public inbox for glibc-bugs@sourceware.org
* [Bug libc/11643] ldopen failing with relative path ($ORIGIN) when a capability is set
       [not found] <bug-11643-131@http.sourceware.org/bugzilla/>
@ 2014-06-30 17:55 ` fweimer at redhat dot com
  0 siblings, 0 replies; 7+ messages in thread
From: fweimer at redhat dot com @ 2014-06-30 17:55 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=11643

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security-

-- 
You are receiving this mail because:
You are on the CC list for the bug.



* [Bug libc/11643] ldopen failing with relative path ($ORIGIN) when a capability is set
  2010-05-28 16:29 [Bug libc/11643] New: " bugeaud at gmail dot com
                   ` (4 preceding siblings ...)
  2010-05-31 17:13 ` pasky at suse dot cz
@ 2010-07-28 14:07 ` bugeaud at gmail dot com
  5 siblings, 0 replies; 7+ messages in thread
From: bugeaud at gmail dot com @ 2010-07-28 14:07 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From bugeaud at gmail dot com  2010-07-28 14:07 -------
Hello Petr,

Thanks for this explanation, this helps to solve the puzzle.

To me this is an obvious bug: I cannot use POSIX capabilities and the only 
workaround is to give SUID!

My understanding of capabilities was that they are something "less harmful" than 
SUID, because if you are SUID you don't need them, you own all the caps! My 
understanding was also that they are implemented in a secure way, which means 
that if I have given somebody a right, he cannot go any further and get 
another one "for free" and thus gain complete SU status. Am I correct?

In a way, we could rephrase your points by asking:
Are POSIX capabilities secured?
Should we use POSIX capabilities as a way of securing Linux based systems and 
removing as many SU/sticky bit headaches as possible?

I will try to question the ML, but keep the possibility of reopening this if 
nobody clarifies this security situation.

I understand that this is not a simple issue, but I would not have bugged people 
with something that RFM would solve.

Cheers,
JB

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=11643

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.



* [Bug libc/11643] ldopen failing with relative path ($ORIGIN) when a capability is set
  2010-05-28 16:29 [Bug libc/11643] New: " bugeaud at gmail dot com
                   ` (3 preceding siblings ...)
  2010-05-29  9:43 ` bugeaud at gmail dot com
@ 2010-05-31 17:13 ` pasky at suse dot cz
  2010-07-28 14:07 ` bugeaud at gmail dot com
  5 siblings, 0 replies; 7+ messages in thread
From: pasky at suse dot cz @ 2010-05-31 17:13 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From pasky at suse dot cz  2010-05-31 17:13 -------
Roland's point is that bugzilla is for actual bugs; this is not an obvious bug,
more of a discussion point. If you have questions about it, you should ask on
libc-help.

(Before you do that, consider that AT_SECURE is set by the kernel when the
process has more privileges than the user starting it, and thus the means for the
user to plug custom code into the process context should be limited. More
privileges does not just mean "superuser"; the whole point of capabilities is
that specific privileges can be abused as well. The moment you allow $ORIGIN for
a process with a certain capability, it's just as if you'd simply given all users
on the system the capability right away.)

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=11643


* [Bug libc/11643] ldopen failing with relative path ($ORIGIN) when a capability is set
  2010-05-28 16:29 [Bug libc/11643] New: " bugeaud at gmail dot com
                   ` (2 preceding siblings ...)
  2010-05-28 22:31 ` roland at gnu dot org
@ 2010-05-29  9:43 ` bugeaud at gmail dot com
  2010-05-31 17:13 ` pasky at suse dot cz
  2010-07-28 14:07 ` bugeaud at gmail dot com
  5 siblings, 0 replies; 7+ messages in thread
From: bugeaud at gmail dot com @ 2010-05-29  9:43 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From bugeaud at gmail dot com  2010-05-29 09:43 -------
Either #4177 is obsolete, or my guess is that it will be quite difficult for anyone 
to "get educated" on $ORIGIN behaviour ("nominal behavior") and the expected impact 
on security when working with POSIX capabilities.

I know "code is the reference", but having to dig in glibc internals and even the 
kernel (!!) only to make sure how something should behave "by design" always 
tastes bitter to me. So, I will have to take a pickaxe and dig the Web & the ML ;)

Anyway, thanks Roland.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
  BugsThisDependsOn|                            |4177


http://sourceware.org/bugzilla/show_bug.cgi?id=11643


* [Bug libc/11643] ldopen failing with relative path ($ORIGIN) when a capability is set
  2010-05-28 16:29 [Bug libc/11643] New: " bugeaud at gmail dot com
  2010-05-28 18:30 ` [Bug libc/11643] " roland at gnu dot org
  2010-05-28 22:11 ` bugeaud at gmail dot com
@ 2010-05-28 22:31 ` roland at gnu dot org
  2010-05-29  9:43 ` bugeaud at gmail dot com
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: roland at gnu dot org @ 2010-05-28 22:31 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From roland at gnu dot org  2010-05-28 22:31 -------
You seem to misunderstand the nature of security checks and privilege escalation
risks.  This is not the place to get educated.  Do not reopen this bug.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |INVALID


http://sourceware.org/bugzilla/show_bug.cgi?id=11643


* [Bug libc/11643] ldopen failing with relative path ($ORIGIN) when a capability is set
  2010-05-28 16:29 [Bug libc/11643] New: " bugeaud at gmail dot com
  2010-05-28 18:30 ` [Bug libc/11643] " roland at gnu dot org
@ 2010-05-28 22:11 ` bugeaud at gmail dot com
  2010-05-28 22:31 ` roland at gnu dot org
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: bugeaud at gmail dot com @ 2010-05-28 22:11 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From bugeaud at gmail dot com  2010-05-28 22:11 -------
My understanding is that, when AT_SECURE is set, it is up to glibc to decide 
what to do with it, and as in the example given UID=EUID, there is no superuser 
escalation possible. So $ORIGIN should be safe, as the only extra feature granted 
to the process is set using the capabilities (file system level, granted by root) 
and no other capabilities can be added by the user.

In that context, this means that when AT_SECURE is set glibc should perform its 
own check. Something like: if EUID==UID then grantOriginEscaping else 
forbidOriginEscaping

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |


http://sourceware.org/bugzilla/show_bug.cgi?id=11643


* [Bug libc/11643] ldopen failing with relative path ($ORIGIN) when a capability is set
  2010-05-28 16:29 [Bug libc/11643] New: " bugeaud at gmail dot com
@ 2010-05-28 18:30 ` roland at gnu dot org
  2010-05-28 22:11 ` bugeaud at gmail dot com
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: roland at gnu dot org @ 2010-05-28 18:30 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From roland at gnu dot org  2010-05-28 18:29 -------
This is not a bug.  It's a security feature.  $ORIGIN can be abused to load
different libraries into the process and effect a privilege escalation.  So,
like LD_LIBRARY_PATH, it is disabled in a process that is setuid or similarly
privileged.

The Linux kernel decides what constitutes "setuid-like" by setting the AT_SECURE
parameter at exec time.  libc just follows that.  If you want the rules for that
changed, take it up with the kernel people.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID


http://sourceware.org/bugzilla/show_bug.cgi?id=11643

