| 1 |
On Fri, Jun 26, 2020 at 10:18 PM james <garftd@×××××××.net> wrote: |
| 2 |
> |
| 3 |
> On 6/26/20 4:40 PM, Rich Freeman wrote: |
| 4 |
> > Removing the group doesn't actually make things more secure, because |
| 5 |
> > processes can use a gid even if it doesn't exist in /etc/groups. |
| 6 |
> > Effectively any POSIX system has every uid/gid available even if there |
| 7 |
> > is no /etc/passwd at all. |
| 8 |
> |
| 9 |
> And that is coded into the parts of the kernel, we cannot eliminate? |
| 10 |
> Typical sploits? |
| 11 |
> |
| 12 |
> Curiously, a bit deeper explanation? |
| 13 |
|
| 14 |
So, ultimately a uid/gid is just a number, and a field in a couple of |
| 15 |
tables. Inodes have them, and processes have them. There might be |
| 16 |
other things that have them that I'm not thinking of, but those are |
| 17 |
probably the main two. |
| 18 |
|
| 19 |
If a process wants to send signals to another process the uids have to |
| 20 |
match, or it must have a capability to break this rule. If a process |
| 21 |
wants to read a file, the uid/gid/permissions/ACLs/etc must correspond |
| 22 |
appropriately. I'm sure there are a bunch of other system calls where |
| 23 |
uids/gids matter as well. |
| 24 |
|
| 25 |
The field that stores the IDs has a certain size, and thus any number |
| 26 |
within the expressible range is valid. You can't "get rid" of a UID |
| 27 |
any more than you can ban the number 13. However, since the logic is |
| 28 |
based on matching it really doesn't matter much - if you launch a |
| 29 |
process with a UID you intended to be "unused" it basically is |
| 30 |
completely isolated as far as the filesystem and other processes go |
| 31 |
since its UID doesn't match anything else (it could still touch world |
| 32 |
read/writeable files, but that is true if it ran under a UID you |
| 33 |
preferred that it use). |
| 34 |
|
| 35 |
The files /etc/passwd and /etc/group are used by various system |
| 36 |
programs to map these IDs to human-readable names, but they really |
| 37 |
aren't part of how the kernel works. Just about any command that can |
| 38 |
take a username can take a user ID, and if you want to really drive |
| 39 |
people crazy go ahead and try using numeric usernames (I believe the |
| 40 |
IDs take precedence in command lines). |
| 41 |
|
| 42 |
So, if you deleted /etc/{passwd,group,shadow} you could still have a |
| 43 |
"perfectly working" linux userspace, but commands like login wouldn't |
| 44 |
work as those use usernames and of course there would be no mapping to |
| 45 |
passwords. However init would still run as uid 0, and it could launch |
| 46 |
processes with other uids, and those processes would have regular |
| 47 |
filesystem behavior. It wouldn't be POSIX and various things might |
| 48 |
break, but you could have a name-less userspace just fine on linux. |
| 49 |
The kernel itself never looks at /etc/shadow and so on - it just sees |
| 50 |
numeric IDs. Android is an example of an OS that makes some |
| 51 |
substantial changes in userspace to how things like UIDs are |
| 52 |
traditionally used (that, and the OOM killer). |
| 53 |
|
| 54 |
Most things associated with users/groups in linux are conventions |
| 55 |
implemented in userspace. |
| 56 |
|
| 57 |
But, as I said, using more uids/gids in general means having more |
| 58 |
separation. In general it only increases security, with the caveat |
| 59 |
that it does potentially make auditing more complex. |
| 60 |
|
| 61 |
-- |
| 62 |
Rich |
Archives