Re: [GIT PULL] kdbus for 4.1-rc1

[Eric W. Biederman]

Tom Gundersen <teg@xxxxxxx> writes:

> Moreover, the daemon performing the shutdown tasks is necessarily
> always privileged enough to do so, so calling into the kernel and see
> what happens is completely the wrong thing to do (it would simply
> succeed). What matters is if the client calling the daemon is
> sufficiently privileged. If the client has the capabilites necessary
> to call the reboot syscall directly, it makes no sense to disallow
> them from doing a clean reboot. It would be like giving someone access
> to pull the power plug, but not allow them to shutdown the machine
> cleanly.
>
> To conclude, the kernel makes the decision for allowing reboot() to
> succeed based on CAP_SYS_BOOT, so when we decide whether or not to
> perform the preparation steps, we really must also use CAP_SYS_BOOT.
> If we are more restrictive, it does not gain us anything as people
> with CAP_SYS_BOOT can just circumvent our logic and "pull the plug" by
> calling reboot() directly. If we are less restrictive and for instance
> check for uid==0 it would essentially mean that we have added a way to
> circumvent the dropping of CAP_SYS_BOOT.

*Blink*  Privilege escalation via CAP_SYS_BOOT *Blink*

*Puts on black hat*

HeHeHe.  You mean all I need to do to get around all of the logging servers is
capture CAP_SYS_BOOT?  Say like just capture this crazy watchdog program
that doesn't run as root so that it can only reboot the system? HeHeHe
So I can just trigger a clean reboot wait for journald, auditd, and
syslog all to shut down and then do evil things to the machine without
having to worry about erasing forensic evidence?

Bahahaha! This looks like fun I should play with this.

*Takes black hat off* 

Seriously it does not make sense to reuse these bits for purpose to
which they were not designed.   A reboot proceeded by a clean shutdown
is something different from a reboot that skips all of those steps.

I can understand the concerns about not wanting to allow circumventing
dropping CAP_SYS_BOOT but even with that concern in place I think it is
silly.  That isn't what CAP_SYS_BOOT means.

Over the long term userspace doing weird things like this will mean that
we will have the change the kernel to add
CAP_SYS_BOOT_THIS_TIME_I_MEAN_IT.  And have that control the reboot
system call and have the existing CAP_SYS_BOOT be some kind of token for
userspace.

Instead of going down that rat hole it would be much better for
userspace to figure out a token of their own.  Perhaps a file descriptor
certain privileged processes can pass, perhaps something else.

The bottom line is that I tend to suck at figuring out how to exploit
systems and I saw an exploit possibility with the extended privileges
you granted to CAP_SYS_BOOT nearly instantly.

I can't imagine how kernel capabilities are the right too for this kind
of job.

Eric

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/