Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
From: Paul Koning
To: Toon Moene
Cc: gcc@gcc.gnu.org
Date: Wed, 3 Apr 2024 14:24:02 -0400
References: <20240329203909.GS9427@gnu.wildebeest.org> <20240401150617.GF19478@gnu.wildebeest.org>

> On Apr 3, 2024, at 2:04 PM, Toon Moene wrote:
>
> On 4/1/24 17:06, Mark Wielaard wrote:
>
>> A big thanks to everybody working this long Easter weekend who helped
>> analyze the xz-backdoor and make sure the impact on Sourceware and
>> the hosted projects was minimal.
>
> Thanks for those efforts!
>
> Now, I have seen two more days of thinking about this vulnerability ...
> but no one seems to address the following issues:
>
> A hack was made in liblzma, which, when the code was executed by a
> daemon that by virtue of its function, *has* to be run as root, was
> effective.
>
> Two questions arise (as far as I am concerned):
>
> 1. Do daemons like sshd *have* to be linked with shared libraries?
> Or could it be left to the security-minded of the downstream
> (binary) distributions to link it statically with known & proven
> correct libraries?

I would add: should IFUNC be deleted? Or alternatively, should it be
strictly limited only to non-security-sensitive applications when not
running as root?

> 2. Is it a limitation of the Unix / Linux daemon concept that, once
> such a process needs root access, it has to have root access
> *always* - even when performing trivial tasks like compressing
> data?

Clearly not, given the existence of the "seteuid" syscall.

> I recall quite well (vis-a-vis question 2) that the VMS equivalent
> would drop all privileges at the start of the code, and request only
> those relevant when actually needed (e.g., to open a file for reading
> that was owned by [the equivalent on VMS] of root - or perform other
> functions that only root could do), and then drop them immediately
> afterwards again.

Yes, and with additional effort all "root" type applications could be
written that way.

	paul