On Wed, 14 Aug 2024 14:54:20 -0600 Sam Hartman <hartm...@debian.org> wrote:
> >>>>> "Daan" == Daan De Meyer <daan.j.deme...@gmail.com> writes:
>
>     Daan> Dear Maintainer, As described in
>     Daan> https://github.com/linux-pam/linux-pam/pull/373, unix_chkpwd
>     Daan> does not need to be setuid or setgid anymore if it is given
>     Daan> cap_dac_override via filecaps instead. I would like debian to
>     Daan> use filecaps instead of setgid shadow for
>     Daan> /usr/sbin/unix_chkpwd so that the file itself can be owned by
>     Daan> root:root and the setgid bit can be removed from the
>     Daan> file. Having all files in /usr owned by root:root is useful
>     Daan> for image builders as it allows building debian images in a
>     Daan> stripped down user namespace with only the root user and
>     Daan> nothing else available.
>
> My inclination is to mark this bug wontfix.
> The principle of least privilege says that we should not give an
> executable more privilege than it needs.
> DAC_OVERRIDE is significant privilege--almost certainly enough privilege
> to compromise the system entirely.
> In contrast, sgid shadow is significantly less privilege.
>
> I'd like to find a way to support the image building use case, but not
> at the expense of security for the rest of the world.
> Do you have any suggestions for how we can meet both of our needs?
The setgid is inherited by any eventual child process. On the other hand, capabilities can be limited to the individual process, and stopped from being inherited. IMHO that already makes it more attractive, as the most common avenue for exploit is to trick it into executing something else. It seems unlikely to have ROP gadgets or suchlike readily available in this.

On top of that, this is only needed for reading, right? If that's the case, then CAP_DAC_READ_SEARCH can be used, which gives read-only privileges. That is a very lightweight cap, especially as, most likely, the most dangerous thing you can read is the root password, and this is anyway designed to allow the caller to do exactly that.

So it seems to me, being able to set cap_dac_read_search=ep would be strictly better than setgid under common circumstances?

--
Kind regards,
Luca Boccassi
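An added example, not code from this thread, from linux-pam or from Debian: a small POSIX shell audit that reports how a helper binary receives its privilege, distinguishing the setuid/setgid bits (inherited by every child the helper execs) from file capabilities (per-process unless the inheritable flag is set), and flagging cap_dac_override as a near-root grant versus cap_dac_read_search as read-only. It assumes GNU coreutils `stat` and libcap's `getcap`; the getcap output parsing and the chown/setcap commands in the trailing comment are assumptions, not steps taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the bug thread, linux-pam or Debian.
# Reports how a helper such as unix_chkpwd receives its privilege: the
# setuid/setgid bits (inherited by every child it execs) versus file
# capabilities (per-process; not inherited unless the 'i' flag is set).
# Assumes GNU coreutils `stat`; `getcap` (libcap) may be absent on minimal
# systems, in which case caps are reported as "unknown".

# audit_privbin PATH -> prints one line:
#   PATH owner=USER:GROUP suid=0|1 sgid=0|1 caps=STRING|none|unknown note=...
audit_privbin() {
    path=$1
    [ -e "$path" ] || { echo "$path: no such file" >&2; return 1; }
    owner=$(stat -c '%U:%G' "$path")
    mode=$(stat -c '%a' "$path")            # e.g. 2755 (sgid) or 755 (plain)
    suid=0; sgid=0
    if [ ${#mode} -eq 4 ]; then
        special=${mode%???}                 # leading digit: 4=suid 2=sgid 1=sticky
        [ $((special & 4)) -ne 0 ] && suid=1
        [ $((special & 2)) -ne 0 ] && sgid=1
    fi
    if command -v getcap >/dev/null 2>&1; then
        caps=$(getcap "$path" 2>/dev/null)
        caps=${caps#"$path"}                # drop the path; libcap prints either
        caps=${caps# }; caps=${caps#= }     # "PATH = cap+ep" (old) or "PATH cap=ep"
        [ -n "$caps" ] || caps=none
    else
        caps=unknown
    fi
    note=ok
    case $caps in
        *cap_dac_override*)    note="dac_override:bypasses-all-DAC-checks" ;;
        *cap_dac_read_search*) note="dac_read_search:read-and-search-only" ;;
    esac
    flags=${caps##*[=+]}                    # flag letters of the last clause, e.g. "ep"
    case $flags in *i*) note="$note,inheritable-caps-pass-to-children" ;; esac
    [ "$sgid" -eq 1 ] && note="$note,sgid-inherited-by-children"
    [ "$suid" -eq 1 ] && note="$note,suid-inherited-by-children"
    printf '%s owner=%s suid=%s sgid=%s caps=%s note=%s\n' \
        "$path" "$owner" "$suid" "$sgid" "$caps" "$note"
}

# Usage: audit_privbin /usr/sbin/unix_chkpwd
# The switch the thread proposes, run as root (assumed commands, not from the thread):
#   chown root:root /usr/sbin/unix_chkpwd && chmod g-s /usr/sbin/unix_chkpwd
#   setcap cap_dac_read_search=ep /usr/sbin/unix_chkpwd
if [ "$#" -gt 0 ]; then for f in "$@"; do audit_privbin "$f"; done; fi
```

Run it over the output of `find / -perm /6000 -type f` and `getcap -r /` to see which helpers still rely on inheritable setuid/setgid bits rather than a scoped file capability.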