From owner-freebsd-security Mon Mar 19 20: 1:36 2001 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id D745937B73C; Mon, 19 Mar 2001 20:01:23 -0800 (PST) (envelope-from robert@fledge.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.1/8.11.1) with SMTP id f2K40Ih69662; Mon, 19 Mar 2001 23:00:19 -0500 (EST) (envelope-from robert@fledge.watson.org) Date: Mon, 19 Mar 2001 23:00:18 -0500 (EST) From: Robert Watson X-Sender: robert@fledge.watson.org To: Sergey Babkin Cc: security@freebsd.org, Wes Peters , fs@freebsd.org Subject: Re: about common group & user ID space (PR kern/14584) In-Reply-To: <3AB3FC38.94711FFF@bellatlantic.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Sergey, Sorry for my long delay in getting back to you with regards to your proposed changes. Let me start by saying I had a number of reactions at various levels (gut, technical, ...) and that one of the interesting aspects about the suggested changes is that they're remarkably self-consistent: most security "extensions" I've seen contain relatively easy-to-find inconsistencies that render them useless against a qualified attacker. My gut reaction to the changes is one of concern: it strikes me that while the changes have a number of nice properties (not least of which is the consistency of them, and that they don't require underlying file system changes), fundamentally there are a few objections that can be made. First, it's a hack, in that it will not be consistently applied across file systems, or even across boots depending on the kernel used. Second, it changes the semantics of well-defined interfaces and primitives such that they are more open than they used to be (a certain class of subject credentials will have a strict superset of the rights they previously had) without providing the application any way to determine if the feature is in effect (no pathconf(), so that leaves direct experimentation, etc). Third, your patches include no attempt to uniformly update documentation referring to users/groups to bring them in sync with the new implementation. Fourth, many applications exist that make strong assumptions about the UNIX protection mechanisms that will no longer hold true (this is related to (3), although not quite identical). Fifth, the resulting system is highly non-portable, in that neither users nor administrators with expectations from other systems (or even from FreeBSD) will be able to apply their knowledge and experience with the mechanism in place, and safety assumptions may no longer hold. Sixth, applications that assume that preserving permissions across certain types of file system operations will no longer behave correctly (for example, when you tar on UFS and untar on NFS). Seventh, it (as you point out explicitly, and by design) intersects two namespaces that have traditionally not been combined in the kernel. Userland code has often made assumptions about mapping uid and gid values, but that has never been a property of the kernel policy. Eighth, it introduces additional hard-coded uid/gid values into the kernel, something we've been trying to move away from (in theory, only two constant values should be relevant, leaving aside default device permissions: uid 0 and the uid used to represent NOVAL in vop_setattr() (which is evil also :-)). Now, none of these is a reason to completely reject the idea. In fact, there's precedent for conditionally compiled divergent security hacks in UFS, in the form of SUIDDIR, which adopts a modified file ownership/creation/inheritence model making for easier use of Samba on closed file servers (it represents a substantial security risk if not on a closee system). Ok, so that was the "gut reaction" and the "why the gut reaction doesn't rule out adding this feature". Let me go onto various other relevant responses. My first response on initial concern that this policy would introduce an "inconsistency". That is to say, based on this modified kernel policy and common uses of it in the userland policy environment, easily exploitable inconsistencies could be found and used to gain privilege. In my initial glance, I was unable to identify such an inconsistency -- that isn't to say it doesn't exist, just that on a quick initial analysis I didn't find one. Hence my comment above on this being relatively unusual :-). On determining that I didn't find any vulnerabilites off-hand, I was interested, as this is both unusual, and the changes bring some nice new system properties. As I said above, there is some precedent for this type of conditionally compiled feature (read: "hack"), and as long as it were clearly documented as such, my reaction is again not a rejection :-). I should take a moment also to respond to your comments on ACLs. In my view, they all apply. ACLs are a pain to deal with, because they increase the already high administrative overhead of managing per-file permissions. Personally, I'm a fan of the AFS ACL model, where protections are present only on directories, hard links are prohibited, and sub-directories inherit protections on creation. I even had an implementation of this on FreeBSD at one point, although it's quite dated now. However, ACLs have a number of things going for them: 1) They are portable. POSIX.1e pretty much defines everything you need to know (not quite) to implement a portable DAC mechanism. Many operating systems implement POSIX.1e with a high degree of compliance. Many applications know about, or are learning about, POSIX.1e. For example, Samba's new ACL support will speak POSIX.1e. 2) They provide compatibility with file modes: if you don't know about ACLs, all the mode commands "just work". This goes for users and for applications. You might not end up with the permissions you expect, but you'll end up with conservative and safe permissions according to the permission model. Applications and users won't make assumptions about UNIX mode compatibility and be wrong, failing open. The result was an even uglier ACL model, but the argument that this was desirable was a strong one. 3) They're widely used and fairly well inspected by a fair number of security types. So while I don't like POSIX.1e ACLs, I decided to implement them because these all seemed to be strong properties that were hard to ignore. Cutting "yet another discretionary access control mechanism" was really out of the question from these perspectives. In a few days, I'll be committing options UFS_ACL to the -CURRENT tree, and the result will be a fairly complete POSIX.1e/POSIX.2c implementation. Some userland tools, such as mv, cp, backup stuff, mtree, will need to be updated, and we have a few more bits of the ACL editing library to finish so as to support applications such as Samba. Other than to strongly caution against using your feature in most situations (especially where portability and safety involving multiple file systems, machines, operating systems, etc), I won't stop you from committing it (especially if you use it locally and with success). I will say that I think divergent and non-portable security models are likely to be more trouble than they are worth, and make my job substantially more complicated (we'll be starting work on a FreeBSD Security Architecture document at some point, and each time a random hack is added, we have to deal with the consequences :-). Robert N M Watson FreeBSD Core Team, TrustedBSD Project robert@fledge.watson.org NAI Labs, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message