Description
In this talk, we will present a project that aims to allow controlled process
credential transitions without using setuid executables, instead leveraging
FreeBSD's MAC framework.
Traditional credentials-changing programs, such as sudo(8), have
a non-negligible attack surface as they often include a lot of infrequently used
features and mechanisms that can be dangerous from a security standpoint (e.g.,
loadable modules).
As these programs have to run as 'root', compromising them can have catastrophic
consequences.
The mac_do(4) kernel module has been introduced to allow unprivileged processes
to change credentials, provided the requested changes are explicitly allowed by
rules set by an administrator.
It has recently undergone major changes.
First, thanks to a redesign of rules, it is now possible to specify full sets of
user and group IDs that must be present or absent in the final credentials for
a transition to be accepted.
Second, each jail can be configured with its own set of rules, so that different
transitions can be permitted as needed, or it can inherit the rules of its
parent jail.
We will describe how mac_do(4)'s credentials rules work, what the role of the
mdo(1) companion program is, and what you can do with them in practice.
We will also touch on some aspects of the implementation, notably why we needed
to introduce the new setcred(2) system call, which allows all process
credentials to be changed in a single call, and possibly those related to the
use of some of FreeBSD's kernel sub-systems (notably, sysctl, jails and OSD).
While the current implementation is of production quality and immediately
useful, there are lots of possible ways to extend it to cover more scenarios and
to progress towards our ideal of having all credentials-changing programs work
without the setuid bit.
We will present them in the hope of getting feedback.
One-line summary: Or how to forego using setuid executables to change users and groups