suser security
Robert Watson
rwatson at FreeBSD.org
Thu Apr 12 04:38:39 GMT 2001
(I actually neglected to send this message to trustedbsd-discuss, so am
redirecting it there also.)
On Tue, 27 Mar 2001, Eivind Eklund wrote:
> > Last year I was working on changing the uid compares to 0 to suser() calls.
> > I lost direct internet access for a period of time so was unable to keep
> > current with the tree. Anyways, I have time and resources to work on it
> > again and saw that it was still on the list of things to do. I also found
> > my notes on what files needed patched, the other day when I was cleaning my
> > room up.
> >
> > So just let me know if it's still needed. Perhaps you can tell me what you
> > would like suser() to do? I remember you mentioned a logging facility I
> > believe. I could work on that part as well, since obviously the changing to
> > suser isn't much of a challenge.
>
> The point was that suser() takes a process argument, and logs which
> processes have used superuser capabilities (ie, have needed the call to
> suser()). This was relevant at the point the entry was added to the
> TODO list, but I'm not sure it is relevant now.
>
> Robert Watson <rwatson at FreeBSD.org> (Cc'ed) is working on adding ACLs
> and process capabilities to FreeBSD. This work touches the same areas,
> and I am not quite sure how it will interact. I think it might be
> better to coordinate this with him.
Jon,
Sorry for the delay in getting back to you -- things are, as always,
pretty busy around here and I've been slipping up on my e-mail. Eivind is
correct in pointing out that a number of pieces of work are on-going which
affect the suser/privilege-related code, including the implementation of
POSIX.1e Capabilities as part of the TrustedBSD Project. Currently Thomas
Moestl is working on that implementation, so I've CC'd this message to him
also. I've also CC'd the trustedbsd-discuss mailing list, since there's a
fair amount of architectural commentary here that others might be
interested in commenting on. Here are a few comments on the ideas
expressed in your and Eivind's messages:
1) There remain a number of places in the kernel where the credential
or process effective uid is directly compared with 0, rather than
making use of the suser() or suser_xxx() primitives. The reason for
this is interesting, and actually related to one of your other points.
Originally, suser() set the ASU process accounting flag when it was
invoked, in an attempt to account for use of superuser privilege.
However, the goal was that this flag only be set when privilege was
actually employed, not when it was tested, so rather than use suser()
in situations where it was tested but not necessarily employed,
manual tests were performed. Consider, for example, some of the
compound security checks performed in the UFS code: privilege can
be used to override some but not all of the checks (such as system
file flags under securelevel>0). Rather than call suser early in
the check and set ASU incorrectly, the caller would manually test.
Clearly, this is a problem, as it means that the security primitives
are not used, resulting in inconsistent implementations throughout
the kernel.
In the capability implementation, instances of suser() and suser_xxx()
are being replaced with the cap_check() call, which checks the
passed process or credential for specific POSIX.1e privileges; as
such, it is now necessary to replace the remaining direct uid checks
with calls to cap_check(), as suser() will no longer be used in most
situations. In my first implementation of the Capability code, I
broke out the setting of the ASU bit from the suser() call and
placed it in a seperate primitive, suser_used(p); this allowed calls
to be made to suser() without incorrectly setting the ASU bit. In
doing this, I discovered that the ASU bit was frequently misused
throughout the tree already, especially in the network code where often
a single invocation of suser() is made, and then the result cached for
later use deeper in the stack. On realizing this, I proposed an
alternative strategy: for the time being, we would disable the ASU
functionality, since it is infrequently (if at all) used, and was
incorrect in many situations anyway. In the second capability
implementation, currently being worked on by Thomas, it is assumed that
ASU no longe needs to be maintained, substantially simplifying the
code (if you look in 5.0-CURRENT, you'll note that various
authorization calls are careful to return a "privileged used" result
via an optional call-by-reference privused pointer so that the caller
can then use suser_used(), which in turn introduces complexity).
I suspect that Thomas has caught most of the remaining uid calls,
but once he publishes the next version of the capability patch, we'd
welcome your work on it to catch remaining instances, and to comment
on correctness.
2) The second point that is raised in your and Eivind's e-mails is that
of introducing additional logging behavior in suser(). As I've
mentioned above, there are a number of substantial technical and
philosophical reasons why this might be a bad idea, especially relating
to seperating the checking of privilege and the actual use of
privilege to perform an operation during a compound access control
check. However, the fact that this particular approach may not be
the best one doesn't mean that the service is not leaded: one of the
(thus far under-visited) goals of the TrustedBSD project is to
provide some form of fine-grained event auditing; this audit log would
be more useful if it did allow the auditing of the use of privilege
(without capabilities, simply the necessary invocation of superuser
privileges, but with privileges, also an indication of which privileges
were required, if any, for the operation to succeed).
Andrew Reiter has been preparing an auditing subsystem requirements
document, as well as descriptions of implementations on other platforms
so that we can go through a more informed design process. Having
partially implemented auditing on FreeBSD twice in the past, I can
comment both on the complexity of correct implemetation, and the need
to be sensitive to issues of simplicity, maintainability, and
performance. Taking a fairly deep look into other implementations will
be important to developing an audit implementation that can be accepted
by the FreeBSD community. This is certainly an area where both your
contributions in the form of ideas and implementation would be most
welcome.
In any case, I'd greatly welcome your participation in improving the
security and correctness of FreeBSD, and invite you to join the TrustedBSD
mailing lists since TrustedBSD seems to be the current source of many of
the types of changes you're considering implementing.
Robert N M Watson FreeBSD Core Team, TrustedBSD Project
robert at fledge.watson.org NAI Labs, Safeport Network Services
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-discuss" in the body of the message
More information about the trustedbsd-discuss
mailing list