Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
BSD Operating Systems

OpenBSD Gains Privilege Elevation 314

ocipio writes "OpenBSD's systrace now has privilege elevation support. This means binaries no longer need to be suid or sgid an longer. Applications can be executed completely unprivileged. Systrace raises the privileges for a single system call depending on the configured policy."
This discussion has been archived. No new comments can be posted.

OpenBSD Gains Privilege Elevation

Comments Filter:
  • This sounds like a serious one, I hope they fix it faster than Microsoft fixed their's [entercept.com]
    • Re:Serious! (Score:3, Informative)

      by FordPrfct ( 159271 )
      I think you misunderstand.

      The message referenced indicates that this is a security feature, which will allow the individual system calls to be executed with escalated privileges. This is an advantage in that you do not need to have the entire binary executed with the escalated privileges, and so reducing the number of potential privilege escalation attacks.
  • 2 things (Score:2, Interesting)

    by vga_init ( 589198 )
    BSD is not dead! It's code lives on in every modern operating system today, most noteabley MacOS X. Go BSD! :)

    ...and isn't being able to run binaries unpriviledged a security hole, or am I just not getting it?

    • that's 3 things (Score:2, Insightful)

      by Anonymous Coward
      ...and isn't being able to run binaries unpriviledged a security hole, or am I just not getting it?

      Yes
    • Re:2 things (Score:5, Informative)

      by kamakazi ( 74641 ) on Thursday October 17, 2002 @11:23PM (#4476176)
      There are things that must run as root to work. The common way to allow normal users to do these things was to make them setuid, which meant that the application always runs as its owner, no matter who launched it. Yes, this can be a security hole if not configured wisely. Stuff that requires configuring network interfaces is a good example. This method allows an application to be run as joe_user, but still access privileged system calls, depending on configuration. It is less of a security hole than what is being done now.
  • Doesn't any READ ? (Score:4, Informative)

    by XTerm89D ( 609102 ) on Thursday October 17, 2002 @11:19PM (#4476152)
    It's not a bug, it's a feature !


    For example the Apache webserver, it needs to be started as root, in order to bind to port 80. Now this is no longer required, since a call to the new function will allow it to bind to 80 as an regular user, provided that the syscall is configged to allow that.

    Same goes for X, which now no longer needs to be run SUID.

    It probably won't be long before these mechanism is common good, but I wonder what happens if someone finds an exploit in THAT ?
    • by PotPieMan ( 54815 ) on Thursday October 17, 2002 @11:29PM (#4476203)
      Same goes for X, which now no longer needs to be run SUID.

      Does this mean X will run slightly slower compared with an suid installation? It seems like there would be more code running behind each syscall to check the configured policy, but it's probably not a significant amount - at least, not for current systems. I'm merely curious.
      • by Marillion ( 33728 ) <(ericbardes) (at) (gmail.com)> on Friday October 18, 2002 @12:00AM (#4476306)
        Under the UID 0 approach, all calls needed to do something. I haven't peeked at the code, but if I were to solve the problem, I would frontload the overhead of the syscall policy evaluation to the exec() call, store the results in a bitmap field. From there, it's bit math. A if (priv & PRIV_SOMECALL) has no more overhead than if (uid==0)
    • by lukew ( 528994 ) <woodzy@gmail.com> on Friday October 18, 2002 @01:50AM (#4476681)
      A little offtopic, but a great security approach that I haven't seen used to often is to port-forward port 80 to a non priviledged port Apache is running on (Say, 8080). Completely removes the need for root privs.
      • by FroMan ( 111520 )

        This works for httpd fairly well. However, consider procmail. It needs to be able to write to any users mail file. So for certain servers it works well. For certain ones it does not. Others that might have problems would be crond also. If crond cannot switch to the proper user when executing it will not work either.


        I don't see how this buys too much though. It doesn't explain the configuration policy. But I suppose if you can allow a certain app with the full path and maybe a checksum on the binary, then set the permissions to the app. like this: /usr/bin/procmail checksum +setuid() +setgid()

        That might work. But it seems easier to just say you will allow procmail to run setuid root. It keeps the idea simpler and does not require that the administrator know exactly what syscalls procmail makes.


        In summary, this might be a cool idea, but I think expecting a sysadmin to know exactly what syscalls an application needs to have for permissions is a bit much. Sure, you may claim that the admin should know these things, but do you really think an admin reads/understands all the source code that goes onto his system? I highly doubt it.

  • by WolfWithoutAClause ( 162946 ) on Thursday October 17, 2002 @11:21PM (#4476161) Homepage
    I've always hated the all or nothing priviledges that Unix uses.

    This sounds similar to a scheme that Java supports on some platforms (netscape?); I believe there is a setPrivilege() call.

    I'd like to see more of this kind of thing- restrictions to the file space that 'parts' of programs can access should be made, as well as I/O and networking restrictions. Is an email worm going to happen if the OS stops the macros from sending mail? Why should it if somebody else wrote the macro? There's a clear need for better granularity of security.

    We've seen how useful personal filewalls are for network interfaces- this needs to be extended to the other services that the OS supports.

    • by jhouserizer ( 616566 ) on Thursday October 17, 2002 @11:44PM (#4476249) Homepage

      Actually, this type of security is pervasive throughout the _standard_ Java libraries ... not just tied to netscape or any other implementation.

      Java's one of the few programming languages that has security built in from the ground up.

      And yes, this new BSD feature is VERY similar to Java's declaritive security mechanisms.

      (Please let's not start a war of "Java is cool vs. Java sucks", I wanted to provide the above!)
  • Interesting, but ... (Score:4, Interesting)

    by yeOldeSkeptic ( 547343 ) on Thursday October 17, 2002 @11:31PM (#4476209)

    how is this better than setuid, setgid? At least with setuid and setgid, control over system privileges is given on a per-application basis. With this per-system call method, the kernel somehow has to track each system call made by an application and grant or refuse privileges on some basis. (On what basis is unclear from the article.) This seems like a lot of data for a kernel to keep track of, considering the number of system calls a typical unix kernel has.

    Though I believe improvements to setuid, setgid is needed, per system call access privileges don't seem to be the right approach. I would much rather go with chroot jails for each application.

    • by alannon ( 54117 ) on Thursday October 17, 2002 @11:50PM (#4476271)
      chroot jails are almost completely unrelated to system-call security, unless the system call is to the file-system. chroot simply allows you to change the root of the file system so that the application cannot access part of the file-system beneath it. If the process is running as root, this helps nothing, since there are many ways of accessing the complete file-system bypassing the normal means if you are root.
      • by Fweeky ( 41046 ) on Friday October 18, 2002 @07:22AM (#4477471) Homepage
        Blegh, will people please stop using "chroot jail" when they really just mean "chroot"?

        This is jail [freebsd.org] - a syscall which puts a process inside it's own process list, user list, IP and root directory, while limiting various syscalls which might make it possible (or at least easy) to escape the jail.

        This is chroot [freebsd.org] - a syscall which puts a process inside it's own root directory. As you said, this is almost completely unrelated to system-call security.

        chroot is not jail, jail is not (merely) chroot. Calling chroot "chroot jail" actually makes it *less* clear what you're talking about.
    • by Carnage4Life ( 106069 ) on Thursday October 17, 2002 @11:52PM (#4476280) Homepage Journal
      how is this better than setuid, setgid? At least with setuid and setgid, control over system privileges is given on a per-application basis.

      Which do you think is more secure? Given a choice between having an application run as root [with all the attendant problems that this entails especially if a security problem is found in the app] versus giving the application minimal privileges [specifically all it needs to get the job done and nothing more], how could anyone think the setuid and setgid approach is better.

      The difference between both approaches is the difference between a sledge hammer and a surgeon's scalpel. In fact the only downside to the minimal privileges approach, is performance and efficiency. In this day and age where one can buy half a gig of memory for around $100 and 3.0 GHz processors are on the horizon it really is time for us to adopt techniques for building secure software that have been known for decades but unimplemented due to performance/efficiency concerns.
      • by yeOldeSkeptic ( 547343 ) on Friday October 18, 2002 @12:53AM (#4476493)
        Which do you think is more secure? Given a choice between having an application run as root [with all the attendant problems that this entails especially if a security problem is found in the app] versus giving the application minimal privileges [specifically all it needs to get the job done and nothing more], how could anyone think the setuid and setgid approach is better.

        setuid and setgid are not perfect and the recent spate of Linux vulnerabilities certainly speaks of the need for improvements in this area. My point is that doing away with setuid and setgid and replacing it with per system call access privileges does not seem to be the right way to increase security.

        With Posix (and Linux, which is Posix compliant) it is already possible for an application to drop it's privileges. This solves the problem of an application running its entire life as root. With the posix compliant call to setuid, an application can be setuid root only for as long as it needs to access privileged resources and can drop those privileges once it no longer needs to be root.

        However, the above article talks about an application elevating its privileges and for the kernel to grant that privilege on a system call basis. The article is short on the details but elevating the privileges of an application is certainly a very dangerous process. If an application asks the kernel to elevate its privileges, how is the kernel to decide if it should grant that request? My mind-set tells me that it should check the effective user id of the running process but then isn't this setuid and setgid again? If the kernel will grant this request by checking a list of applications that is allowed to do this, then how is this different from a kernel checking if an application is owned by root?

        I have stated my preferences for chroot jails and for a good reason. Once a system is cracked, the intruder can do with the filesystem as much as he pleases. At least with chroot jails, the intruder is restricted to the chroot directory and cleaning up the mess is easier. Yes, I know this is not a cure but I think the idea of jailing applications to a particular environment is a good idea.

        I am an old hand so my mind has petrified with an imprint of the old ways of doing things. I could be wrong, but until I am fully convinced, I will be among the voices that express caution at the idea of throwing away setuid and setgid.

        Just my half cent.

        • There is no need to speculate in how it works when you can just go to the webpage and have a look yourself. http://www.citi.umich.edu/u/provos/systrace/ [umich.edu]

        • by Carnage4Life ( 106069 ) on Friday October 18, 2002 @02:11AM (#4476755) Homepage Journal
          You are working backwards. Looking at it objectively, it is clear that a system where applications have to become superuser to perform certain tasks but can relinquish this authority is inferior to a system where superuser priveleges are never given to a process.

          Your position is understandable since this is how the Unix security model has worked for decades even though better mechanisms have been proposed but rarely caught on. For example, look at POSIX 1.E [xpilot.org] which is almost 2 decades for an example of a better model for handling systems permissions than the traditional Unix model. Recently there has been work done on FreeBSD POSIX 1.E capabilities [watson.org] as well as on the Linux front [dwheeler.com]. This is a good indication that more and more people are disatisfied with the deficiencies of the Unix security model and its reliance on a "superuser" account for so many essential tasks.

          Lastly I don't think any Linux distro has ever been certified as POSIX compliant although many feel that doing so wouldn't be difficult.
        • by RAMMS+EIN ( 578166 ) on Friday October 18, 2002 @02:20AM (#4476779) Homepage Journal
          ``With the posix compliant call to setuid, an application can be setuid root only for as long as it needs to access privileged resources and can drop those privileges once it no longer needs to be root.''
          This means that the application is allowed to execute any code as root, as long as it does setuid(0) first. Easy enough to sneak some malicious code in...

          ``If the kernel will grant this request by checking a list of applications that is allowed to do this, then how is this different from a kernel checking if an application is owned by root?''
          It's _very_ different. What this new system does is selectively allowing _some_ system calls that have traditionally required root priviliges to be executed by less priviliged users. For example, a webserver is allowed to bind to port 80, and X is allowed access to graphics hardware (note that svgalib has an IMHO elegant solution for this using kernel modules). Neither the webserver nor X need root access to the filesystem, so they aren't granted this under the new scheme. With setuid, there is no choice - granting access to ports 1023 requires root privileges, which can also be used to read and modify any file on the system.

          setuid is flawed and needed revision. If OpenBSD gets it right remains to be seen, but it's good they're trying. And since the OpenBSD dev team and its users consists in large part of hard-core security freaks, I have faitht that this is going to be a win. Congratulations on yet another great innovation from the OpenBSD folks!

          ---
          After months of research, they found the solution. Typewriters. They are intuitive to use, free of security issues, not hampered by unstable software, and you never have to wait for the printing queue again.
    • by Soko ( 17987 ) on Friday October 18, 2002 @12:00AM (#4476309) Homepage
      Yes, chroot jails are effective, but there are times when data - possibly sensitive data - has to be kept within the jail, or the daemon needs access to something outside the jail. Chrooting a secure HTTP server that is then compromised by a buffer overflow for example, would expose the files and databases that the HTTP daemon has access to. That is more easily a "get-out-of-jail-free" card than locking down single APIs.

      I would put forth that granting setuid via this method is more effective at securing systems, since you can more easily make sure that the API calls that need privs are written well and bullet proof. Minimal exposure to security risks is what we're after, right? So, this minimises the time that apps can expose themselves to major compromises, even more than a chroot jail. Both together means even better security.

      BTW, ACLs aren't much of a strain if done well - look at NTFS 5.1, which IMHO has ACLs done very well indeed.

      Soko
    • by jolan ( 187075 )
      Setuid / setgid requires the program to do all it's privileged dirty work initially and then drop privileges to ensure a reasonable level of security.

      This new feature in systrace reverses the whole process. Now daemons can run totally unprivileged and systrace can escalate privileges as needed for only the calls that need it.

      It's not as taxing as you think it is. Yes, there is slow down, but for the huge blanket of security it adds, I think the hit in speed is offset by the benefits.

      Chroot jails for each application isn't necessarily feasible. Take Apache for example.

      Apache in OpenBSD 3.2 runs in a chroot jail and even the parent process is run as www:www.
      Some of the apache modules in OpenBSD ports were modified to be chroot-aware. Some are hopeless.

      Properly configured Systrace policies can make the aforementioned broken modules work again and reduces the need for chroot.
  • Go OpenBSD! (Score:4, Insightful)

    by snorggle ( 614046 ) on Thursday October 17, 2002 @11:36PM (#4476223)

    Of course, I am biased as I run this fun little operating system on a produciton machine. 20 days away from one year uptime *ahem*. Ok, maybe that's not that great but it works well for me.

    I am glad to see that the team has forged ahead and taken a step that UNIX style operating systems have needed for quite some time. This is a wonderful step in the evoluction of security that ALL of *BSD/Linux/etc. should implement without delay. At least from an administrator's perspective, I think this should be the norm.

    For those that are unfamiliar with OpenBSD, it is a derivative of BSD that focuses its efforts onto creating a secure system without bells and whistles.

    As always this is my opinion..

    • by perry ( 7046 ) on Friday October 18, 2002 @12:33AM (#4476425)
      I hate to be a bitch here, but the feature was added to NetBSD first. I don't mean to imply NetBSD is better than OpenBSD, but maybe some equal billing would have been in order? And by the way, what happened to crediting the author of the code? The work was all done by Niels Provos, who's a damn good security guy.
    • Re:Go OpenBSD! (Score:2, Insightful)

      by lbruno ( 114856 )
      I run this fun little operating system on a produciton machine. 20 days away from one year uptime

      PLEASE UPDATE YOUR SYSTEM, DAMMIT! [openbsd.org]

  • by LordOfYourPants ( 145342 ) on Thursday October 17, 2002 @11:58PM (#4476300)
    If a flaw is found in the syscall lookups (ie: an app can make a sequence of syscalls to give itself priveledged access anyway) doesn't this mean literally any executable is capable of ruining your machine as opposed to only the suid root ones on any other *nix OS?

    Wouldn't a combination of both be better?
    • by perry ( 7046 ) on Friday October 18, 2002 @01:46AM (#4476668)
      What you're saying is "if the mechanism itself has a horrible bug might that let you break security?" Well, of course.

      However, if there is some sequence of syscalls that lets you, say, get root, well, you have root, and the game is over. What systrace means is, if you have a system with a reasonably bug free set of system calls, you can reduce or eliminate the vulnerability that misbehaving root privileged programs might cause.

      As an example, is really far better for, say, your ntpd to only have the ability to run the normally root prived ntp_adjtime call rather than to be able to do anything root could do. Systrace also lets you give up the ability to run calls like fork and exec that a given program may not need (ntpd does not need them). That way, if someone remotely breaks ntpd, well, they don't own your machine -- at best they can crash your ntpd. They can't fork a new program (a typical exploit would fork a privileged /bin/sh), and they have no access to "normal" root prived calls.
      • by evilviper ( 135110 ) on Friday October 18, 2002 @05:23AM (#4477184) Journal
        That way, if someone remotely breaks ntpd, well, they don't own your machine -- at best they can crash your ntpd.

        A big bad hacker broke into my OpenBSD box and changed the time... THE HEARTLESS BASTARD!
        • This could cause a serious denial-of-service by breaking distributed authentication requiring synchronised clocks, or it could cause information leakage by triggering at-jobs scheduled for the future whose existence would not otherwise be known.
        • Actually it can cause big issues. Many crypto systems rely on knowing what the tme is, so that certificates can be ignored if they are out of date. So if you spend 5 years cracking a certificate, the certs are probably then out of date, but then you hack the ntpd server and suddenly they work again, and ssh succumbing is moments away.
  • Logo! (Score:3, Funny)

    by snorggle ( 614046 ) on Friday October 18, 2002 @12:00AM (#4476310)
    What?!? No blowfish logo? Not that the little devil doesn't work or anything, but I'm used to seeing the blowfish associated with OpenBSD.

    And you have to admit it would bring nice little change to the front page, and maybe a few more "WTF is this?!?" posts. Especially if it was the sub logo from here [openbsd.org] :-)

    Yes... I'm a fanatic, now go away you insensitive clod.

  • Only system calls? (Score:5, Informative)

    by Virtex ( 2914 ) on Friday October 18, 2002 @12:16AM (#4476367)
    This sounds similar to an idea I've floated around to a few people, except that my idea worked on library functions. The idea was to allow setuid and setgid on individual functions instead of entire programs. When you called such a function, it would run with the elevated privileges determined by the ownership of the library file itself, and when it returned, permissions would go back to what they were previously.

    The one issue I had with this was what to do if a setuid function called another function. Should the privileges be passed onto the extra function? At first thought, it seems like it should, but consider this example:

    I have a library called libprivfunctions.so. Within this library is a function to open a privileged file:

    FILE *open_priv_file(void) {
    return fopen("/etc/priv.conf", "r");
    }

    We'll say this function is set to run as a setuid root (maybe /etc/priv.conf can only be read by root). An attacker could execute a

    export LD_PRELOAD=/home/attacker/libc.so

    before running a program linked against libprivfunctions.so. This version of libc.so would have a fopen that creates a root shell. When open_priv_file() is called, it will call the falsified fopen which, if run as root, will breach the security of the system. Maybe the easiest way around this would be to disallow any LD* variables when running programs linked against setuid/setgid functions (similar to the way setuid/setgid progams work). But the logic behind this gets complicated (you don't know if you're linking against setuid functions until after you've linked. But what if that outcome was caused by one of the LD* variables?).

    I would say that allowing elevated privileges to just system calls is a good way around this problem. Hats off to OpenBSD for another sound decision.
  • by Ulmo ( 64309 ) on Friday October 18, 2002 @12:25AM (#4476404)
    This is the first I've heard of Systrace privilege elevation. However, it seems to address what has historically been one of the greatest causes of security problems in Unix.

    If you look at the major vulnerabilities we've seen in Unix operating systems and software, they usually fall into one of three categories:

    1) Bugs in the kernel.

    2) Bugs in servers running with elevated privileges (often root).

    3) Bugs in suid binaries (often suid root).

    Privilege elevation could significantly reduce the problems caused by 2 and 3. It's by no means a silver bullet that's going to eliminate vulnerabilities, but it could produce a huge improvement.

    Consider how difficult it is to write a secure suid root binary. Not only do you have to be extremely careful about your own code, you have to worry about possible bugs in any of the libraries you link with. Some people (e.g. D. J. Bernstein) seem to have the knack of producing secure code first time, but even a good programmer who is always thinking about security can make the occasional mistake.

    With privilege elevation, such mistakes are no longer security disasters that grant complete root access to an attacker. The most an attacker can do is make the few privileged syscalls that are permitted by the systrace policy.
  • by dwheeler ( 321049 ) on Friday October 18, 2002 @12:27AM (#4476409) Homepage Journal
    First, an explanation for those who wonder what this means: this addition is a method for gaining finer control over exactly what privileges a trusted program has. If the method is actually used by the system, the system could be more resistant to attack. That's because even if an attacker took control over a privileged (trusted) program, the privileges of that program would be more limited.

    Somewhat similar capabilities also exist for Linux. The Linux Security Module (LSM) effort adds the ability to insert an additional access control mechanism into a Linux kernel (without a recompile). You can then at run-time insert a modules to add finer control over privileges. Several modules exist, such as SELinux. This approach makes it easier to experiment or create your own access control policy. There are various LSM modules already available; none of them are exactly like this, but most provide finer-grain control. There are definitely technical differences, too, but describing those differences would take up WAY too much space here.

    There are definitely situations where finer control over privileges is very desirable. Which way is the best way is very much in doubt. The good thing about finer control is that you can give a program only the privileges it needs. The bad thing about finer control is that it takes more work to set up. "Learning" from program runs helps, but it doesn't fully solve the problem - there are usually many conditions that aren't triggered by simple runs yet can happen in real life.

    Anyway, this kind of capability is a good thing. It will be interesting to see what happens over the years as people try out various ways to add finer control - the trick will be to add finer control while still keeping the system easy to administrate. It's not even clear that there is a single solution.

    • The bad thing about finer control is that it takes more work to set up. "Learning" from program runs helps, but it doesn't fully solve the problem - there are usually many conditions that aren't triggered by simple runs yet can happen in real life.
      It would seem to me, given source code, one could easily determine each and every syscall the program could possibly make. Perhaps programs could progamatically drop those certain priveledges it doesn't need, just like now how apache will drop from uid root after binding to port 80? The "fork" privelege, once dropped lets say, can never be reaquired. It would be really nice in an auditing sense, to be able to look at a process and see the list of priveledged syscalls.
  • by perry ( 7046 ) on Friday October 18, 2002 @12:29AM (#4476412)
    I really hate to say it, but:

    1) The story in no way credits Niels Provos, the author of systrace.

    2) The story does not mention that this feature was added to NetBSD first.

    I don't mean to claim "NetBSD is better" or anything, but at least say "OpenBSD and NetBSD" or "NetBSD and OpenBSD" or something, not "OpenBSD". Also, PLEASE credit the guy that did the work, eh?
  • Moderation? (Score:5, Funny)

    by VTg33k ( 605268 ) on Friday October 18, 2002 @12:35AM (#4476432)
    "This means binaries no longer need to be suid or sgid an longer."

    Doesn't Slashdot have any moderators who speak English? I'll gladly volunteer to read over the stories before you guys post them to the main page if it'll rid us of these ridiculous grammar, spelling, and style absurdities.
  • by jolan ( 187075 ) on Friday October 18, 2002 @12:40AM (#4476452)
    Niels Provos was an OpenBSD developer until recently. He's the same guy who did the PrivSep code for OpenSSH.

    It actually appeared in NetBSD first.

    http://mail-index.netbsd.org/current-users/2002/ 10 /11/0039.html
  • by fbsderr0r ( 601444 ) on Friday October 18, 2002 @01:00AM (#4476519)
    ACL's, MAC's and more http://www.trustedbsd.org/
  • What is the policy? (Score:3, Interesting)

    by njchick ( 611256 ) on Friday October 18, 2002 @01:13AM (#4476554) Journal
    Sorry for stupid question, but I cannot find any explanation of how the policy is configured. What should the program do to authenticate with the kernel and get the permissions defined in the policy?

    Using the executable file of the process would be dangerous because the attacker could use compromized shared libraries. Any passwords would require changes in the software (i.e. you'll have to recompile apache so that it could authenticate).

    The only thing I can think of is a token in the process environment that can only be set by root (maybe an additional group ID). So apache would still have to be run by a program with root permissions (init script) to be able to listen to port 80.

    • by perry ( 7046 ) on Friday October 18, 2002 @01:32AM (#4476610)
      The method employed is somewhat fiendish. A systraced program is "mastered" by a systrace daemon that gets information on all its system call activities and either thumbs up or thumbs down particular requests. (For performance reasons, things get fast pathed in many instances so the upcall doesn't have to happen.)

      Because of the way that this works, via a userland policy engine, the systrace daemon (which is user code) can use any method it likes to determine how to implement the policy. The way it is currently implemented, the systrace program reads a policy file associated with particular programs and makes decisions that way.

      There is no need for a program to authenticate to the kernel because the program itself has no knowledge of the policy and cannot evade it in any reasonable way.

      The mechanisms involved are still evolving a bit, but Niels has come up with a bunch of really good tricks here. I don't know that systrace is a finished mechanism as much as a toolkit for building new and more interesting mechanisms that are in the tradition of ACLs but much more flexible.
    • IIRC, you run the program through once, and the kernel stores all the priveleged calls in the policy file. This defines the set of allowed operations. During subsequent runs, the kernel checks this file to see if each priveleged operation is allowed.
  • Real security (Score:2, Interesting)

    by octogen ( 540500 )
    This is the first real kernel-level security feature in OpenBSD.

    Earlier versions of OpenBSD had only application-level security (secure applications, but running as root, and therefore no effective OS-level security below the application-level).

    Granting certain privileges to an application instead of all-powerful superuser-privileges is IMO the most-important security feature of a secure operating system - this is a standard feature on every trusted unix system, and actually i believe it should be a standard feature on every unix platform.
  • by g4dget ( 579145 ) on Friday October 18, 2002 @01:43AM (#4476658)
    UNIX has evolved for nearly 30 years around the idea that processes either have root privileges or they have user privileges. It's a sound and simple system. If, against that background, you add support for giving processes individual privileges, you risk doing more harm than good. Existing programs will assume that if a process demonstrates one privilege that traditionally only a root process posesses, then it must also have all the others. So, if you give a process specific privileges, you risk that it can acquire more because other processes will give it more trust than it deserves.

    In fact, even for OSes that start out with lots of different privileges, it's far from clear that it helps--programmers seem to have trouble understanding all the implications of all the different bits. For example, VMS, with its much-vaunted mess of security bits, ended up succumbing to a domino effect: you get one bit, then using that, the next one, then one more, until you can do whatever you want. The trouble is that when you tell a programmer that his code runs with "restore from backup privilege" (an example from a privilege happy OS of yore), they assume that's all they get and don't even consider all the other weird implications that that privilege may have. And who can blame them? Who can keep all the weird effects and interactions of dozens of different privileges in their head?

    The simple UNIX privilege system is good: when programmers write code that runs as root, they know exactly what that code can do: everything. And they try to take appropriate care.

    • by perry ( 7046 ) on Friday October 18, 2002 @01:53AM (#4476694)
      Your comment is rather vague. Let me be more specific.

      Lets say that you have an smtp daemon. With systrace, I can very easily elevate it to be able to open port 25 on the system, and restrict it so that it can't fork or exec any programs and can do no i/o other than writing to files in /var/mail.

      Sure, you can theorize about how evil and complicated this is, but the truth is in one fell swoop I've made it fiendishly difficult to exploit the smtp daemon -- and in most cases I don't even need to have the daemon be the least bit aware of how systrace works. Once I've done this, I can't make the smtp daemon fork a /bin/sh for me, I can't make it write to random files on the system, indeed, I can barely write a remote exploit for it at all. Add in a little chroot and other magic and suddenly you have a very hardened program.

      Most of your comment seems to consist of platitudes about simplicity, not any actual experience with using systrace in a practical system. It very much adds security to the way systems run, and it is completely in the spirit of most modern security aware code, like the Postfix mailer or privilege seperated ssh.
    • Assumptions (Score:3, Interesting)

      by nuggz ( 69912 )
      Existing programs will assume that if a process demonstrates one privilege that traditionally only a root process posesses, then it must also have all the others

      Assumptions cause trouble, lets assume that this buffer is "more than big enough for anything someone will put in there", that worked out REALY well didn't it?

      A proper program should check for each individual requirement, and act appropriately. Bad code has lots of assumptions, an assumption is a bug that hasn't been found yet.

      Most of my code isn't proper, I'm lazy.
  • URLs would help (Score:5, Informative)

    by Anonymous Coward on Friday October 18, 2002 @02:22AM (#4476784)
    The URL describing this stuff is

    http://www.citi.umich.edu/u/provos/systrace/
  • by OoSync ( 444928 ) <.wellsed. .at. .gmail.com.> on Friday October 18, 2002 @02:46AM (#4476837)
    I've used ssh to rid myself of things like "su -l" and "sudo" before. I think the basic idea can be used to get rid of necessary suid/sgid programs with elevated permissions. The basic theory is each application is actually called by a wrapper using ssh. Public keys from the application's user or group (root, apache, wheel, etc.) are provided to a user with genuine need to access these apps and placed in the ~/.ssh/authorized_keys(2) file. Then the user's public key is provided to the application user's ~/.ssh/authorized_keys(2) file. When the user calls the application, they are allowed access using RSA key authentication. No need for blind SUID/SGUID apps as only those users who need to use it have the permission. Furthermore, these permissions can be easily revoked by a.)changing the app's private/public keypair without providing them to the user, or b) commenting/deleting the user from the authorized file. Additionally, with ssh-agent, keychain, and authorization forwarding, these priveledges can be locked down tight. I'm not sure if openssh authorization forwarding will allow the authorization to be okayed from a remote machine. Just a random thought that seems appropriate here. Let me know what you think.
    --Wes
    • All good and well (and I use it at work to perform tasks as the Oracle user, especially those that have X clients), but it doesn't solve the problem that you still have to give root access to certain programs to perform certain functions. There are set[ug]id-specific attacks this can mitigate, but quite frankly, you're not gaining much if your target program is insecurely written.

  • It seems like a good idea, but since I am no Unix expert, could you please someone explain why, for example, accessing port 80 (web access) needs root access ?
    • by Observer ( 91365 ) on Friday October 18, 2002 @05:14AM (#4477164)
      ... why, for example, accessing port 80 (web access) needs root access ?
      Basically, because ports used for 'well-known' services, like port 80, shouldn't be readily available to arbitary programs, because that would allow a mischievously constructed program to bind to such a port and start serving inapproriate results (or, indeed, just do nothing). The standard IP stack implementations reserve port numbers under 1000 for these well-known services, and typically require that a process attempting to bind to them has some sort of (OS-dependent) privilege. Unfortunately, under classic Unix, 'privileged' equates to root access - it's an all or nothing thing.

      Separating the various functions whose use should require privileges into catagories that can be granted individually (or in groups) to different userids is definitely a Good Thing: it probably won't eliminate the need for a super-user and a few godlike system maintainance users, but it allows the system administrators to keep the really dangerous 'own all data' and 'devour all resources' functions to be kept under tighter control than the all-or-nothing approach. (Arguably, you shouldn't even consider handling sensitive information on a platform that cannot administer privileges in a reasonably fine-grained way, but that's another argument.)

  • Operating systems should not have any super user (root) account at all.

    Why?
    Those super priviledges are an anachronism which doesn't fit the world. Most of us live in a democratic society. Democracy has historical won over the hierarchical societies - for a reason. Now if we want to model the real world, we are orced to map it to a kingdom like world. If there was no super user to hack a lot of vulnerabilities where gone.

    But we need administration! Yes, we need even more fine grained access control, but no entral authority. We need to grant and revoke rights and subrights among each other.

    How? The Paper Askemos - a virtual settlement [askemos.org] describes (among other aspects of Askemos) a set theory based priviledge system which handles that. (You might also look at the slides from the most recent talk at the netobjectdays.org conference here [askemos.org]
    (there only temporary).

    • Well, you might be right.. This only works on big systems where you *can* distribute different privileges over different persons This won't work for the single IT guy that has to manage the network of a small bussiness.
      Also consider this: who decides whom should get granted what rights? Well, that person is automatically superuser, because he simply can give himself all the rights without telling anybody. The problem with a System Administrator is simply that it should be a "person of trust", if you don't trust him, you should get rid of him. It's that simple.

      I can only say: I like being a tyrant on my systems. But I'm a fair and good tyrant for I respect my users and don't go and meddle with their data.

      You can have my root account if you pry if from my cold dead hands.

    • An effective management system needs a heirarchy to direct and control it, "too many chefs spoil the soup".

      In Canada we choose representatives, who then as a group run the country without any real requirement for further consultation. For most people the democratic process ends after election day.

      Yes the ongoing stuff afterwards and the threat of not being elected, and protests are part of it too. But basically we choose our leaders, then they do what they want with little or no input from us.
  • by Anonymous Coward on Friday October 18, 2002 @06:38AM (#4477339)
    Security in UNIX can be messy. It is hard to add security late in the prosses without making it hard to use and understand.
    EROS (GPL) was designed for fine tuned privileges from day one. This is a natural part of the capability system.

    "EROS is a pure capability system. Authority in the system is conveyed exclusivly by secure capabilities, down to the granularity of individual pages."

    This is a secure design and a OpenSource OS.
    http://www.eros-os.org/
  • by Anonymous Coward
    I just wonder, why so complicated ? Mandatory Access Controls, Priviledge Elevation ... some administrative nightmare. Probably more security holes by misconfiguration that bad code. Think sendmail.
    Why do certain applications need to have root priviledges at all ?

    Wouldn't it be more wise, to allow certain users to actually perform certain tasks. Fighting the cause but the symptom.
    Like, defining e.g. via sysctl that user "named" is allowed to bind to port 52 on IP 1.2.3.4.
    (You could still use capabilities to disallow sysctl.conf when in multiusermode)

    That would be, only user "named" could bind, not even root to that ip/port.
    So instead of "lifting" a binary to temporary root priviliedges with some black magic to allow some syscalls, why not telling the kernel that this user may do this and this ...

    The difference is, you need no whatsoever "root faking". Don't let an application ever become root or needing rootpriviledges (when configured), no matter for how little time it may be.
    Instead, be able to grant privileges to users at lowest level, insteat of cheating on the higher ones.
  • by paulcammish ( 542971 ) on Friday October 18, 2002 @07:44AM (#4477546)
    ... so... it can now stay up after 9pm and watch movies, or something? (its funny, laugh)
  • i've experimented doing similar things (getting rid of setuid components) on a linux system. the result is my kchuid [nimh.org] system.

    But, not to be completely OT: It does seem that only the OpenBSD people are interested (people emailing me regarding it all seem to be primarily OpenBSD users)...

  • So...does this bring us one step closer to capabilities [skyhunter.com]?

    The Java VM security architecture has long been based on policy-based security. SUID and SGID are, IMO, dirty hacks and not proper security.

    The question is, where will this "policy" live. It could simply live in some configuration file mapping executables to privs. OR it could live in a capabilities database as attributes of the user (really you want to bind these to users, not executables).

    Being able to explicitly proscribe and enumerate the capabilities of a certain user would be a great step forward for security. And the people who really care are not the ones that are going to mind whatever potential performance hit there will be (AFAIK, just making a system call itself will probably be an order of magnitude larger than any security check involved).
  • by Quixote ( 154172 ) on Friday October 18, 2002 @08:05AM (#4477670) Homepage Journal
    Let me try my hand at a simpler explanation. This is grossly simplified, but hopefully will make things a bit clearer.

    Think of this as "sudo" for the processes. Before "sudo", if you wanted a user to do super-user stuff on a *nix box, you had to give her the root passwd. Even if all she had to do in as part of her job was to run one command, she basically got full privs with a 'su'. She was expected to be responsible and not enter any other commands. With sudo, you have fine-grained control over who runs what as the super-user, and don't need to give out the root pw anymore.

    This (privilege elevation) is similar in that sense. With a setuid program, you are _hoping_ that the author was careful to drop privs once the need was over. However, if the author made a mistake in coding and forgot, you don't know what all it would do. This allows the system more control by just allowing certain specific syscalls, not the whole gamut.

  • by Peaker ( 72084 ) <gnupeaker.yahoo@com> on Friday October 18, 2002 @08:22AM (#4477762) Homepage
    Will never make it as close to the principle of least privelege as capability systems such as EROS [eros-os.org], or KeyKOS. (And no, by "capabilities" I mean EROS-like capabilities, not the POSIX re-definition of the word "capability").

    True security will never be achieved in the *nix way (Complicated ACL's attached to every 'command' or 'system call'), due to problems such as The confused deputy [upenn.edu].

    True security can only be achieved when there is complete identity between what requests a process can express, and what the process is authorized - only possible without a global namespace such as the set of system calls or the file system. Only capability systems are of this nature.

    OpenBSD may be secure in the sense that it has few bugs, where almost every bug in the every-growing code base regarding *nix security is a security hole, but its not secure in the sense that truly secure systems such as EROS are secure - by having (to sum it up):

    A small, finite, debugged code base that deals with security - and no extra security code.

    Simple security paradigm with a single simple-logic security test per request.

    Identity between what a process can request, and what the process is authorized to do.

    Fine-grained access control, with each process having capabilities to the exact objects it needs to access.

    Mathematically-found model, that has mathematically [eros-os.org] provable [eros-os.org] properties.

    The principle of least privelege (Your mp3 player cannot delete your files, your email client cannot listen on any port, etc).

    Flexible security: The complicated authorization graph is between processes, and not between users and objects. The concept of "user" is not part of the operating system. This is also achievable because capability systems often have orthogonal persistence, that is transparent persistence (sort of like Hibernation Mode, in its functionality), which tends to be of much better disk performance.

    No global namespace: There is no global namespace file system that all applications have access to. Perhaps a database of objects for the user's convinence that points via capabilities to the user's objects which are then passed on selectively. But there is no global file namespace that processes can access. All requests by processes must be carried out by activating a capability, whose mere existence authorizes the request. This instead of activating a system call from a global namespace of system calls, allowing any process to request almost anything, hoping that the security code regarding that request will properly deny that request. The global namespace allows extra communication and exploitation between processes that needn't be possible.

    • by scrytch ( 9198 ) <chuck@myrealbox.com> on Friday October 18, 2002 @11:09AM (#4479134)
      But really, it needs to get out of the ivory tower and start giving us examples that work. The Confused Deputy is about compilation, sounds like it was an issue from a VAX box from the 80's, and not only is so utterly irrelevant to Joe User, it's not even all that terribly accessable a metaphor to people using gcc!

      The erights folks are using more accessable examples (a web browser), but in their examples paint a picture of the land of popup hell, where every app has to ask to do every single operation. Write to one file, one popup. Write to another file, another popup. Open your address book, another popup. Experience shows that users click "yes" or "ok" on popup dialogs or whatever button they can just to make the damn things go away and make them stop coming back. My own mother would ask me, "how do I keep this from asking me these questions all the time?".

      I know it doesn't have to work this way -- an installer can give an app a pre-set list of capabilities that one should be able to verify, log, change, audit, revoke, etc. Roles can be created out of capability groups to put some of the ease of ACL's back into the equation. But their their own example stories don't even make that clear. It's ivory tower, all about security theory without an ounce of human factors other than "the user will learn" and some laughable user education story about POLA.

      The average server is reasonably secure right now, since it performs dedicated tasks and is administered by what one presumes are trusted people. It's the desktop that's providing fertile ground for attacks. Thousands of infected desktops hitting one server, and well, wouldn't it be nice if those desktops were secure? They won't be if security doesn't take the human factor into account.

Our business in life is not to succeed but to continue to fail in high spirits. -- Robert Louis Stevenson

Working...