Openwall Linux 3.0 — No SUIDs, Anti-Log-Spoofing

solardiz writes "Openwall GNU/*/Linux (or Owl for short) version 3.0 is out, marking 10 years of work on the project. Owl is a small, security-enhanced Linux distro for servers, appliances, and virtual appliances. Two curious properties of Owl 3.0: no SUID programs in the default install (yet the system is usable, including password changing); and logging of who sends messages to syslog (thus, a user can't have a log message appear to come, say, from the kernel or sshd). No other distro has these. Other highlights of Owl 3.0: single live+install+source CD, i686 or x86_64, integrated OpenVZ (host and/or guest), 'make iso' & 'make vztemplate' in the included build environment, ext4 by default, xz in tar/rpm/less, 'anti-Debian' key blacklisting in OpenSSH. A full install is under 400 MB, and it can rebuild itself from source."

Amazing Work

[metrix007]

While OpenWall won't see much adoption on it's own I do hope a lot of the work gets ported to other distributions so it is in common use.

Not trolling, but Linux Security is somewhat atrocious these days with the whole security via obscurity approach, so I for one have a better state of mind when I know I can protect myself even in the result of a succusful exploit.

Awesome.. No need for Fortress Linux then?

[petril]

This is pretty interesting, I just wonder what happens to Fortress Linux?

Rebuild itself?

[Jeremiah+Cornelius]

Can it do so with cross-compilation? I want this as an ARM distro...

Re:Rebuild itself?

[zn0k]

http://www.openwall.com/Owl/ARCHITECTURES.shtml
> Cross-builds are not supported: it is not possible to build packages for an architecture different than that of the build host, nor for a flavor of the architecture newer than that implemented in the build host's CPU.

No, it can't do cross-compiling. And ARM is not supported.

Anti-debian key?

[gandhi_2]

Can someone explain (for real) the point of the 'anti-Debian' key blacklist?

Is it because of the Debian-specific vulnerability in OpenSSH? I thought that was a couple years ago.

Re:Anti-debian key?

[wowbagger]

The exploit was years ago, but you never know when somebody generated a key under the broken system, and hasn't regenerated their key due to (missing the memo|laziness|stupidity) and is still using a weak key.

So, many distros block the bad keys to force people to clean up.

Re:Anti-debian key?

[Khopesh]

Can someone explain (for real) the point of the 'anti-Debian' key blacklist?

Is it because of the Debian-specific vulnerability in OpenSSH? I thought that was a couple years ago.

Yes. There are still lots of keys out there that were generated with this bug, so it is still worthwhile to test for that. When it comes to uber-secure projects like OWL and OpenBSD, this will likely never change; it's a trivial check for a nontrivial gain.

Re:Anti-debian key?

[characterZer0]

Debian itself blocks the bad keys.

Ah Sweet Nostalgia

[ADRA]

While I'm not terribly interested in the distribution itself, its great to see a classic Slashdot story about some major or point release of a semi-well known OSS product.

/bin/su isn't SUID?!

[Khopesh]

I'm not sure I believe that. The only way I can think of permitting things like su and passwd (among many others) is by running some sort of permissions escalation daemon ("owl-control" perhaps?) as root that essentially does the same thing. This moves the vulnerability from the binary to the permissions daemon.

There is almost no documentation on owl-control; the best I could find was a FreeBSD port and the (encoded) man page as plucked from CVS HEAD.

If this has been independently audited and continues to appear to be a Good Idea then perhaps it would be of interest to one of the larger distributions?

Re:/bin/su isn't SUID?!

[verbatim_verbose]

See Fedora's page for the same feature.

In short, there is a system now which gives programs certain capabilities based on tags set in the file system. With this, running as root is not needed for most things.

Re:/bin/su isn't SUID?!

[Bert64]

Well, setuid binaries were required to exploit the ptrace kernel vulnerability from a few years back, as well as the more recent vulnerability in glibc... An already running daemon which is running as root would not be vulnerable to either of these exploits.

On the other hand, i believe they use capabilities - that is rather than granting full root privileges ala setuid, you grant only the permissions a program needs... For instance listening daemons may only need root privileges to bind to ports below 1024, ping/traceroute only need to be able to open a raw socket etc.

Re:/bin/su isn't SUID?!

[Khopesh]

At least theoretically some type of access list "Program X is authorized to do Y" is more secure than "Program X needs root access".

I chose /bin/su because the "Y" that it needs to do is root access.

Dropping SUID doesn't improve security

[fandingo]

Here's one of the better criticisms of dropping SUID, and it's from an Openwall developer. These criticisms are echoed by almost everyone thinking about removing SUID.

There's a lot of talk lately regarding replacing the SUID bit on program
binaries in Linux distros with filesystem capabilities. Specifically,
Fedora and Ubuntu are heading in that direction.

Fedora:
http://fedoraproject.org/wiki/Features/RemoveSETUID
https://bugzilla.redhat.com/show_bug.cgi?id=646440

Ubuntu:
http://www.outflux.net/blog/archives/2010/02/09/easy-example-of-fscaps/
https://wiki.ubuntu.com/Security/FilesystemCapabilties

While in general this is a good idea, there are issues with it, in
arbitrary order:

- Some currently-SUID programs are aware of them being (potentially)
SUID, and will drop the "more privileged" euid when it is no longer
needed, but they will probably not be aware of them possessing
capabilities. This may result in larger parts of the programs
(sometimes orders of magnitude larger) running with elevated privileges
(or with allowed-to-be-elevated privileges, which is a privilege on its
own and is usable through vulnerabilities that allow for arbitrary code
execution). Let's consider ping, which appears to be the classical
example of "where filesystem capabilities will help" (or so it is
claimed). IIRC, it starts by acquiring a raw socket (NB: of a certain
somewhat-limited type), then drops root privs (if it was installed SUID
root and run by non-root), then proceeds to parse the command-line,
resolve the provided hostname, and so on. If the SUID bit is replaced
with cap_net_raw+ep, as seen in Kees' example above, will ping know to
drop this capability? Hardly. Not without a source code patch.
Besides, dropping the capability might [need to] require privileges
beyond CAP_NET_RAW itself (recall the capability-dropping attack on
sendmail from a decade ago). So does moving from SUID root to
cap_net_raw+ep improve security? Most likely not. On the contrary, it
results in hundreds of lines of ping's code and thousands of lines of
library code (DNS resolver) running with elevated privileges, as
compared to just a few lines of ping.c, which was the case with simple
SUID root. Granted, those "elevated privileges" are a lot less than
root privileges, but they're a lot more than having a single raw socket
of a specific type.

- In some cases, the capability sets being granted are (almost)
equivalent (or expandable to) full root powers. This is seen in:

http://people.fedoraproject.org/~dwalsh/policycoreutils_setuid.patch

-%attr(4755,root,root) %{_bindir}/newrole
+%attr(0755,root,root) %caps(cap_audit_write,cap_setuid) %{_bindir}/newrole

-%{_sbindir}/seunshare
+%attr(0755,root,root) %caps(cap_setuid,cap_dac_override,cap_sys_admin,cap_sys_nice) %{_sbindir}/seunshare

This mostly just sweeps the SUID root under the rug, where the sysadmin
will hopefully not see it and thus feel safer. However, it may expose
more problems in the programs if they knew to drop root, but wouldn't
know to drop the capabilities (same issue I described above for ping).

Granted, vulnerabilities of certain classes might become unexploitable
or be partially mitigated. For example, if no direct code execution is
possible (not a buffer overflow, etc.), but "only" privileged access to
an attacker-provided arbitrary pathname is possible, then "newrole"
above would be protected, but "seunshare" above would not (because of
cap_dac_override).

- Completely getting rid of SUID root pro

Re:Dropping SUID doesn't improve security

[solardiz]

> Here's one of the better criticisms of dropping SUID, and it's from an Openwall developer. These criticisms are echoed by almost everyone thinking about removing SUID.

I am glad that you liked my criticism of Fedora's approach, however it appears that you misunderstood me. I criticized their specific approach with fs capabilities, not the idea of getting rid of SUIDs in general. The approach taken by us in Owl (many years ago, but only widely publicized now) and the one being taken by Fedora now are completely different (SGID and changes elsewhere in the system in Owl vs. fscaps in Fedora). The purpose of my criticism was to make other folks, including Fedora developers, consider the issues and the alternatives. It was not to discourage them from taking the move, but rather to give them an opportunity to consider our approach, which we consider to be the better and "real" one.

With our approach implemented in Owl, a used-to-be-SUID program runs SGID to a group dedicated to a certain purpose - e.g., editing a user's crontab. Other parts of the system have been modified such that privileges of that group are sufficient for but can't be expanded further than its intended purpose - e.g., permissions on /var/spool/cron and extra checks in crond (for crontab file ownership and more) are such that a possible compromise of group crontab would not give the attacker almost anything - no ability to edit another user's crontabs without also finding a (second) vulnerability in crond or in system components relied upon by crond. Yes, we could as well not use SGID - just make the crontab program fully unprivileged and the /var/spool/cron directory writable by anyone (the sticky bit prevents messing with another user's existing crontabs). The reasons why we chose to use SGID and a group are: (1) this is needed to prevent some DoS attacks (such as taking up another user's would-be crontab filename) and (2) it is an extra layer of security (so direct attacks on crond are not possible without compromising crontab first). Our changes to crontab/crond have since been adopted by ALT Linux, OpenBSD, and even by upstream ISC (Vixie) cron (but most distros somehow don't hurry to make use of this functionality, continuing to install crontab SUID root...)

Fedora's approach is to replace SUID root with fscaps - that is, the programs are still granted a lot of privilege, just somewhat less than they were with SUID root. In many cases (perhaps even in most, where ping might be the only exception), such capability sets are in fact root-equivalent, so this is sweeping SUIDs under the rug. Also, there's no second layer of security. See the difference?

Re:Not Trolling?

[MichaelSmith]

By definition, it's impossible for open source software to practice security through obscurity.

When you have mass quantities of obscure code it is certainly possible to do that for a while.

Re:Not Trolling?

[metrix007]

I am getting modded down because zealots have modpoints.

Most people who use Linux don't review the code nor should they be expected to. We should expect the developers to disclose security problems in a responsible way. They don't, they obscure them.

So yes, the developers do practice security via obscurity. DO I really need to go and link the interview on kerneltrap where they say and defend that practice?

Re:VMWare support? RAM requirements?

[JSG]

There's always pfSense as an alternative to m0n0wall. I run many of those under VMWare.

I chose it for its easy multi external link capabilities, after I gave up on Linux for this and was pleasantly surprised by its ease of use, stability and huge range of features.

It is nearly bullet proof as I discovered when one of a customer's VMFS died. All the other VMs fell over immediately but the pfSense router carried on running without its "hard disc" for two days before I replaced it. Internet access downtime was 2 seconds as I cut it over. Admittedly the web interface vanished but the routing, VPNs, firewall etc carried on running.

As to OWL, its a Linux distro so it will have no problems with being a VM - that's the whole point of virtualization. You might have to select "Linux other (64 bit)" but my many Gentoo's run happily like that

Why on earth should the devs even think about VMWare, HyperV, KVM or whatever - that's your job! Apart from considering making the guest tools pre-packaged what should they be doing? I doubt they care whether you spec your boxen from Dell. HP, IBM or PC World so why should they care whether it is physical or VM?

As to asking about RAM requirements - I'd suggest (without even having looked at it) >=256Mb depending what you do with it. I've no doubt that fact is covered on their web site. If you are using ESXi and not just playing on your home PC then the answer would probably be "who cares, RAM is cheap as chips"

Go on - try it, I might even do the same.

Cheers
Jon

PS You have a 5 digit /.ID. Have you been moonlighting on other OSs for the last 10 years, asking such questions 8)

Re:Not Trolling?

[AaronLS]

So if I release a program that encrypts data by XOR'ing all bits, it is not security through obscurity simply if I release it as open source? That is the classic example of security through obscurity, and making it open source doesn't change that. The open source aspect of it only means that people will potentially discover this problem.

If you've ever released something on source forge you should compare your stats regarding people accessing the source code versus downloads. You will find the source code is next to never downloaded if you are providing binaries.

Re:Not Trolling?

[MichaelSmith]

The typical definition of "security through obscurity" refers to hiding bugs and vulnerabilities by keeping the design and implementation secret via closed source.

No it means placing a reliance on something which is hard to find. If I hide my house key under a pot plant in my front yard I am relying on the obscure location of the key. The garden is open source. Anybody can search it.

Re:VMWare support? RAM requirements?

[solardiz]

I'm interested in this for a VMware guest OS, as a possible alternative to m0n0wall. Have the authors thought about that kind of implementation

Yes, Owl 3.0 works in VMware out of the box. We mostly run it in QEMU and VirtualBox for our VM-based testing, though.

BTW, you might find it curious that when you run Owl in a VM like this, you can further create OpenVZ containers with multiple instances of Owl and with other Linux distros inside that single running copy of Owl. Such container-based virtualization has no further performance overhead. :-)

How much RAM does it need to run adequately?

128 MB is plenty, probably a lot less will do. I have my QEMU set to its default of 128 MB when I do install-tests with new Owl ISOs. Also, my Owl-based router and small fileserver at home has 128 MB RAM (runs the default-enabled set of Owl services plus ntpd, named, pppd/pppoe, openvpn, squid, NFS, and a sometimes a few lftp's and ctorrent's under screen).

On the other hand, of course you may need a lot more RAM for your specific uses of Owl - e.g., to run many OpenVZ containers, to do web hosting, etc. We currently administer several 32 GB RAM machines running Owl and one 64 GB RAM machine, as well as a countless number of 4-16 GB machines - so we know Owl has no problem with these larger RAM sizes as well (and with the many OpenVZ containers running various Linux distros actually making use of this RAM).

Re:Not Trolling?

[AaronLS]

You obviously don't know what code obfuscation is. Code obfuscation involves modifying code or the compiled binaries to obfuscate code. I didn't describe anything that involves manipulating code or the program itself. Such a step usually I explicitly said "encrypts data by XOR'ing all bits". The keyword is data. Where did I say anything about obfuscating the source code? I didn't. This has absolutely nothing to do with code obfuscation. You obviously know absolutely nothing about security because you don't even know the basic definition of common terminology.