Hi Theo,
Theo de Raadt wrote on Mon, Sep 14, 2020 at 04:06:08AM -0600:
> Ingo Schwarze <[email protected]> wrote:
>> are used for. Some such file systems may permit SUID and/or device
>> files, so not checking them may be a dubious idea.
> The script could identify mountpoints with safer mount options and
> reduce scanning on them.
>
> That will also encourage admins to use restrictive mount options when
> possible.
I think that is an interesting idea. That would be the patch below.
Given that the function find_special_files() looks for SUID, SGID,
and device files, i suggest this logic: skip a mount point if any
of the following is true:
- it does not have the "local" mount option
- or it has both the "nodev" and the "nosuid" mount options
I don't think explicitly matching the parentheses is needed.
The code below is simpler and possibly even more robust.
There is one minor downside. Some people will once get mails similar
to the following:
Setuid deletions:
-r-sr-xr-x 2 root ... Mar 29 15:58:55 2020 /co/destdir/base/sbin/ping
-r-sr-xr-x 2 root ... Mar 29 15:58:55 2020 /co/destdir/base/sbin/ping6
-r-sr-x--- 1 root ... Mar 29 15:58:56 2020 /co/destdir/base/sbin/shutdown
...
Device deletions:
crw------- 1 ... 79, 0 ... /usr/obj/distrib/amd64/ramdiskA/mr.fs.d/dev/bio
crw------- 1 ... 23, 0 ... /usr/obj/distrib/amd64/ramdiskA/mr.fs.d/dev/bpf
...
Nothing changed on disk, but security(8) now skips some file systems.
Then again, i don't think a one-time mail is a serious problem.
I suspect the "$type" test is obsolete and can be deleted because
i don't think any of the file system types afs, nnpfs, and procfs
are supported nowadays, but since that is unrelated, i'm not proposing
to change that in the same diff. If people agree that should be
deleted, i'll send a separate diff.
> OTOH, Issues complained about a decade late... are often overblown.
Sure, but when somebody has a smart idea (like the one you just brought
forward), there is nothing wrong with polishing small turds, too.
Opinions, concerns, tests, OKs?
Ingo
Index: security
===================================================================
RCS file: /cvs/src/libexec/security/security,v
retrieving revision 1.38
diff -u -p -r1.38 security
--- security 27 Dec 2016 09:17:52 -0000 1.38
+++ security 14 Sep 2020 11:13:47 -0000
@@ -540,9 +540,10 @@ sub find_special_files {
"cannot spawn mount: $!"
and return;
while (<$fh>) {
- my ($path, $type) = /\son\s+(.*?)\s+type\s+(\w+)/;
+ my ($path, $type, $opt) = /\son\s+(.*?)\s+type\s+(\w+)(.*)/;
$skip{$path} = 1 if $path &&
- ($type =~ /^(?:a|nnp|proc)fs$/ || !/\(.*local.*\)/);
+ ($type =~ /^(?:a|nnp|proc)fs$/ || $opt !~ /local/ ||
+ ($opt =~ /nodev/ && $opt =~ /nosuid/));
}
close_or_nag $fh, "mount" or return;
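Review bot: the option tests on the two `+` lines are unanchored substring matches (`$opt !~ /local/`, `$opt =~ /nodev/ && $opt =~ /nosuid/`), so any future mount option whose name merely contains one of those words would be misread; anchoring with word boundaries, e.g. `$opt !~ /\blocal\b/` and `$opt =~ /\bnodev\b/ && $opt =~ /\bnosuid\b/`, keeps the intent of "exactly these options" at no cost. Since the new `(.*)` captures everything after the type, including the parenthesised option list, the `local` test now inspects only that trailer instead of the whole line, which is the narrower and correct scope.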
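The skip rule from the mail (scan a mount point only if it is "local" and not mounted with both "nodev" and "nosuid"), written out as a stand-alone Perl script. This is an added example, not code from security(8) or from the diff above: it parses constructed mount(8)-style lines into an option hash and tests option names exactly instead of by substring, which is a stricter variant of the diff's regex tests; the function names and the sample lines are invented for illustration.

```perl
#!/usr/bin/perl
# Added example, not the security(8) script: decide which mount points a
# SUID/SGID/device scan can skip. Rule from the mail: skip a mount point
# that is not "local", or that has both "nodev" and "nosuid".
use strict;
use warnings;

# Parse one mount(8) line into (path, type, hashref of option names).
# Returns the empty list if the line does not look like a mount line.
# Example line (constructed): '/dev/sd0d on /tmp type ffs (local, nodev, nosuid)'
sub parse_mount_line {
    my ($line) = @_;
    my ($path, $type, $opt) = $line =~ /\son\s+(.*?)\s+type\s+(\w+)\s*\((.*)\)/
        or return;
    # Split "local, nodev, nosuid" into exact option names; a hash lookup
    # cannot be fooled by one option name being a substring of another.
    my %opts = map { s/^\s+|\s+$//gr => 1 } split /,/, $opt;
    return ($path, $type, \%opts);
}

# True if scanning this mount point for SUID/SGID/device files is pointless.
sub skip_mount {
    my ($path, $type, $opts) = @_;
    return 1 if $type =~ /^(?:a|nnp|proc)fs$/;   # type test kept from the script
    return 1 unless $opts->{local};               # remote file system: skip
    # nodev + nosuid: device nodes and setuid/setgid bits have no effect
    # on this mount (see mount(8)), so the scan would only produce noise.
    return 1 if $opts->{nodev} && $opts->{nosuid};
    return 0;                                     # local and not fully restricted: scan
}

# Constructed sample output in mount(8) format, not captured from a real host.
my @sample = (
    '/dev/sd0a on / type ffs (local)',
    '/dev/sd0d on /tmp type ffs (local, nodev, nosuid)',
    '/dev/sd0e on /home type ffs (local, nodev, nosuid, wxallowed)',
    '/dev/sd0f on /usr/local type ffs (local, nodev, wxallowed)',
    'fileserver:/export on /mnt/nfs type nfs (nodev, nosuid)',
    'this line is not mount output',
);

for my $line (@sample) {
    my ($path, $type, $opts) = parse_mount_line($line) or next;
    printf "%-5s %s\n", (skip_mount($path, $type, $opts) ? 'skip' : 'scan'), $path;
}
```

Run as `perl skipmounts.pl` (any file name; the name is not part of the example). With the constructed lines it scans `/` and `/usr/local` and skips `/tmp`, `/home` and `/mnt/nfs`; `/usr/local` is still scanned because "nodev" alone leaves setuid binaries effective, which is exactly the case the two-option rule is meant to keep covered.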