The upcoming death of setuid/setgid on Linux

[rbranco]

Enabling no_new_privs/NoNewPrivs, disabling setuid on Linux

Setuid binaries are not dangerous in themselves, but can lead to a security nightmare if they have vulnerabilities. The no_new_privs flag from the kernel effectively disables setuid binaries. This article explains how a Linux system with no_new_privs enabled by default can work.

www.thkukuk.de

I wonder if we could achieve the same with mac_do(4). I haven't yet played with it.

Credentials Transitions with mdo(1) and mac_do(4) | FreeBSD Foundation

Credentials Transitions with mdo(1) and mac_do(4) Credentials Transitions with mdo(1) and mac_do(4) By Olivier Certner In this article, we explore how the mdo(1) program can be used to easily and quickly launch a new process with different credentials and how system administrators can enable...

freebsdfoundation.org

 

[Hiroo Ono]

Solaris introduced RBAC, role, profile and pfexec, but revived sudo in Solaris 11. Maybe it was too complicated for administrators to properly configure them. I find few people complain about SELinux these days compared to when it was introduced (there were days what we were taught to do when we install Linux was to disable SELinux).

I find mac_ntpd() and mac_priority() good and way to go. So mac_do is basically good I think, but it should not be so complicated so that people will swallow it. And even if it is simple enough, there will be people complaining "why we need to use it, can't it be sudo or doas?".

 

[unitrunker]

I don't think the base install has any suid binaries.

find / -perm 4000 -print

I was expecting a kernel sysctl but there is a mount option (nosuid) to disable both suid and guid for the mounted file system.

Edit: for zfs there is the setuid property (on/off).

 

[rbranco]

I don't think the base install has any suid binaries.

find / -perm 4000 -print

I was expecting a kernel sysctl but there is a mount option (nosuid) to disable both suid and guid for the mounted file system.

Edit: for zfs there is the setuid property (on/off).

Try with

find / -type f -perm /06000 -exec ls -l {} +

 

[unitrunker]

Yuck. I count 83 files on one system.

 

[kpedersen]

The upcoming death of setuid/setgid on Linux

Interesting. Are they going to change sudo to call into something like systemd and get that to execute the command under a priviliged context? Seems kinda messy.

Edit: Yes it seems. runorun0 from systemd.

 

[Crivens]

Edit: Yes it seems. runo from systemd.

Yes, and there is "small", "auditable" and such things in the same sentence.

 

[kpedersen]

Yes, and there is "small", "auditable" and such things in the same sentence.

Indeed. They can attempt to reassure themselves if they want.

And here I was thinking that Linux + Busybox could still be used as a 'sane' choice for pseudo-embedded usecases. But if all the BSP kernels are inevitably built with setuid stripped out one day (rather than flag set in pid1) then its effectively broken for correct userlands. Linux is completely unfit for any purpose.

 

[covacat]

there are about 20 binaries in the base system suid root and executable by everybody
they are 4 big categs + others

print lpq lprm
networking ping, traceroute
passwd related passwd, chpass, login, su
cron/at related crontab atq, atrm, batch....

find /bin/ /sbin/ /libexec/ /usr/bin/ /usr/sbin/ /usr/libexec/ /usr/local/bin /usr/local/sbin/ -type f -perm -4555 -user root
most of them can be easily restricted to a trusted group of local users

 

[fmc000]

Edit: Yes it seems. runo from systemd.

Nitpick: I believe it's run0 not runo.

 

[kpedersen]

Nitpick: I believe it's run0 not runo.

Good spot (in the first paragraph the article is using a font that doesn't render 0 correctly for me. The paragraph under looks fine?).

 

[mer]

Well to me, "why" is an important question. As covacat points out ping and passwd are setuid.
So Why?
To me passwd is obvious, a user needs the ability to update their own password, but that means they need the ability to modify system level files.
Ping? I'm guessing the why is because the way packets are processed on the interfaces.

Now could this be done another way? Maybe, not sure, but I would ask at what level of complexity.

I think the passwd command is a good example. If not setuid, how would you let a user change their own password? I think also quickly flows into chsh, setting limits.

 

[covacat]

ping and traceroute are setuid because of raw sockets
all of the above can use a service running as root or some kernel interface instead of setuid

 

[atax1a]

back in the day there was this quip going around saying that bsd users like unix, whereas linux users don't care about unix and just hate microsoft, because of ini files, the registry, and incomprehensible event viewers and service management. smash forward to 2020 (6) and now linux users are going around configuring their system with .ini files, dealing with totally-not-the-registry-gconf, and putting their logs into an incomprehensible event viewer with incomprehensible service management. anyway.

 

[bakul]

FreeBSD has capsicum(4) so in theory you can implement all this without setuid/setgid.

 

[hedwards]

back in the day there was this quip going around saying that bsd users like unix, whereas linux users don't care about unix and just hate microsoft, because of ini files, the registry, and incomprehensible event viewers and service management. smash forward to 2020 (6) and now linux users are going around configuring their system with .ini files, dealing with totally-not-the-registry-gconf, and putting their logs into an incomprehensible event viewer with incomprehensible service management. anyway.

I've just recently come back to FreeBSD after a period away and I had forgotten just how good core has been on the whole. I logged in and after a few years of modern Windows and Linux, I had forgotten what it's like to use an OS where there are adults in charge. Where things aren't being pushed on the users solely because one corporation or another wants to sell more certification courses and employ more consultants, or in the case of MS is probably selling data to the FBI with that whole recall thing.

Don't get me wrong, modern Linux on the whole has gotten pretty good, but I don't get why I need a half dozen different app installation utilities or to switch distros because Wayland isn't meeting my personal needs. And from what I can tell, the devs flat out won't ever be patching the issues related to multi-monitor systems even if other people provide the patches.

All this does kind of make me wonder if they're doing this particular change carefully or if it's another premature move like Wayland, Ext4, Unity and various other bits that were included before they were ripe and just wound up being fodder for people looking for excuses to flame the related projects and really making opensource OSes in general look worse and harder than they are

Anyways, there's a certain degree of irony that Linux devs seem to have lost their dislike of Embrace, Extend, Extinguish that was a major issue hindering uptake of anything other than Windows back in the '90s.