From: Ian Lance Taylor
Date: Wed, 3 Apr 2024 11:25:56 -0700
Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
To: Toon Moene
Cc: gcc@gcc.gnu.org
On Wed, Apr 3, 2024 at 11:05 AM Toon Moene wrote:
>
> Two questions arise (as far as I am concerned):
>
> 1. Do daemons like sshd *have* to be linked with shared libraries?
> Or could it be left to the security-minded of the downstream
> (binary) distributions to link it statically with known & proven
> correct libraries?

I like static linking personally, but it seems like glibc has made a
decision that shared linking is much preferred over static. That said,
my guess is that this kind of attack would have been effective on any
executable built as PIE. It relied on using an IFUNC hook to adjust
the PLT entry for a different function. And, of course, most
executables are built as PIE these days, because that is more secure
against different kinds of attacks.

> 2. Is it a limitation of the Unix / Linux daemon concept that, once
> such a process needs root access, it has to have root access
> *always*, even when performing trivial tasks like compressing
> data?
>
> I recall quite well (vis-a-vis question 2) that the VMS equivalent would
> drop all privileges at the start of the code, and request only those
> relevant when actually needed (e.g., to open a file for reading that was
> owned by [the equivalent on VMS] of root, or perform other functions
> that only root could do), and then drop them immediately afterwards again.

Note that the attack really didn't have anything to do with compressing
data. The library used an IFUNC to change the PLT of a different
function, so it effectively took control of the code that verified the
cryptographic key. The only part of the attack that involved
compression was the fact that it happened to live in a compression
library.

And it wouldn't matter whether the code that verified the cryptographic
key was run as root either; the effect of the attack was to say that the
key was OK, and that sshd should execute the command, and of course that
execution must be done on behalf of the requesting user, which (as I
understand it) could be root.

Ian
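The point above, that the hook lived in an IFUNC resolver rather than in anything to do with compression, suggests a simple defensive check: know which shared objects in a daemon's link closure export IFUNC symbols at all, since every such resolver runs inside the dynamic loader before the program's own code. The script below is an added example for this thread, not code from the discussion or from any of the projects named in it. It reads the ELF64 symbol tables directly (little-endian ELF64 only, an assumption; 32-bit objects are rejected) and lists every STT_GNU_IFUNC symbol. The function names and the sample ELF image it builds for offline testing are my own constructions, not real library data.

```python
import struct
import sys

# ELF constants from the System V ABI; STT_GNU_IFUNC is the GNU extension.
SHT_SYMTAB, SHT_STRTAB, SHT_DYNSYM = 2, 3, 11
STT_FUNC, STT_GNU_IFUNC = 2, 10
STB_LOCAL, STB_GLOBAL, STB_WEAK = 0, 1, 2
BIND_NAMES = {STB_LOCAL: "LOCAL", STB_GLOBAL: "GLOBAL", STB_WEAK: "WEAK"}
SYM_SIZE = 24  # sizeof(Elf64_Sym)


def _cstr(strtab: bytes, off: int) -> str:
    """Read one NUL-terminated name out of a string table."""
    return strtab[off:strtab.index(b"\0", off)].decode("ascii", "replace")


def list_ifunc_symbols(elf: bytes):
    """Return [(name, binding)] for every STT_GNU_IFUNC symbol found in the
    .symtab/.dynsym sections of a little-endian ELF64 image.

    Objects whose section headers were stripped yield an empty list here;
    auditing those would need a walk of the PT_DYNAMIC segment instead.
    """
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (e_shoff,) = struct.unpack_from("<Q", elf, 40)          # section header table offset
    e_shentsize, e_shnum, _ = struct.unpack_from("<HHH", elf, 58)
    # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, addralign, entsize
    sections = [struct.unpack_from("<IIQQQQIIQQ", elf, e_shoff + i * e_shentsize)
                for i in range(e_shnum)]
    found = []
    for (_, sh_type, _, _, sh_offset, sh_size, sh_link, _, _, sh_entsize) in sections:
        if sh_type not in (SHT_SYMTAB, SHT_DYNSYM):
            continue
        # sh_link of a symbol table is the index of its string table.
        str_off, str_size = sections[sh_link][4], sections[sh_link][5]
        strtab = elf[str_off:str_off + str_size]
        entsize = sh_entsize or SYM_SIZE
        for i in range(sh_size // entsize):
            st_name, st_info, _, _, _, _ = struct.unpack_from(
                "<IBBHQQ", elf, sh_offset + i * entsize)
            if st_info & 0xF == STT_GNU_IFUNC:      # low nibble = symbol type
                bind = BIND_NAMES.get(st_info >> 4, str(st_info >> 4))
                found.append((_cstr(strtab, st_name), bind))
    return found


def build_sample_library() -> bytes:
    """Constructed minimal ELF64 (ET_DYN, x86-64) exporting one IFUNC symbol
    and one plain FUNC symbol. It is a parser test fixture, not loadable."""
    dynstr = b"\0memcpy\0strlen\0"
    shstrtab = b"\0.dynsym\0.dynstr\0.shstrtab\0"

    def sym(name, info):
        return struct.pack("<IBBHQQ", name, info, 0, 12, 0x4000, 0x40)

    dynsym = (struct.pack("<IBBHQQ", 0, 0, 0, 0, 0, 0)          # mandatory null symbol
              + sym(1, (STB_GLOBAL << 4) | STT_GNU_IFUNC)       # "memcpy"
              + sym(8, (STB_GLOBAL << 4) | STT_FUNC))           # "strlen"
    off_dynsym = 64
    off_dynstr = off_dynsym + len(dynsym)
    off_shstr = off_dynstr + len(dynstr)
    off_sh = off_shstr + len(shstrtab)

    def shdr(name, typ, off, size, link, entsize):
        return struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, off, size, link, 0, 1, entsize)

    shdrs = (shdr(0, 0, 0, 0, 0, 0)
             + shdr(1, SHT_DYNSYM, off_dynsym, len(dynsym), 2, SYM_SIZE)
             + shdr(9, SHT_STRTAB, off_dynstr, len(dynstr), 0, 0)
             + shdr(17, SHT_STRTAB, off_shstr, len(shstrtab), 0, 0))
    ehdr = struct.pack("<4sBBBBB7xHHIQQQIHHHHHH",
                       b"\x7fELF", 2, 1, 1, 0, 0,   # ELF64, little-endian, SysV ABI
                       3, 62, 1,                    # ET_DYN, EM_X86_64, EV_CURRENT
                       0, 0, off_sh, 0,             # entry, phoff, shoff, flags
                       64, 0, 0, 64, 4, 3)          # sizes/counts, shstrndx = 3
    return ehdr + dynsym + dynstr + shstrtab + shdrs


def audit_file(path: str):
    """List IFUNC symbols of one shared object on disk."""
    with open(path, "rb") as fh:
        return list_ifunc_symbols(fh.read())


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        print("sample:", list_ifunc_symbols(build_sample_library()))
    for path in paths:
        syms = audit_file(path)
        print(f"{path}: {len(syms)} IFUNC symbol(s)")
        for name, bind in syms:
            print(f"  {bind:6} {name}")
```

Run it over each library that `ldd` reports for the daemon in question (for sshd that is typically `ldd /usr/sbin/sshd`, path assumed). glibc itself legitimately exports IFUNC symbols such as `memcpy`, which is how it picks CPU-specific implementations; the thing worth a second look is a resolver in a library whose job has nothing to do with that, which is exactly where this one lived.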