OpenBSD Gains Privilege Elevation

ocipio writes "OpenBSD's systrace now has privilege elevation support. This means binaries no longer need to be suid or sgid an longer. Applications can be executed completely unprivileged. Systrace raises the privileges for a single system call depending on the configured policy."

that's 3 things

...and isn't being able to run binaries unpriviledged a security hole, or am I just not getting it?

Yes

Article is over most /.er's heads

This article is clearly over most slashdot readers' heads. 50% of the comments are asking what this means, and the other 45% are asking if this is a security flaw. Figures. With KDE and RedHat, you no longer have to be smart to run UNIX. tisk tisk, what a shame.

Re:Article is over most /.er's heads

[dmanny]

I believe the comment to which you replied is fairly well on target but it is not very polite. The development is a significant benefit but I agree with you that everyone who uses a machine for the desktop does not need to be understand this subject. There are almost always many, many things that individual users do not understand about the complex systems they use. That doesn't mean that significant discusion between those that are interested in a particular area is without value.

What the original commenter was correct in bemoaning is that the quality of the discussion here on /. is degraded by the number of coments that give evidence to the fact that their authors are not familiar with the general subject matter and have not taken the time to do basic orientation before emitting. These comments add a much value to the forum as the endless Beowulf cluster chatter and the first post idiocy.

Go OpenBSD!

[snorggle]

Of course, I am biased as I run this fun little operating system on a produciton machine. 20 days away from one year uptime *ahem*. Ok, maybe that's not that great but it works well for me.

I am glad to see that the team has forged ahead and taken a step that UNIX style operating systems have needed for quite some time. This is a wonderful step in the evoluction of security that ALL of *BSD/Linux/etc. should implement without delay. At least from an administrator's perspective, I think this should be the norm.

For those that are unfamiliar with OpenBSD, it is a derivative of BSD that focuses its efforts onto creating a secure system without bells and whistles.

As always this is my opinion..

Re:Go OpenBSD!

[lbruno]

I run this fun little operating system on a produciton machine. 20 days away from one year uptime

PLEASE UPDATE YOUR SYSTEM, DAMMIT!

You answer your own question...

[Carnage4Life]

how is this better than setuid, setgid? At least with setuid and setgid, control over system privileges is given on a per-application basis.

Which do you think is more secure? Given a choice between having an application run as root [with all the attendant problems that this entails especially if a security problem is found in the app] versus giving the application minimal privileges [specifically all it needs to get the job done and nothing more], how could anyone think the setuid and setgid approach is better.

The difference between both approaches is the difference between a sledge hammer and a surgeon's scalpel. In fact the only downside to the minimal privileges approach, is performance and efficiency. In this day and age where one can buy half a gig of memory for around $100 and 3.0 GHz processors are on the horizon it really is time for us to adopt techniques for building secure software that have been known for decades but unimplemented due to performance/efficiency concerns.

Re:You answer your own question...

[RAMMS+EIN]

``With the posix compliant call to setuid, an application can be setuid root only for as long as it needs to access privileged resources and can drop those privileges once it no longer needs to be root.''
This means that the application is allowed to execute any code as root, as long as it does setuid(0) first. Easy enough to sneak some malicious code in...

``If the kernel will grant this request by checking a list of applications that is allowed to do this, then how is this different from a kernel checking if an application is owned by root?''
It's _very_ different. What this new system does is selectively allowing _some_ system calls that have traditionally required root priviliges to be executed by less priviliged users. For example, a webserver is allowed to bind to port 80, and X is allowed access to graphics hardware (note that svgalib has an IMHO elegant solution for this using kernel modules). Neither the webserver nor X need root access to the filesystem, so they aren't granted this under the new scheme. With setuid, there is no choice - granting access to ports 1023 requires root privileges, which can also be used to read and modify any file on the system.

setuid is flawed and needed revision. If OpenBSD gets it right remains to be seen, but it's good they're trying. And since the OpenBSD dev team and its users consists in large part of hard-core security freaks, I have faitht that this is going to be a win. Congratulations on yet another great innovation from the OpenBSD folks!

---
After months of research, they found the solution. Typewriters. They are intuitive to use, free of security issues, not hampered by unstable software, and you never have to wait for the printing queue again.

Re:Why is this a good thing?

[coene]

Normal unix daemons (apache, bind, whatever) are started as root, and DOWNGRADE their permissions when they can.

This systems lets them start unpriviledged (not running as root) and the kernel will upgrade the permissions on a strict need-to-have basis.

Why give a mile when you only need an inch? That leaves a whole lot of room for error... This eliminates that problem.

Once again, OpenBSD takes the next step towards a more secure UNIX. Only they have the bravery to touch code thats 2 decades old, modernize it with well thought-out changes, and stand behind it. Not to mention that this is code that if screwed up, could reak havok. If anyone is qualified todo these things, the OpenBSD team is.

WOohoo!

Re:Serious!

[AresTheImpaler]

(Score:0, Funny)

hehe, I love slashdot.....

false sense of security

[g4dget]

UNIX has evolved for nearly 30 years around the idea that processes either have root privileges or they have user privileges. It's a sound and simple system. If, against that background, you add support for giving processes individual privileges, you risk doing more harm than good. Existing programs will assume that if a process demonstrates one privilege that traditionally only a root process posesses, then it must also have all the others. So, if you give a process specific privileges, you risk that it can acquire more because other processes will give it more trust than it deserves.

In fact, even for OSes that start out with lots of different privileges, it's far from clear that it helps--programmers seem to have trouble understanding all the implications of all the different bits. For example, VMS, with its much-vaunted mess of security bits, ended up succumbing to a domino effect: you get one bit, then using that, the next one, then one more, until you can do whatever you want. The trouble is that when you tell a programmer that his code runs with "restore from backup privilege" (an example from a privilege happy OS of yore), they assume that's all they get and don't even consider all the other weird implications that that privilege may have. And who can blame them? Who can keep all the weird effects and interactions of dozens of different privileges in their head?

The simple UNIX privilege system is good: when programmers write code that runs as root, they know exactly what that code can do: everything. And they try to take appropriate care.

Re:false sense of security

[perry]

Your comment is rather vague. Let me be more specific.

Lets say that you have an smtp daemon. With systrace, I can very easily elevate it to be able to open port 25 on the system, and restrict it so that it can't fork or exec any programs and can do no i/o other than writing to files in /var/mail.

Sure, you can theorize about how evil and complicated this is, but the truth is in one fell swoop I've made it fiendishly difficult to exploit the smtp daemon -- and in most cases I don't even need to have the daemon be the least bit aware of how systrace works. Once I've done this, I can't make the smtp daemon fork a /bin/sh for me, I can't make it write to random files on the system, indeed, I can barely write a remote exploit for it at all. Add in a little chroot and other magic and suddenly you have a very hardened program.

Most of your comment seems to consist of platitudes about simplicity, not any actual experience with using systrace in a practical system. It very much adds security to the way systems run, and it is completely in the spirit of most modern security aware code, like the Postfix mailer or privilege seperated ssh.

Re:Question -- what if Apache code changes?

Adding layers of easy to by-pass security is never a solution. Even if the crc and the program that checks crc is on read-only media, the system can still be fooled. The only solution is to put all of the binaries on read-only, but then there is no need to have the crc check.

Re:Only system calls?

[BlueUnderwear]

<sarcasm>
Or, we could make processors with more levels of priviliges. Ah, hell, put the string functions in the chip. Screw that, let's put the kernel in a chip.
</sarcasm>

Don't laught: the common Intel processor does indeed have four levels of privilege (even though most OS actually only use two of them...). And yes, it does have special opcodes for strings (REP MOVB) too. Only thing that is still missing seems to be the kernel integrated on a chip... Ah, the beauty of CISC.

Re:Why is this a good thing?

[Random+Walk]

The kernel can easily know whether you are the apache program or not, however, because it knows the inode backing your executable -- there is no way to forge that.

like that (overwriting will not change the inode) ?:
cp apache apache.tmp
cat rogue_executable > apache

Re:Why is this a good thing?

And what privileges do you need to overwrite the apache daemon on your boxes?
I know it's root on mine.

This system won't protect you from someone who has root, but it will help prevent it from happening.

Consider the sendmail daemon...
It needs to bind to port 25, and write to people's mailboxes. What if you can restrict it to just those functions?
It makes it much more unlikely that sendmail could be used for nefarious purposes.
And with a modern sendmail, you only need root for the daemon to bind to port 25. If that's all it can do I;d love to see someone get root from there.

This is indeed a HUGE step forward...

Re:Sounds like a (very) good thing

Java's one of the few programming languages that has security built in from the ground up.Wich makes me really wonder why the .NET runtime environment doesn`t do the same thing?
That`s something I would love microsoft
to "inovate", if outlook and internet explorer would only accept .NET attachments/client side code then these things would no longer be able to mess up the system.

Likely they would not even be able to send mail to addresbook members like they could if you solved the outlook problem the "traditional" unix way ("runas" oulook as a low priv user).

Democratic/Autocratic rule

[nuggz]

An effective management system needs a heirarchy to direct and control it, "too many chefs spoil the soup".

In Canada we choose representatives, who then as a group run the country without any real requirement for further consultation. For most people the democratic process ends after election day.

Yes the ongoing stuff afterwards and the threat of not being elected, and protests are part of it too. But basically we choose our leaders, then they do what they want with little or no input from us.

Further complicating the *nix security system

[Peaker]

Will never make it as close to the principle of least privelege as capability systems such as EROS, or KeyKOS. (And no, by "capabilities" I mean EROS-like capabilities, not the POSIX re-definition of the word "capability").

True security will never be achieved in the *nix way (Complicated ACL's attached to every 'command' or 'system call'), due to problems such as The confused deputy.

True security can only be achieved when there is complete identity between what requests a process can express, and what the process is authorized - only possible without a global namespace such as the set of system calls or the file system. Only capability systems are of this nature.

OpenBSD may be secure in the sense that it has few bugs, where almost every bug in the every-growing code base regarding *nix security is a security hole, but its not secure in the sense that truly secure systems such as EROS are secure - by having (to sum it up):

A small, finite, debugged code base that deals with security - and no extra security code.

Simple security paradigm with a single simple-logic security test per request.

Identity between what a process can request, and what the process is authorized to do.

Fine-grained access control, with each process having capabilities to the exact objects it needs to access.

Mathematically-found model, that has mathematically provable properties.

The principle of least privelege (Your mp3 player cannot delete your files, your email client cannot listen on any port, etc).

Flexible security: The complicated authorization graph is between processes, and not between users and objects. The concept of "user" is not part of the operating system. This is also achievable because capability systems often have orthogonal persistence, that is transparent persistence (sort of like Hibernation Mode, in its functionality), which tends to be of much better disk performance.

No global namespace: There is no global namespace file system that all applications have access to. Perhaps a database of objects for the user's convinence that points via capabilities to the user's objects which are then passed on selectively. But there is no global file namespace that processes can access. All requests by processes must be carried out by activating a capability, whose mere existence authorizes the request. This instead of activating a system call from a global namespace of system calls, allowing any process to request almost anything, hoping that the security code regarding that request will properly deny that request. The global namespace allows extra communication and exploitation between processes that needn't be possible.

Re:Only system calls?

[scrytch]

I'm not very knowledgable on *nix security, so please help me out here. Why could you not simply do this trick to any program? IE: make a fake libc.so that erases all the files on the hard drive on a call to fopen(), and then run a program that has suid root?

root or setuid root generally ignores LD_PRELOAD as a rule on most unixen. Made it hell for Sun on their initial rollout of Sunrays, which used an LD_PRELOAD hack on yes, libc.

The Windows NT security model is far, FAR superior to anything Unix has. The design of the thing is fabulous. The problem is, it's hardly ever used, it's been made practically or totally impossible to use by an admin by using the interface, and of course, there's the bugs, bugs, bugs...

Re:Sorry but MacOSX is based on Mach kernel and so

At least in the case of MacOS X, it's not Mach. It's a stripped down version of Mach with a BSD personality. And only that personality. It incorporates a large amount of BSD's kernel and userland.

It's as BSD as NetBSD/OpenBSD/FreeBSD are. It's BSD.

Windows, on the other hand, would be Windows with a BSD compatibility layer.

To quote Apple on the subject:
"The stability of Mac OS X begins with Darwin, an Open Source, UNIX-based foundation. Darwin is a complete BSD UNIX implementation, derived from the original 4.4BSD-Lite2 Open Source distribution. Darwin uses a monolithic kernel based on FreeBSD 4.4 and the OSF/mk Mach 3, combining BSD's POSIX support with the fine-grained multithreading and real-time performance of Mach."

Now, repeat after me: "BSD is an operating system, not a kernel."