it, you have broken user-private groups and created a
> > security hole on your system.
> Yes I know... (the concept of them is really not so difficult to
> understand, is it?)
> 
> > But that's your misconfiguration, not
> > something Debian did.
> Honestly,... real world is different... see my example above in big
> organisations, consider the fact that users typically have no idea what
> they're doing...

That's why they don't have the rights to change their group. If root
has so little idea of what he's doing that he adds other users to a
UPG, then quite honestly he should consider the possibility that he
has chosen the wrong line of work.

> And even if you don't consider...
> What we had now, was already kind of semi-UPGs wasn't it?
> - Everybody had his private group, which others could be added to.

No. You never add others to a UPG. So the following points are moot.

> - But if others were added, they did not automatically have rwx-rights
> on basically everything.
> 
> With a default of 022:
> The owner of the file has to manually decide to make a file writeable by
> the members of his UPG, right?
> Isn't that much more secure than the other way round?
> 
> With a default of 077:
> It'd be even better, as the owner does not only have to deliberately
> decide for write, but also for read rights.
> 
> 
> > and every distribution picks something and leaves that to site policy,
> > rightfully.  022 is the "standard" default choice, and I think it's more
> > appropriate for a free software distribution, although I know that by
> > itself is a moderately controversial statement.
> IMHO, we generally should not do something, because any other distro is
> doing it.

No, but we can learn from others' experiences. Do you know of any
specific security problems in distributions that have UPG + umask 002?

> We should simply do the right thing.
> So let me make clear that I don't decline 002 because of "other
> distributions have 022",... I decline it because I consider it to be
> inherently insecure.

I don't. I currently see no problem with umask 002 in combination with
UPG. Your arguments boil down to two things:
- it must be insecure because completely unrelated other things are
- it can be made insecure by root doing a really stupid thing.

harry
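The umask question the thread argues over can be checked mechanically. This is an added example, not code from the thread or from Debian: it computes the mode a new file or directory gets under a given umask and lists who can write a newly created file given the members of the owner's group (names alice/bob and the group membership lists are constructed inputs). With a true user-private group the only member is the owner, so 002 and 022 grant the same set of writers; the sets differ only once root adds a second member to the UPG.

```shell
#!/bin/sh
# Added example (not part of the thread): what a given umask leaves on new
# files and directories, and whether that matters under user-private groups.

# Mode of a newly created file (request 666) or directory (request 777)
# after the umask is applied. $1 = umask in octal, $2 = requested mode.
effective_mode() {
    printf '%03o' $(( 0$2 & ~0$1 & 0777 ))
}

# Echo 1 if the group-write bit survives umask $1 on a regular file, else 0.
group_writable() {
    if [ $(( 0$(effective_mode "$1" 666) & 020 )) -ne 0 ]; then
        echo 1
    else
        echo 0
    fi
}

# Users who can write a freshly created file.
# $1 = umask, $2 = file owner, remaining args = members of the file's group.
# The owner can always write; group members only if the umask kept g+w.
writers() {
    umask_=$1; owner=$2; shift 2
    out=$owner
    if [ "$(group_writable "$umask_")" = 1 ]; then
        for member in "$@"; do
            [ "$member" != "$owner" ] && out="$out $member"
        done
    fi
    echo "$out"
}

# Walk the three umasks discussed in the thread for a proper UPG (owner is
# the only member) and for a UPG that root has "helpfully" extended.
demo() {
    for um in 002 022 077; do
        echo "umask $um: file $(effective_mode "$um" 666)" \
             "dir $(effective_mode "$um" 777)" \
             "UPG writers: [$(writers "$um" alice alice)]" \
             "extended-UPG writers: [$(writers "$um" alice alice bob)]"
    done
}

# Run the walk-through only when executed directly, not when sourced.
[ "${0##*/}" = "umask_upg.sh" ] && demo
```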
