Bug 1171174 - security enhancement: no setuid
Status: NEW
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: MicroOS
Assigned To: Kubic Bugs
Reported: 2020-05-05 11:42 UTC by Ludwig Nussel
Modified: 2022-07-25 08:18 UTC (History)
Description Ludwig Nussel 2020-05-05 11:42:16 UTC
setuid binaries are a potential attack vector for privilege escalation. MicroOS with its limited scope has a chance to close that hole by default and not ship any binaries with elevated privileges by default. I.e. set the default level to "paranoid". This will prevent unprivileged (system) users from potentially exploiting:

- shadow suite tools like passwd, chsh etc
- pam helpers unix{,2}_chkpwd
- wall, write
- clockdiff, ping
- dbus-daemon-launch-helper
- su
- sudo
- mount
Comment 1 Ludwig Nussel 2020-05-05 11:43:36 UTC
Forgot to mention newuidmap and newgidmap (bug 1171173)
Comment 2 Georg Pfuetzenreuter 2022-07-22 06:23:56 UTC
Hi!

According to your comment the default permission set on SLE Micro should be "paranoid". Indeed, the `config.sh` script in https://build.opensuse.org/package/view_file/SUSE:SLE-15-SP4:Update:Products:Micro53/SLE-Micro/config.sh?expand=1 "attempts" to change the security setting with a reference to this bug but due to not specifying the "-i" flag in the `sed` line the change is merely printed and never actually written to the file:

```
# fix security level (boo#1171174)
sed -e '/^PERMISSION_SECURITY=s/easy/paranoid/' /etc/sysconfig/security
chkstat --set --system
```

This can be confirmed in `/etc/sysconfig/security` on a fresh copy of the SLE Micro .raw image:

```
PERMISSION_SECURITY="easy local"
```


Is this expected? Maybe I am missing something! :-)

Best,
Georg
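Added example, not code from this bug or from the SLE-Micro `config.sh`: a small POSIX shell script that reproduces the missing `-i` on a constructed copy of the security file and then reads back the effective value, which is the check one would run on a built image. The sed address here is closed with `/` (`/^PERMISSION_SECURITY=/s/...`), which the quoted line lacks after `=`, so the only difference shown is `-i`.

```shell
set -eu

# Constructed sample of the relevant line, as found on the fresh image.
make_sample() {
    printf 'PERMISSION_SECURITY="easy local"\n' > "$1"
}

# Broken variant, same shape as the quoted config.sh line: without -i the
# substitution is written to stdout only; the file on disk is left untouched.
apply_without_inplace() {
    sed -e '/^PERMISSION_SECURITY=/s/easy/paranoid/' "$1"
}

# Fixed variant: -i writes the substitution back into the file.
apply_inplace() {
    sed -i -e '/^PERMISSION_SECURITY=/s/easy/paranoid/' "$1"
}

# Verification check: extract the quoted PERMISSION_SECURITY value from the
# file, i.e. what chkstat --system will actually act on.
current_level() {
    sed -n 's/^PERMISSION_SECURITY="\([^"]*\)".*/\1/p' "$1"
}

# Stand-alone demonstration on a temporary file (never the real /etc file).
demo() {
    f=$(mktemp)
    make_sample "$f"
    apply_without_inplace "$f" > /dev/null
    echo "after sed without -i: $(current_level "$f")"   # easy local
    apply_inplace "$f"
    echo "after sed -i:         $(current_level "$f")"   # paranoid local
    rm -f "$f"
}

demo
```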
Comment 3 Ludwig Nussel 2022-07-25 08:18:54 UTC
Good catch. Unfortunately I can't find any records about who put that there. Looks like even the first SUSE-MicroOS had it, while it never was on the openSUSE side. Would be interesting to see the fallout when fixing that for the next SLE-Micro version :)