Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
From: Toon Moene
Organization: Moene Computational Physics, Maartensdijk, The Netherlands
To: gcc@gcc.gnu.org
Date: Wed, 3 Apr 2024 20:04:31 +0200
In-Reply-To: <20240401150617.GF19478@gnu.wildebeest.org>
References: <20240329203909.GS9427@gnu.wildebeest.org> <20240401150617.GF19478@gnu.wildebeest.org>

On 4/1/24 17:06, Mark Wielaard wrote:

> A big thanks to everybody working this long Easter weekend who helped
> analyze the xz-backdoor and making sure the impact on Sourceware and
> the hosted projects was minimal.

Thanks for those efforts!

Now, I have seen two more days of thinking about this vulnerability ... but no one seems to address the following issues:

A hack was made in liblzma, which, when the code was executed by a daemon that by virtue of its function *has* to be run as root, was effective.

Two questions arise (as far as I am concerned):

1. Do daemons like sshd *have* to be linked with shared libraries? Or could it be left to the security minded of the downstream (binary) distributions to link it statically with known & proven correct libraries?

2. Is it a limitation of the Unix / Linux daemon concept that, once such a process needs root access, it has to have root access *always* - even when performing trivial tasks like compressing data?

I recall quite well (vis-a-vis question 2) that the VMS equivalent would drop all privileges at the start of the code, and request only those relevant when actually needed (e.g., to open a file for reading that was owned by [the equivalent on VMS] of root - or perform other functions that only root could do), and then drop them immediately afterwards again.

Kind regards,

-- 
Toon Moene - e-mail: toon@moene.org - phone: +31 346 214290
Saturnushof 14, 3738 XG Maartensdijk, The Netherlands
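The Unix counterpart of the VMS privilege life cycle described in question 2, as an added example that is not part of the original thread: seteuid() drops root for routine work while the saved set-user-ID keeps it available, and setresuid() discards it for good, with each drop verified rather than assumed. Uid 65534 and the function names are this example's own choices.

```c
#define _GNU_SOURCE          /* for setresuid() on glibc */
#include <sys/types.h>
#include <unistd.h>

/* Temporarily give up root: the effective uid becomes `unpriv`, while the
 * saved set-user-ID keeps root so it can be re-acquired later. A real daemon
 * would also drop supplementary groups and the gid before the uid. */
int drop_privileges_temporarily(uid_t unpriv)
{
    if (seteuid(unpriv) != 0) return -1;
    /* Never trust the call alone (CWE-273): confirm the drop took effect. */
    return geteuid() == unpriv ? 0 : -1;
}

/* Re-acquire the privilege kept in the saved set-user-ID. */
int regain_privileges(uid_t priv)
{
    return (seteuid(priv) == 0 && geteuid() == priv) ? 0 : -1;
}

/* Give up root for good: real, effective and saved uid all become `unpriv`,
 * so no later seteuid(0) can succeed. Verified by attempting exactly that. */
int drop_privileges_permanently(uid_t unpriv)
{
    if (setresuid(unpriv, unpriv, unpriv) != 0) return -1;
    return seteuid(0) == 0 ? -1 : 0;
}

/* As root, drop to uid 65534 (conventionally "nobody"; the kernel needs no
 * passwd entry for it). An unprivileged process can only remain itself. */
uid_t choose_unprivileged_uid(void)
{
    return geteuid() == 0 ? (uid_t)65534 : getuid();
}

/* The life cycle described for VMS, on Unix: drop privilege before routine
 * work, take it back only for the one step that needs it, then drop it for
 * good. Returns 0 when every step behaved as expected, else the failed step. */
int privilege_life_cycle(void)
{
    uid_t priv = geteuid();
    uid_t unpriv = choose_unprivileged_uid();
    if (drop_privileges_temporarily(unpriv) != 0) return 1;
    /* routine work, e.g. compressing data, would run here as `unpriv` */
    if (regain_privileges(priv) != 0) return 2;
    /* the single operation that really needs root would run here */
    if (drop_privileges_permanently(unpriv) != 0) return 3;
    return 0;
}
```

A drop performed inside main() happens after shared-library constructors have already run, so it bounds what later code can do, not what a library did at load time.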