undefined | Better HN

0 pointsbinarycrusader10y ago0 comments

OpenBSD is not unique here; Solaris has a "whole-system approach" to development as well, and has had the ability for programs and admins to easily do privilege drop or provide privilege separation for many years now.

Not only that, Solaris allows you to wrap programs without any source modifications easily using ppriv to drop or add privileges as required.

Almost every slide in the presentation that talks about how you would use the proposed pledge() interface applies to Solaris' privileges model as well.

Some relevant examples:

http://www.kernelthread.com/publications/security/solaris.ht... http://docs.oracle.com/cd/E23823_01/html/816-4863/ch3priv-25...

Solaris' role-based access control and advanced privileges model even lets you implement things like only allowing someone to become 'root' if both them and another person logs in at the same time. Think of the "two-keys required to unlock this door" sort of approach to security:

https://blogs.oracle.com/gbrunett/entry/enforcing_a_two_man_...

0 comments

LukeShu10y ago

My point about OpenBSD having a "whole-system approach" was that the interface isn't necessarily general (yet); it just needs to meet the needs of the OpenBSD team as they exist today. When they realize it has a limitation, they can change it, no fuss, because they can commit to the whole system.

That said, Solaris' facilities seem useful, but from the documentation you linked, seems much more complicated than pledge(). They look similar conceptually, but Solaris' seems to be much more complicated to actually use.

binarycrusaderOP10y ago

The examples provided are some of the more complex cases that let you do advanced things.

You can shrink the amount of code required if you limit it to more simple cases as those shown in the slides.

For example, as derived from the OpenBSD presentation:

  if (pledge("stdio fattr", NULL) == -1):
     err(1, "pledge");

A similar (not completely equivalent, since OpenBSD chose some "interesting" definitions for their privileges, and is admittedly untested) example for Solaris might be:

  priv_set_t *tmp = priv_str_to_set(
     "PRIV_FILE_READ PRIV_FILE_WRITE PRIV_FILE_CHOWN_SELF",
     " ", NULL);

  /* Assert required privileges. */
  if (setppriv(PRIV_ON, PRIV_PERMITTED, tmp) == -1)
    err(1, "setppriv permitted");
  if (setppriv(PRIV_ON, PRIV_EFFECTIVE, tmp) == -1)
    err(1, "setppriv effective");

  priv_inverse(tmp);

  /* Drop all privileges not required. */
  (void) setppriv(PRIV_OFF, PRIV_PERMITTED, tmp);

The big difference, I think, between the Solaris interfaces and the OpenBSD ones are that Solaris allows the process to temporarily drop privileges and then add them back, or permanently drop them. From the proposed OpenBSD interfaces, it looks they only allow the permanent drop model.

There are a few convenience wrappers that might simplify the above further, but the real point is not to compare efficiency of interfaces, but capability.

Also, Solaris offers the ability to restrict privileges of programs without source code modification (imagine a program you don't quite trust and don't have the source code to). I didn't see that in the OpenBSD presentation.

In their defense, they're also clearly still working on these interfaces, so there can't yet be a fair comparison. Solaris has had privilege interfaces for over a decade, so the model presented is a bit more mature obviously.

The only thing I'd mention is that Solaris tries to provide a default set of privileges that represent things closer to administrative boundaries, rather then implementation-specific ones, as implementation can change, but the basic high-level operations do not.

For example, Solaris has a file read/write privilege, but doesn't bother letting you restrict the ability to set file timestamps separately because that doesn't seem like a useful thing to do. It does however, provide separate privilege(s) for manipulating ownership of files, since that's clearly a different category of operations. OpenBSD currently seems to be focused on the implementation instead of the administrative-level operations being performed.

LukeShu10y ago

Thanks for the reply! I've got several responses, that are mostly unrelated to eachother.

1. "interesting definitions": As you note, "OpenBSD chose some 'interesting' definitions for their privileges". This was the core of my original thesis: because of the whole-system approach, they were free to choose "interesting" definitions that closely matched their current-implementation-specific usage patterns, making the whole thing more convenient, but less general. That's all my original post was trying to say.

2. code size: I see that conceptually these 2 code samples work similarly, but one has 5x more LOC.

3. dropping and picking up isn't really dropping: If I drop privileges, but can pick them back up, then if I decide to misbehave, picking them back up is just something I do first. Dropping them with the possibility of picking them up is security theater, not actual security.

4. sandboxing is addressed in other presentations: Earlier presentations explain why having tools to restrict the privileges of programs without source modification is inadequate; a common pattern for programs is that they require some privileges during start up, but then don't need them for the rest of execution; a source-unaware mechanism would have to allow the start-up privileges for the entire execution. Otherwise, it's not too different than existing priv-sep tools.

5. pledge() isn't about administrative privileges, it's about code vulnerability mitigation. Security tools around administrative boundaries are important, sure. But that is fundamentally not the problem that pledge() is trying to solve; pledge is /mitigating/ against vulnerabilities in the /implementation/ of the program. It's saying "for the remainder of my execution, I should only do these types of operations; if I try to do anything else, I have cracked & compromised."

1 more reply

j / k navigate · click thread line to collapse

0 comments

LukeShu10y ago

binarycrusaderOP10y ago

The examples provided are some of the more complex cases that let you do advanced things.

You can shrink the amount of code required if you limit it to more simple cases as those shown in the slides.

For example, as derived from the OpenBSD presentation:

  if (pledge("stdio fattr", NULL) == -1):
     err(1, "pledge");

A similar (not completely equivalent, since OpenBSD chose some "interesting" definitions for their privileges, and is admittedly untested) example for Solaris might be:

  priv_set_t *tmp = priv_str_to_set(
     "PRIV_FILE_READ PRIV_FILE_WRITE PRIV_FILE_CHOWN_SELF",
     " ", NULL);

  /* Assert required privileges. */
  if (setppriv(PRIV_ON, PRIV_PERMITTED, tmp) == -1)
    err(1, "setppriv permitted");
  if (setppriv(PRIV_ON, PRIV_EFFECTIVE, tmp) == -1)
    err(1, "setppriv effective");

  priv_inverse(tmp);

  /* Drop all privileges not required. */
  (void) setppriv(PRIV_OFF, PRIV_PERMITTED, tmp);

There are a few convenience wrappers that might simplify the above further, but the real point is not to compare efficiency of interfaces, but capability.

LukeShu10y ago

Thanks for the reply! I've got several responses, that are mostly unrelated to eachother.

2. code size: I see that conceptually these 2 code samples work similarly, but one has 5x more LOC.

1 more reply

j / k navigate · click thread line to collapse