| 1 |
Joerg Schilling schrieb am 26.04.2013 20:31: |
| 2 |
> Daniel Pielmeier <billie@g.o> wrote: |
| 3 |
> |
| 4 |
>> Actually it is the linkage against libcap what I am concerned of. |
| 5 |
> |
| 6 |
> This is what I call a security risk with the current concepts of some linux |
| 7 |
> systems. See Announcement file for more.... |
| 8 |
> |
| 9 |
>> Imagine the following scenario. Libcap is not present on the system. |
| 10 |
>> Then package X which requires libcap is installed and the package |
| 11 |
>> manager who knows this installs libcap as a dependency. Then package Y |
| 12 |
>> is installed which unconditionally links against libcap. The package |
| 13 |
>> manager is unaware of this and does not know about the dependency. Now |
| 14 |
>> package X is uninstalled and the package manager removes libcap because |
| 15 |
>> he thinks nothing on the system needs it anymore. Now package Y will |
| 16 |
>> stop working because libcap is not there anymore. If it is possible to |
| 17 |
>> conditionally link against libcap such issues could be avoided. Libcap |
| 18 |
>> will not be uninstalled if the dependency is known. Additionally it is |
| 19 |
>> possible to have libcap installed and not link cdrtools against it. |
| 20 |
> |
| 21 |
> On Solaris, you cannot remove files that are part of the basic kernel features. |
| 22 |
> |
| 23 |
> Privileges on Solaris are a basic kernel feature and part of the basic |
| 24 |
> security concept, so you cannot remove this.... on most Linux distros, it seems |
| 25 |
> that you can. |
| 26 |
> |
| 27 |
> I am concerned about a different scenario: |
| 28 |
> |
| 29 |
> Imagine, you compile cdrtools without libcap and later install the support for |
| 30 |
> the OS. Now you decide to use "setcap" to make cdrecord work. Cdrecord will |
| 31 |
> really work this way, but you opened a security hole as this cdrecord now is |
| 32 |
> not privileges aware and thus cannot even detect that it is running with more |
| 33 |
> than basic privileges. Such a cdrecord installation will happyly write any |
| 34 |
> local file for any local user to CD. |
| 35 |
> |
| 36 |
> Jörg |
| 37 |
> |
| 38 |
|
| 39 |
If you add an option to make conditional linkage against libcap possible |
| 40 |
there are only two possible scenarios. cdrtools links against libcap and |
| 41 |
the capabilities are set or it doesn't link against libcap and cdrtools |
| 42 |
are installed suid root without capabilities. |
| 43 |
|
| 44 |
Everything is done in the ebuild and the user does not need to mess with |
| 45 |
setcap. It is controlled by the package manager and the linkage and |
| 46 |
capability setting are tied together at installation time. |
| 47 |
|
| 48 |
Just adding an option similar to the one for the ACLs would make my live |
| 49 |
a lot easier. Just enable it by default and make it possible to switch |
| 50 |
it off. |
| 51 |
|
| 52 |
-- |
| 53 |
Regards |
| 54 |
Daniel Pielmeier |
Archives