oss-sec mailing list archives
Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability)
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 26 Sep 2014 12:26:05 -0600
On 26/09/14 12:12 PM, Rich Felker wrote:
On Fri, Sep 26, 2014 at 02:06:21PM +0100, Simon McVittie wrote:Tell everyone to stop using setuid/setgid now and forever?Yes!Minimizing use of setuid/setgid, and making sure the setuid/setgid things are suitably hardened, is a good idea. However, tools for controlled privilege escalation (sudo, pkexec, Apache suexec) rely on setuid in order to work. There's a reason the feature exists at all.These could all be done by having the process with root privileges inherit them from a daemon parent that already has root, rather than requiring the kernel to elevate the privileges of a process via the setuid bit. This inherently eliminates all attacker control of the process's initial state and limits the input/attack surface to the communication channel clients have with the daemon (e.g. a single unix socket).
setuid/setgid is not just for root. For example the Postfix server makes use of various groups and setuid/setgid binaries and directories so that there are well defined interfaces between Postfix components that run with different privilege levels. -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- RE: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability), (continued)
- RE: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Sona Sarmadi (Sep 29)
- Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Ramon de C Valle (Sep 29)
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Loganaden Velvindron (Sep 27)
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Chet Ramey (Sep 27)
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Christos Zoulas (Sep 27)
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Loganaden Velvindron (Sep 27)
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Guido Berhoerster (Sep 26)
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Mark R Bannister (Sep 26)
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Simon McVittie (Sep 26)
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Rich Felker (Sep 26)
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Kurt Seifried (Sep 26)
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Rich Felker (Sep 27)
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Rich Felker (Sep 26)
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Kurt Seifried (Sep 26)