From Fedora Project Wiki

Here is the patch of what I changed in the spec file for policycoreutils.

diff --git a/policycoreutils.spec b/policycoreutils.spec
index 5e55584..780c8ee 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -192,7 +192,7 @@ or level of a logged in user.
%files newrole
%defattr(-,root,root)
-%attr(4755,root,root) %{_bindir}/newrole
+%attr(0755,root,root) %caps(cap_audit_write,cap_setuid) %{_bindir}/newrole
  %{_mandir}/man1/newrole.1.gz
   
%package gui
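Review bot: `+%attr(0755,root,root) %caps(cap_audit_write,cap_setuid) %{_bindir}/newrole` still grants cap_setuid, while the page text says newrole was cut down to cap_audit_write alone and that the setuid()/capability-dropping code was removed; either drop cap_setuid from the %caps() list so the spec matches that description, or record which code path in this build still needs it. Replacing 4755 with 0755 is the necessary companion change, since a setuid bit left on the file would make the narrower %caps set irrelevant. After installing the package, `getcap` on the installed binary should show exactly the intended set, because the capabilities are applied at install time and are lost if the file is later replaced without them.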
@@ -238,7 +238,7 @@ rm -rf %{buildroot}
/sbin/fixfiles
/sbin/setfiles
/sbin/load_policy
-%{_sbindir}/seunshare
+%attr(0755,root,root) %caps(cap_setuid,cap_dac_override,cap_sys_admin,cap_sys_nice) %{_sbindir}/seunshare
  %{_sbindir}/genhomedircon
%{_sbindir}/load_policy
%{_sbindir}/restorecond
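Review bot: the `%caps(cap_setuid,cap_dac_override,cap_sys_admin,cap_sys_nice)` set on seunshare includes cap_sys_admin, which is broad enough (mounts, namespaces and much else) that the binary stays close to full root even without the setuid bit; with cap_setuid and cap_dac_override alongside it, the reduction over setuid root is small, so the reason each of the four capabilities is required should be recorded in the spec (the page suggests deriving the list from the SELinux policy rules, which would make a good comment here). The old line carried no %attr, so adding an explicit 0755 is fine and makes it visible that no setuid bit is set.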



Revision as of 13:05, 28 October 2010

Remove SETUid

Summary

File capabilities have been present in the operating system for a few releases now; it is time that we remove setuid applications and just assign the capabilities required by an application. This should make the applications and the operating system more secure.

Owner

  • Email: <dwalsh@redhat.com>

Current status

Detailed Description

We need to change the spec files of most applications that include a setuid application to remove the setuid flag and change to file capabilities.

Package maintainers, after making this change, have to verify that their applications still work without setuid. In some cases this might not be possible.

Cases where you are an admin becoming root (su, sudo, ksu, userhelper) will not be able to change. But I think all package maintainers should take a look at their setuid apps and see if they can do a better, more secure job using file capabilities.

Steve Grubb is a great source of information on handling capabilities.

If your setuid app is covered by SELinux policy, we know from the rules which capabilities the application uses, so you can work with the SELinux team to get the list.

One example: newrole needs to send audit messages (cap_audit_write), but when we coded it up originally it was setuid root, which means it started as UID 0 and needed to execute the setuid(USERID) system call to change the UID back to that of the calling process; this caused newrole to require the cap_setuid capability. Then newrole dropped capabilities, requiring the cap_setpcap capability. By changing to file capabilities, I was able to give newrole just cap_audit_write and drop the code that changed the UID and dropped capabilities, eliminating the need for these capabilities. Now I can write tighter SELinux policy on newrole and only allow cap_audit_write.
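As an added example (not code from the feature page, policycoreutils or newrole), the following Python script shows the privilege state the kernel hands a program at exec time, which is what the newrole change is about: a setuid-root binary starts with euid 0 and must call setuid() and drop capabilities itself, whereas a binary carrying only cap_audit_write starts as the calling user with that single effective capability. It decodes the CapEff mask from /proc/<pid>/status using the standard Linux capability bit numbers (hard-coded here; cap_setuid is bit 7, cap_setpcap bit 8, cap_audit_write bit 29) and can also produce the mask a given %caps() set should show up as.

```python
"""Show the privilege state the kernel hands a program at exec time:
real/effective uid plus the effective capability set decoded from
/proc/<pid>/status (Linux only).

Added example for the setuid-to-file-capabilities discussion; not code
from the Fedora feature page, policycoreutils or newrole.  The capability
names below are the standard Linux ones, hard-coded by bit number.
"""
import os

# Linux capability names indexed by bit number, matching <linux/capability.h>:
# CAP_CHOWN is bit 0, CAP_SETUID bit 7, CAP_SETPCAP bit 8, CAP_AUDIT_WRITE bit 29.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]


def decode_cap_mask(hex_mask):
    """Turn a CapEff/CapPrm style hex mask (e.g. '0000000020000000') into the
    capability names whose bit is set, lowest bit first."""
    mask = int(hex_mask, 16)
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "cap_%d" % bit)
        bit += 1
    return names


def cap_mask_for(*names):
    """Inverse of decode_cap_mask: the hex mask a %caps()/setcap grant of
    these names should show up as in CapEff once the binary is exec'd."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_NAMES.index(name)
    return "%016x" % mask


def read_proc_caps(status_text):
    """Pick the Cap* lines out of the text of /proc/<pid>/status."""
    caps = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            key, _, value = line.partition(":")
            caps[key] = value.strip()
    return caps


def effective_caps(pid="self"):
    """Capability names in the effective set of the given process."""
    with open("/proc/%s/status" % pid) as f:
        return decode_cap_mask(read_proc_caps(f.read())["CapEff"])


def is_setuid_root_process():
    """True when this process was started setuid-root: euid 0 while the real
    uid (the caller) is not.  A file-capability binary never looks like this;
    it keeps euid == uid and receives only the listed capabilities, so the
    setuid(USERID) and capability-dropping steps newrole used to need go away."""
    return os.geteuid() == 0 and os.getuid() != 0


def privilege_report():
    """Summary of what this program sees at startup."""
    return {
        "uid": os.getuid(),
        "euid": os.geteuid(),
        "setuid_root": is_setuid_root_process(),
        "effective_caps": effective_caps(),
    }


if __name__ == "__main__":
    # Run unprivileged this prints an empty capability list.  Pointed at the
    # pid of a binary installed with just cap_audit_write, effective_caps(pid)
    # returns exactly ['cap_audit_write'], the state the newrole change aims for.
    print(privilege_report())
    print("newrole target mask:", cap_mask_for("cap_audit_write"))
```

A file-capability set declared in the spec can be checked against a running process this way: `effective_caps(pid)` on the installed binary's process should match `cap_mask_for(...)` for the names in %caps(), and `is_setuid_root_process()` should be False once the setuid bit is gone.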

Here is the patch of what I changed in the spec file for policycoreutils.

http://people.fedoraproject.org/~dwalsh/policycoreutils_setuid.patch

Benefit to Fedora

This will benefit Fedora by making it more secure.

Scope

Open up a tracker bug, then open a Bugzilla on every package that includes setuid applications. We would like the Fedora packaging committee to codify this in the rules, and perhaps have rpmlint be smart enough to identify setuid apps and recommend file capabilities.

How To Test

Do a complete install of all Fedora packages and then search for any applications that have the setuid flag. If any do, the feature is not complete. For any application that was setuid and now uses file capabilities, we need to test that the application still works as it used to. Test rpmlint on a spec file containing a setuid app, and make sure it prints a proper warning.
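The setuid search this test plan calls for, as an added Python example (not from the feature page, rpmlint or any Fedora tooling): it walks a tree for regular files with the setuid bit, which is the pass/fail criterion, and lists files already carrying file capabilities through libcap's getcap where it is installed. make_sample_tree builds a constructed temporary directory so the scan can be tried without a full install; run it over /usr (or /) as root on a real system.

```python
"""Audit an installed tree for leftover setuid binaries and list the files
that already carry file capabilities.  This is the check the "How To Test"
section describes: if setuid files remain, the feature is not complete.

Added example; not code from the Fedora feature page or from rpmlint.
Assumes Linux; the capability listing uses libcap's getcap if installed.
"""
import os
import stat
import subprocess
import tempfile


def find_setuid_files(root):
    """Sorted paths of regular files under root with the setuid bit set.
    Symlinks are not followed, so each binary is reported once."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the audit
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def feature_complete(root):
    """The feature's pass criterion: no setuid files left under root."""
    return len(find_setuid_files(root)) == 0


def clear_setuid_bit(path):
    """Strip the setuid bit from a file (what switching %attr(4755) to
    %attr(0755) does in the spec); returns the new permission bits."""
    mode = stat.S_IMODE(os.lstat(path).st_mode) & ~stat.S_ISUID
    os.chmod(path, mode)
    return mode


def parse_getcap_output(text):
    """Parse 'getcap -r' output into {path: caps}.  Older libcap prints
    'path = caps', newer versions print 'path caps'; both are handled.
    (Paths containing spaces are not expected in system binary directories.)"""
    caps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if " = " in line:
            path, _, capstr = line.partition(" = ")
        else:
            path, _, capstr = line.rpartition(" ")
        caps[path] = capstr
    return caps


def file_capabilities(root):
    """{path: caps} for files under root carrying file capabilities, or {} if
    getcap is not installed."""
    try:
        out = subprocess.run(["getcap", "-r", root], capture_output=True, text=True)
    except FileNotFoundError:
        return {}
    return parse_getcap_output(out.stdout)


def make_sample_tree():
    """Constructed fixture so the scan can be tried without a full install:
    a temp dir with one plain script and one given the setuid bit (setting
    the bit on your own file needs no privilege).  Returns (root, setuid_path)."""
    root = tempfile.mkdtemp(prefix="setuid-audit-")
    plain = os.path.join(root, "plain-tool")
    suid = os.path.join(root, "setuid-tool")
    for p in (plain, suid):
        with open(p, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
    os.chmod(plain, 0o755)
    os.chmod(suid, 0o4755)
    return root, suid


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr"
    for p in find_setuid_files(root):
        print("setuid :", p)
    for p, c in sorted(file_capabilities(root).items()):
        print("filecap:", p, c)
    print("feature complete" if feature_complete(root) else "setuid binaries remain")
```

The two lists together are what a maintainer wants after converting a package: the binary should disappear from the setuid list and appear in the file-capability list with exactly the set named in %caps().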

User Experience

No change in User Experience should be expected.

Dependencies

We have a dependency on every package that contains a setuid app being changed by its package owner. Although if we get some/most packages, we feel that we have improved the security of the system.

Contingency Plan

None Necessary

Documentation

  • We should change documentation on packaging guidelines to talk about using file capabilities.

Release Notes

  • proposed draft: Fedora 14 removes setuid applications and instead specifically assigns the capabilities required by an application.

Comments and Discussion