[Zope-dev] startup security status (say that five times fast... well, ok, it wasn't so tough after all)
Behrens Matt - Grand Rapids
Matt.Behrens@Kohler.Com
Wed, 24 Oct 2001 07:35:27 -0400
I have a patch in hand that addresses MOST of the issues I brought up,
but the biggie (tricking root into killing arbitrary processes) is a
hard one to solve. I have many options, and I'd like opinions...
Right now, the pid file is written out by the user that ZServer drops to
after starting. This is bad because if that user is compromised, the
pid file can be overwritten, and root can be tricked into killing (an)
arbitrary process(es) the next time 'stop' is run.
The obvious solution was to move the writing of the file up before the
setuid() call. Now, the unprivileged user can't *change* the pid file.
However, because the var directory must be writable by the
unprivileged user, the unprivileged user can *remove* then *rewrite* the
pid file, and we're back where we started.
Solutions:
1. Have the stop script check ownership of the pid file to make sure
it's still root's baby. This solution seems easiest, but something
about it doesn't seem right to me. When something doesn't feel right to
me, there's probably a way to fool it...
2. Enforce the sticky bit on the var directory. From Solaris' chmod(2)
manpage:
If a directory is writable and has S_ISVTX (the sticky bit)
set, files within that directory can be removed or renamed
only if one or more of the following is true (see unlink(2)
and rename(2)):
o the user owns the file
o the user owns the directory
o the file is writable by the user
o the user is a privileged user
(Privileged user means 'root'.) We only need to enforce the sticky bit
if we start as root and are doing the requisite setuid(). My patch
already has a test for this.
3. Have the pid file written into another directory that only root can
write to.
The rest of this should probably be another mail, but I figured I'd
cover what my patch also does:
1. No longer defaults to running as 'nobody'. As I've explained,
running as 'nobody' and the requisite permission settings that need to
go with running as 'nobody' can set your Zope data up for compromise on
your local system. If -u is not specified z2.py will SystemExit.
2. Warns you if you decide that you REALLY want to run as 'nobody',
either with -u or by being nobody when starting z2.
3. Tells you when and who it actually setuid()s to.
4. Warns you if your umask isn't sufficient to protect your data files
(experiment: pack your Data.fs and check its permissions.)
All messages in this patch are going through zLOG for cleanliness' sake.
--
Matt Behrens <matt.behrens@kohler.com>
System Analyst, Baker Furniture