Valeri Galtsev
2017-Feb-15 20:08 UTC
[CentOS] Serious attack vector on pkcheck ignored by Red Hat
On Wed, February 15, 2017 12:23 pm, Gordon Messmer wrote:
> On 02/15/2017 08:47 AM, Valeri Galtsev wrote:
>> And yes, ALL user writable places (including often overlooked /dev/shm)
>> are mounted with nosuid, nosgid, nodev, noexec options on servers where
>> users are allowed to have shell.
>
> How sure are you?

I just run a bunch of find commands before rolling out a system to find what I might not like, e.g. finding all world writable files...:

find / -perm -2 ! -type l -ls
...

> On the system I'm looking at right now

Oh, yes, I must confess, I do not tighten up the latest Linuxes; my machines that do need this level of attitude to users have been FreeBSD since long ago. The last Linuxes that needed that were CentOS 5, so logically, you are right again. And on CentOS 5, as far as the following list is concerned (I am just marking those that did not exist there on my boxes):

>, any user can
> write to:
>
/dev/mqueue - NOT on CentOS 5
/dev/shm - there and was mounted with noexec (and others)
/run/user/<uid> - NOT on CentOS 5
/run/screen/S-<user> - NOT on CentOS 5
/var/spool/samba - NOT on CentOS 5 that needs extra security - in our shop; but there is /var/spool/mail (needs to be writable for locks if it is mbox format, not maildir)
/home/<user> - mounted with noexec and friends
/tmp - mounted with noexec and friends
/var/tmp - mounted with noexec and friends

And you are right again, there is a lot of hassle (and using separate partitions to have them noexec). I guess I was not too lazy with respect to security back then (and now too, hopefully ;-)

Valeri

> Notably, the "screen" and "samba" locations only appear when the
> respective packages are installed, so the places users can write may
> vary from system to system.

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
Gordon Messmer
2017-Feb-15 20:38 UTC
[CentOS] Serious attack vector on pkcheck ignored by Red Hat
On 02/15/2017 12:08 PM, Valeri Galtsev wrote:
> /run/screen/S-<user> - NOT on CentOS 5
> /var/spool/samba - NOT on CentOS 5 that needs extra security - in our shop;

To be pedantic: screen definitely creates a user-writable directory on CentOS 5, in a different location, and samba will include that directory if installed. It can be really hard to make sure everything required is mounted noexec when some of these directories are automatically created by SUID or SGID binaries, in response to user actions.
Valeri Galtsev
2017-Feb-15 23:03 UTC
[CentOS] Serious attack vector on pkcheck ignored by Red Hat
On Wed, February 15, 2017 2:38 pm, Gordon Messmer wrote:
> On 02/15/2017 12:08 PM, Valeri Galtsev wrote:
>> /run/screen/S-<user> - NOT on CentOS 5
>> /var/spool/samba - NOT on CentOS 5 that needs extra security - in our shop;
>
> To be pedantic: screen definitely creates a user-writable directory on
> CentOS 5, in a different location, and samba will include that directory
> if installed. It can be really hard to make sure everything required is
> mounted noexec when some of these directories are automatically created
> by SUID or SGID binaries, in response to user actions.

Sure, I agree. Screen itself is SGID group screen and not SUID. One needs to watch for places with group screen write permission, so that they do not live anywhere that is not noexec mounted. And we never had SAMBA whenever we went to that length in restricting users... All in all, virtualization made our lives easier (I'm using FreeBSD jails to compartmentalize immiscible things these days; I bet Linux has its lightweight equivalent, and likely more than one).

Valeri
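As an added example (my own script, not code posted by anyone in this thread), a POSIX sh audit in the spirit of the find command above: it walks writable directories and reports any whose filesystem is mounted without nosuid, nodev or noexec, which is the check Gordon describes as hard to keep on top of once SUID/SGID binaries create directories on their own. It assumes util-linux findmnt(8) with the -T option is installed; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits writable directories and
# reports any that live on a filesystem mounted without nosuid, nodev or
# noexec. Assumes util-linux findmnt(8) with -T (a recent util-linux).

# missing_opts "<comma-separated mount options>"
# Prints the hardening options absent from the list, space-separated
# (empty output when all three are present).
missing_opts() {
    opts=",$1,"
    missing=""
    for want in nosuid nodev noexec; do
        case "$opts" in
            *",$want,"*) ;;                       # option present
            *) missing="$missing $want" ;;        # option absent
        esac
    done
    printf '%s' "${missing# }"
}

# audit_writable_dirs [find permission test]
# Default: world-writable directories (the thread's "find / -perm -2",
# limited to directories). For the SGID-screen case discussed above pass
# e.g. "-perm -0020 -group screen". Skips /proc and /sys; does not follow
# symlinks. Prints one line per offending directory; returns 1 if any.
audit_writable_dirs() {
    perm_test=${1:-"-perm -0002"}
    # $perm_test is intentionally left unquoted so it word-splits
    report=$(find / \( -path /proc -o -path /sys \) -prune -o \
                  -type d $perm_test -print 2>/dev/null |
        while IFS= read -r dir; do
            opts=$(findmnt -n -o OPTIONS -T "$dir" 2>/dev/null) || continue
            miss=$(missing_opts "$opts")
            [ -n "$miss" ] && printf '%s  missing: %s\n' "$dir" "$miss"
        done)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Only run the full audit when explicitly asked, e.g. "sh audit.sh --audit"
if [ "${1:-}" = "--audit" ]; then
    audit_writable_dirs "$2"
fi
```

Run as root so find can descend everywhere; a non-zero exit means at least one writable directory sits on a mount lacking one of the three options.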