-
-
Notifications
You must be signed in to change notification settings - Fork 57
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tighten up dosemu security #2181
Comments
Regular users can’t give files away like that, so anything requiring a change in ownership won’t work. Groups would work, but that also requires that users belong to the target group so it’s not great. I wonder how much effort it would take to make dosemu2 work in a flatpak, or to have it use bubblewrap to set up its own sandboxing. I don’t think dosemu2 is a high-value target though, so probably not worth worrying about too much ;-). (I don’t mean that improving dosemu2 security isn’t useful, just that it shouldn’t result in worry or stress.) |
Is it a bad practice to have the
Could you please explain in 2 words
That's my thinking as well, and we've |
Ok so bubblewrap uses the chroot-alike |
Right, I’m thinking that a useful way of using something like bubblewrap would be to process mounts and then deny access to anything outside those; for example, once configuration files are processed, no further mounts can be added. This would be annoying for some users so it would be nice if it could be disabled... |
How do you do that with bubblewrap?
No because this is already so for a long So why to bother? Well, mostly because
And this doesn't account for fdpp, |
Perhaps it would help to setup Coverity static scanning from Github? |
Why not? |
I did set it up once for dosemu once, but it will take quite some effort to make dosemu pass the checks cleanly |
We probably don't need to pass them |
I started to experiment with user Does anyone (maybe @ebiederm or @amluto ?) |
Stas Sergeev ***@***.***> writes:
I started to experiment with user
namespaces (which are needed together
with mount namespaces here), and I
don't understand why kernel allows to
only write 1 extent (string) to `/proc/self/uid_map`.
I would like to create 2 mappings: for root
and unprivileged user within the namespace,
mapping to the same unpriv user in the parent
namespace. This way I can create the needed
bind mounts in a mount namespace, and drop
the root privs. But only 1 extent is allowed, unless
you have CAP_SETUID in a parent namespace.
Does anyone (maybe @ebiederm or @amluto ?)
knows why it is so? I looked into `new_idmap_permitted()`
in a kernel, and I think it should be rather
straight-forward to change it to allow multiple
mappings to the same parent's uid. What was
the reason to only allow 1 mapping?
Because the mappings are 1-1. Meaning you can't have the same uid
mapped twice in either direction.
It doesn't matter for setting up bind mounts. The initial user in a
user namespace has all caps (within their user namespace). Which means
in practice the mappings only matter for stat, and exec.
So what I would do is identity map the uid I start with, setup bind
mounts and then drop caps.
Eric
|
Ahha, thanks! Having the multiple mappings to the |
Is there some library to automate the |
Ideally I don't want to do chroot. |
I think I just need to install the |
There appears to be a completely new |
Indeed, not like that. In this scenario, the only priv setup Sounds ok? |
Is there a particular reason to have this for just dosemu? It would seem fitting to use Quebes OS or have another mechanism to separate all programs from each other. I think Snap also has functionality for this to hide a user's regular files. Things that need to be available for a particular Snap need to be inside it's directory below |
dosemu runs untrusted binaries, |
Possibly the easiest way to achieve this would be to configure dosemu to use an image and not let it access any filesystem. |
The configuration is irrelevant. |
Also note that configuration is already |
Can you give an example of an attack scenario that you're trying to address with this ticket? Malicious dos binaries that break out of the dosemu sandbox? |
Exactly. |
How do you see this compared to the current implementations of for example QEMU and DOSBox? I would say it would be unfortunate if each application would reinvent the wheel on its own here. Maybe there are other similar tools that have something that would seem suitable to look at. |
https://qemu-project.gitlab.io/qemu/system/security.html dosbox seems to only have the |
Filled this ticket: |
unlink()'s are currently failing with setuid configuration.
Needed to bypass suid/sgid bits if -s is used.
This option disables the priv-separation sandbox.
Distinguish between a syscall failure, bad arguments or rejected path. Make all errors except syscall errors, fatal. Likewise in mfs.c replaced some checks with asserts.
Filled this ticket: |
clang's ubsan doesn't like the generated code, gcc is OK. I don't know if the UB is real or not, so for now disable only clang's sanitizer, assuming it is a false-positive. See thkukuk/rpcsvc-proto#18 Also disable unused variable warnings, as the generated code has unused variables.
Disabled clang's sanitizer to avoid |
So I retested with your latest suid branch there were no warnings during build or at startup, and it successfully built pcmos without error. |
Ok, thanks, so still no way to |
They say rpcgen is deprecated. |
I used zeromq with msgpack to encode data for comms between different parts of a system before and it wasn't too bad - no sure if it's suitable for this. zeromq handles making sure enough data gets where you want, then msgpack was relatively lightweight. Having said that searpc looks pretty suitable. |
I am under the heavy impression of this:
https://lwn.net/ml/oss-security/CAN_LGv3GAmdpaXVCjwp1UAH_Z6KKDnqydj68Oj4jmXRwwPE=Uw@mail.gmail.com/
and am no longer comfortable with our
minimal security model which is to only
provide the safe defaults.
Now I think something really radical needs
to be done.
My current thinking is to make the dosemu.bin
binary owned by dosemu2:dosemu2 rather
than root:root, and make it setuid+setgid.
The very simple code will need to be added
to setresuid() euid back to the user for the
time of an initialization, and then do setuid()
to switch to dosemu2 permanently, and
access DOS files only with that identity.
This way we avoid dosemu2 from ever
reading any user's files after init. The
user will need to chown all DOS files to
dosemu2:dosemu2 and add himself to
dosemu2 group in order to be able to
access the DOS files as before.
The same trick can be done with
sudo setpriv --euid=dosemu2 --egid=dosemu2
but I think requiring the user to set up
sudoers gives more troubles than to
just use setuid+setgid.
@skitt @taviso everyone, what do you
think? Does this idea sound sensible?
The text was updated successfully, but these errors were encountered: