Kris Warkentin wrote:
I AM paranoid about security and I know that QNX is not the most secure beast
out there. We ARE getting better though. Our TCP/IP stack actually produces
random sequence numbers now… We’re getting more and more small devices
(that might be running QNX) attached to public networks and security is
becoming a bigger focus. It has to if you don’t want some script kiddie
h4X0r1ng your refrigerator. That’s why I wouldn’t ever make something suid
root if there is an alternative. I think that just not displaying certain
information if the user is not root is a small price to pay.
Good to have at least one paranoid in QNX. Maybe you will indeed force
them into respecting security issues.
Keep in mind though, stricter security is almost always an inconvenience
for users. Depending on who your users are, what they are doing and what
environment they’re normally working in, the annoyance and inconvenience
coming from stricter security might very well outweigh the feeling of
safety.
In this case, not having swap usage would certainly be inconvenient,
since one can’t see what the whole situation with memory is without that
data. Note that most users will be using the system in a ‘personal’ way and
they will be admins for themselves. Such people fall into 2 categories:
those always working under ‘root’ (presumably bad boys) and those
working under a regular UID while using root only for administration
purposes (presumably good boys). Guess who will suffer if spin is not
SUID root? No good deed goes without punishment …
That said, the next update will not insist on being root, although ‘make
install’ will still set SUID. That gives all security-paranoid users the
flexibility to choose for themselves - if you install it with SUID it
will be more convenient, if not - it will be more secure. I’m wondering
what the majority of you will choose.
Now I’m no expert on h4X0r1ng but just on a quick glance at the spin code,
doesn’t the _cmdname() call return an arbitrary path with a length that
should be determined by pathconf()? You’re reading into a buffer of length
_POSIX_PATH_MAX (256) so couldn’t that be overrun? Next thing you know
someone’s smashing your stack and you’re in a world of hurt. This may not
be exploitable.
The current handling of SIGWINCH is ugly in the first place. And yes, it is
insecure if spin is SUID root, although if you get nasty and launch spin
using an over-255-character path you’ll more likely get SIGSEGV than hack
into your fridge. The problem with pathconf() is that it needs a path, and to
get the path I apparently need pathconf().
I will replace _POSIX_PATH_MAX with PATH_MAX (1024) since that is what I
originally meant anyway. I hope the shell will choke before spin is launched
if someone tries to overrun that. And I’m still waiting for someone
to teach me how to handle SIGWINCH in ncurses…
but writing secure code is extremely non-trivial so I’m of
the opinion that nothing should be suid root if it’s possibly avoidable.
Of course, this is all just my opinion so that and $5.00 will get you a cup
of coffee at Starbuck’s. Unfortunately my ignorance generally outweighs
my experience so everyone feel free to flame me into submission.
Kris
Igor Kovalenko <Igor.Kovalenko@motorola.com> wrote:
Kris Warkentin wrote:
First Igor, thank you for the great utility…I was missing ‘top’ and now
I have something better. Secondly, from a security standpoint, wouldn’t it
be better to just check uid and not display certain info if not root?
If it was sensitive information, yes. But the only reason why it has to
be root is to be able to show swap file usage statistics, which hardly
can be considered a security hole. It does not update anything in the
system, nor does it accept any input from outside which could be abused.
I’m paranoid enough to strongly dislike suid executables but I’d like users to
be able to run this program (albeit missing some info) as well.
If you’re paranoid about security to any extent you should not be
running QNX in the first place.
There are more secure systems, as I argued many times in the past.
Besides, you have the source and can always change it to suit yourself.
Personally I think SUID bit is not dangerous for this particular
application. Certainly not more dangerous than for ‘swapctl’ utility
which needs SUID bit for the same reason. You’re running many other
programs with suid bit without even thinking about it.
--
Kris Warkentin
kewarken@qnx.com
(613)591-0836 x368
“You’re bound to be unhappy if you optimize everything” - Donald Knuth
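The overrun Kris raises above (a launch path of arbitrary length copied into a 256-byte `_POSIX_PATH_MAX` buffer) and Igor's fix (a `PATH_MAX` buffer) are illustrated here as an added example; this is not code from the thread or from spin. It uses a stand-in `cmdname_stub()` in place of QNX's `_cmdname()` so that it runs on any C compiler, and the names `copy_path_bounded`, `copy_path_dynamic`, `fetch_own_path` and `constructed_long_path`, as well as the 300-character test path, are assumptions constructed for the example. The point it makes is that widening the buffer only moves the limit; a copy that checks its bound, or one sized to the string, removes the overrun regardless of what the shell (or any other caller of exec, which sets the path freely) hands the program.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 1024   /* value Igor cites for QNX; fallback if the header lacks it */
#endif

/* Stand-in for QNX's _cmdname() (assumption: not the real call). It returns
 * the path the process was launched with; here the caller supplies that
 * string so the example runs on any POSIX-like system. */
static const char *cmdname_stub(const char *launched_as)
{
    return launched_as;
}

/* Bounded copy: never writes past dstsize. Returns 0 on success, -1 if src
 * (including its NUL) does not fit; dst is then left as an empty string so a
 * caller cannot accidentally use a partial path. This is the replacement for
 * an unbounded strcpy()/sprintf() into a fixed buffer. */
int copy_path_bounded(char *dst, size_t dstsize, const char *src)
{
    if (dst == NULL || dstsize == 0 || src == NULL)
        return -1;
    const char *nul = memchr(src, '\0', dstsize);  /* scan at most dstsize bytes */
    if (nul == NULL) {                              /* no terminator within bound */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Alternative that needs no compile-time limit at all: size the copy to the
 * string, so neither _POSIX_PATH_MAX nor PATH_MAX matters. Caller frees.
 * Returns NULL on allocation failure. */
char *copy_path_dynamic(const char *src)
{
    if (src == NULL)
        return NULL;
    size_t n = strlen(src);
    char *p = malloc(n + 1);
    if (p != NULL)
        memcpy(p, src, n + 1);
    return p;
}

/* What a SUID program should do when it needs its own path (for example to
 * re-exec itself on SIGWINCH): fetch it into a bounded buffer and refuse,
 * rather than overrun, when the launch path is longer than the buffer. */
int fetch_own_path(char *out, size_t outsize, const char *launched_as)
{
    return copy_path_bounded(out, outsize, cmdname_stub(launched_as));
}

/* Constructed test input: a '/'-prefixed path of exactly len characters.
 * Caller frees. */
char *constructed_long_path(size_t len)
{
    char *p = malloc(len + 1);
    if (p == NULL)
        return NULL;
    memset(p, 'a', len);
    if (len > 0)
        p[0] = '/';
    p[len] = '\0';
    return p;
}

int main(void)
{
    char small[256];        /* the _POSIX_PATH_MAX-sized buffer from the thread */
    char big[PATH_MAX];     /* the PATH_MAX-sized replacement */
    char *p300 = constructed_long_path(300);   /* longer than 256, shorter than 1024 */
    if (p300 == NULL)
        return 1;

    printf("short path into 256 bytes: %d\n",
           fetch_own_path(small, sizeof small, "/usr/bin/spin"));
    printf("300-char path into 256 bytes: %d (rejected, buffer left empty)\n",
           fetch_own_path(small, sizeof small, p300));
    printf("300-char path into PATH_MAX bytes: %d\n",
           fetch_own_path(big, sizeof big, p300));

    char *dyn = copy_path_dynamic(p300);
    printf("dynamic copy length: %zu\n", dyn ? strlen(dyn) : (size_t)0);
    free(dyn);
    free(p300);
    return 0;
}
```

The return value of `copy_path_bounded` is the check the original code lacked: a SUID program that gets -1 here should exit or fall back, not continue with whatever is in the buffer. If a fixed buffer is kept at all, `PATH_MAX` is the right size for a path the OS will accept, but the caller of exec can still pass a longer `argv[0]`, so the bound check stays necessary either way.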