Meanwhile in OpenBSD land.

K

kpa

https://marc.info/?l=openbsd-announce&m=146854517406640&w=2

In addition to the patched bugs, several panics were discovered by NCC that
can be triggered by root or users with the usermount option set. These bugs
are not getting patched because we believe they are only the tip of the
iceberg. The mount system call exposes too much code to userland to be
considered secure.

As remediation, it's recommended to disable usermount. For the forthcoming 6.0
release, the usermount option will be removed.
Click to expand...

I have to give them credit for sticking to their own principles and practices. Removing usermount option would be highly controversial even here on FreeBSD and unthinkable on Linux.
 
kpa said:
I have to give them credit for sticking to their own principles and practices. Removing usermount option would be highly controversial even here on FreeBSD and unthinkable on Linux.
Click to expand...

There's also a potentially paradoxical element to this. Removing usermount to improve security could end up with the practical impact of making the systems involved less secure in the real world. When you remove / block something like that which people have a use for, they won't just shrug it off and live without it, they will re-introduce the bad suid-root insecurities which were made obsolete by usermount. Sure, the system as-shipped will be more secure, but the system as-deployed may be less secure in many cases.
 
Seems, however, that this problem is not strictly related to usermount, but to tmpfs:
http://www.openwall.com/lists/oss-security/2016/07/14/5
https://cxsecurity.com/issue/WLB-2016070125
and since even root is involved, IMHO would seem more logical to fix problems with tmpfs, than getting rid of usermount (even if it has its security problems).
Murph said:
There's also a potentially paradoxical element to this. Removing usermount to improve security could end up with the practical impact of making the systems involved less secure in the real world. When you remove / block something like that which people have a use for, they won't just shrug it off and live without it, they will re-introduce the bad suid-root insecurities which were made obsolete by usermount. Sure, the system as-shipped will be more secure, but the system as-deployed may be less secure in many cases.
Click to expand...
Agree. However, as an alternative sudo(8) (or doas, perhaps) can be used
to give unprivileged users selective mounting capabilities based on <FS type> AND <device> AND <mountpoint>. It's not very flexible, but it's doable at least.
 
Maxnix said:
Seems, however, that this problem is not strictly related to usermount, but to tmpfs:
http://www.openwall.com/lists/oss-security/2016/07/14/5
https://cxsecurity.com/issue/WLB-2016070125
and since even root is involved, IMHO would seem more logical to fix problems with tmpfs, than getting rid of usermount (even if it has its security problems).

Agree. However, as an alternative sudo(8) (or doas, perhaps) can be used
to give unprivileged users selective mounting capabilities based on <FS type> AND <device> AND <mountpoint>. It's not very flexible, but it's doable at least.
Click to expand...

What you linked proves that the problem can be triggered by use of tmpfs but OpenBSD's own assessment says that the problem is larger and very likely is not limited to just that filesystem:

These bugs
are not getting patched because we believe they are only the tip of the
iceberg. The mount system call exposes too much code to userland to be
considered secure.
Click to expand...
 
Maxnix said:
Agree. However, as an alternative sudo(8) (or doas, perhaps) can be used
to give unprivileged users selective mounting capabilities based on <FS type> AND <device> AND <mountpoint>. It's not very flexible, but it's doable at least.
Click to expand...

Indeed, yes, it doesn't actually force you into an insecure alternative. The problem comes for people who are too lazy or have difficulty in implementing a reasonable alternative. Hopefully the OpenBSD people will recognise that and include some reasonable examples of alternatives in their release notes and sudo/doas documentation.
 
Murph said:
Indeed, yes, it doesn't actually force you into an insecure alternative. The problem comes for people who are too lazy or have difficulty in implementing a reasonable alternative.
Click to expand...

Too true, but the weakest element in any artificial system is the human element. At least by eliminating a problem that is inherent in the system, the illusion of security is diminished. It's one thing if everyone is confidently using a convenience believed to be secure, but which in fact contains a previously unknown security flaw. It's another thing entirely if someone is deliberately circumventing security for the sake of convenience. Human error is the cause of the insecurity in each case, but in the latter the danger is more easily recognizable and you know whom to hold responsible.
 
kpa said:
What you linked proves that the problem can be triggered by use of tmpfs but OpenBSD's own assessment says that the problem is larger and very likely is not limited to just that filesystem:
Click to expand...
Sorry, I misunderstood the first post :oops:. Thank you for clarifying it. :)
 
Maxnix said:
Sorry, I misunderstood the first post :oops:. Thank you for clarifying it. :)
Click to expand...

I see you use a variant of the OpenBSD mascot as your avatar. I hadn't been out to the OpenBSD.org site in quite a while. Is it sleep deprivation due to working on Libressl? Their mascot is starting to look like an old man!
 
ronaldlees said:
I see you use a variant of the OpenBSD mascot as your avatar.
Click to expand...
Yup. I like Puffy. :) My main OS is FreeBSD; however, I like OpenBSD and have great respect and admiration for the project, and its ideals and goals too. :)

ronaldlees said:
I hadn't been out to the OpenBSD.org site in quite a while. Is it sleep deprivation due to working on Libressl? Their mascot is starting to look like an old man!
Click to expand...
Well, I don' know if Puffy himself is contributing to Libressl. Pheraps his friend! :p The "sleep deprived" Puffy you are referring to is the great Dr. W^X (inspired by Dr. Who, obviously* ;)). :D
My avatar instead is taken from the cover of Absolute OpenBSD 2nd Edition**. :)

*Seriously, no one can say they lack of fantasy for their artworks! :D
**There, he seems so sweet and nice!... At least, until you notice the skulls next to him! :eek: :D
 
No, really, the mascot has quadruple sags under his eyelids. I'll bet he's using a cane (but it ain't showing). Cold all the time - can tell by the scarf. Not a good sign.
 
ronaldlees said:
No, really, the mascot has quadruple sags under his eyelids. I'll bet he's using a cane (but it ain't showing). Cold all the time - can tell by the scarf. Not a good sign.
Click to expand...
Naah, that is just a variant. :) Probably we'll see the good old Puffy in all his splendor with the next release! ;)
 
ronaldlees said:
No, really, the mascot has quadruple sags under his eyelids. I'll bet he's using a cane (but it ain't showing). Cold all the time - can tell by the scarf. Not a good sign.
Click to expand...

I believe those lines are probably Tom Baker's, rather than Puffy's. If you look at photos of him over the years, his face became progressively craggy from approx. 1980 onwards (his tenure ended in 1981).
 
Maxnix said:
Naah, that is just a variant. :) Probably we'll see the good old Puffy in all his splendor with the next release! ;)
Click to expand...
Exactly, let's not forget that Doctor W^X can regenerate like all good 64-bit time lords. I hear this happens every 6 months.
 
RichardET said:
I like simple ease of use;
Click to expand...

So does the stranger breaking into your system. In any case, there's not much practical difference between allowing a regular user to manually mount a disk without a password, and configuring devd(8) to automatically mount that disk when it's attached. The latter is what people tend to expect from a desktop system, and can be configured on a per-user basis.
 
You must log in or register to reply here.
Back
Top