Bitcoin Forum
Topic: [PULL] Capabilities Bounding Set Support (Linux-specific)
jrmithdobbs
May 08, 2011, 03:13:07 PM
 #1

I was asked to create a forum thread so here it is.

In Linux 2.6.32+ the kernel had some fun changes to the POSIX.1e implementation with regard to how the CAP_SETPCAP capability is interpreted by the system, and the addition of filesystem metadata support to enable capabilities instead of just blanket suid/sgid binaries.

This patch arose out of discussions in #bitcoin-dev.

Various proposed wallet encryption methods were being discussed at the time by BlueMatt and a few others. The (straw man) argument was proposed that if an attacker were able to get root on the machine, any of the proposed methods would be completely compromised. (Re: decode on launch vs decode on txn creation, let's not rehash this discussion here as it is outside of the scope of this patch.)

This is merely one method of mitigating such risks through bitcoind itself. By clearing the bounding set and setting these flags in PR_SET_SECUREBITS, the kernel will not let this process ever gain escalated privs. This means that even if, say, an attack vector which allowed for remote execution in bitcoin were found, and the system it is running on had some zero-day exploit in an suid binary (or a lazy admin, not that I endorse this), then even if the code were executed, the kernel would ignore the setuid flags on the binary and it would still run as whatever user bitcoind was launched as.

The patch as implemented is fairly straightforward.

As written, even if enabled, this patch does absolutely nothing unless the process, when launched, has the CAP_SETPCAP capability. There are 3 simple ways (there are a few others) for the process to be created in this way:

1) Launch bitcoind as root. HORRIBLE
2) Set bitcoind setuid root. HORRIBLE
3) Use the setcap utility to: setcap cap_setpcap=eip bitcoind; AWESOME

The only recommended method is the last. This capability is required in order to modify the bounding set of yourself. Please note that if you read older documentation this capability sounds scarier than it is: pre-2.6.32 and file metadata capability support, this capability would let you modify the capabilities of any process on the machine. This is not the case in 2.6.32+.

Side effects/regressions:

With this option built, if bitcoind is launched as root to, say, bind to a port <1024, it will no longer be able to do this, as this patch completely removes the special meaning of uid 0 in the running process and all children/threads.

This patch does not enable this functionality in the bitcoin gui client. I am not sure if that is worth pursuing; but I am just not familiar with wxWidgets and did not want to stick it in the "wrong" place.

Pull request:

https://github.com/bitcoin/bitcoin/pull/202

1B8TSDzXdyTRX5eF77gWQoXujBaDtKFE6H
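The lockdown the post describes (set and lock the securebits, then empty the capability bounding set, only when CAP_SETPCAP is available), as an added example in C. This is not code from the pull request or from bitcoind; the helper names (`have_effective_cap`, `last_kernel_cap`, `lock_down_privileges`) are hypothetical, and it uses the raw capget/capset syscalls rather than libcap so it builds without `-lcap`.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>
#include <linux/securebits.h>

/* Hypothetical helper: 1 if `cap` is in the calling thread's effective set,
 * 0 if not, -1 on error. Raw capget(2) so no libcap link is needed. */
static int have_effective_cap(int cap)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];

    memset(&hdr, 0, sizeof hdr);
    memset(data, 0, sizeof data);
    hdr.version = _LINUX_CAPABILITY_VERSION_3;
    hdr.pid = 0;                                  /* 0 = calling thread */
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    return (data[cap / 32].effective >> (cap % 32)) & 1;
}

/* Highest capability number the running kernel knows. PR_CAPBSET_READ needs
 * no privilege and fails with EINVAL past the last valid capability, so
 * probing is safer than trusting CAP_LAST_CAP from possibly older headers. */
static int last_kernel_cap(void)
{
    int cap = 0;
    while (cap < 128 && prctl(PR_CAPBSET_READ, cap, 0, 0, 0) >= 0)
        cap++;
    return cap - 1;
}

/* Irreversibly give up every route to privilege for this process and anything
 * it execs. Returns 1 when applied, 0 when the process lacks CAP_SETPCAP
 * (a no-op, matching the patch's behaviour), -1 on a kernel error. */
static int lock_down_privileges(void)
{
    int rc = have_effective_cap(CAP_SETPCAP);
    if (rc <= 0)
        return rc;

    /* 1. Securebits first, while CAP_SETPCAP is still effective.
     *    NOROOT: uid 0 and setuid-root binaries confer no capabilities;
     *    NO_SETUID_FIXUP: uid changes no longer alter capability sets;
     *    the *_LOCKED bits make this permanent for us and our children. */
    unsigned long bits = SECBIT_NOROOT | SECBIT_NOROOT_LOCKED
                       | SECBIT_NO_SETUID_FIXUP | SECBIT_NO_SETUID_FIXUP_LOCKED
                       | SECBIT_KEEP_CAPS_LOCKED;
#ifdef SECBIT_NO_CAP_AMBIENT_RAISE
    /* Kernels 4.3+ add ambient capabilities; lock those out as well. */
    bits |= SECBIT_NO_CAP_AMBIENT_RAISE | SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED;
#endif
    if (prctl(PR_SET_SECUREBITS, bits, 0, 0, 0) != 0)
        return -1;

    /* 2. Empty the bounding set. It is ANDed into the permitted set on every
     *    execve, so a file capability (or, with NOROOT, a setuid bit) on an
     *    exploited binary can never grant anything to this process tree. */
    int last = last_kernel_cap();
    for (int cap = 0; cap <= last; cap++)
        if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) != 0)
            return -1;

    /* 3. Drop CAP_SETPCAP (and anything else) from our own sets so that the
     *    process cannot even attempt to undo steps 1 and 2. */
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct none[_LINUX_CAPABILITY_U32S_3];
    memset(&hdr, 0, sizeof hdr);
    memset(none, 0, sizeof none);
    hdr.version = _LINUX_CAPABILITY_VERSION_3;
    if (syscall(SYS_capset, &hdr, none) != 0)
        return -1;
    return 1;
}

int main(void)
{
    int rc = lock_down_privileges();
    if (rc < 0) {
        perror("lock_down_privileges");
        return 1;
    }
    printf("%s; securebits now 0x%lx, CAP_SETPCAP in bounding set: %d\n",
           rc ? "privilege lockdown applied" : "no CAP_SETPCAP, nothing done",
           (unsigned long)prctl(PR_GET_SECUREBITS, 0, 0, 0, 0),
           prctl(PR_CAPBSET_READ, CAP_SETPCAP, 0, 0, 0));
    return 0;
}
```

Build with `gcc -O2 -o lockdown lockdown.c`, then `setcap cap_setpcap=eip ./lockdown` and run it as an unprivileged user: without the file capability it reports the no-op path, with it the securebits and bounding set are locked for the rest of the process lifetime. The side effect the post mentions applies here too: once SECBIT_NOROOT is set, uid 0 no longer implies CAP_NET_BIND_SERVICE, so anything that needs a port below 1024 must bind it before calling `lock_down_privileges`.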
ribuck
May 08, 2011, 03:27:39 PM
 #2

Is this the same mechanism as used by Fedora's SELinux (security enhanced linux)?
jrmithdobbs
May 08, 2011, 03:29:49 PM
 #3

Related, but no.

To my knowledge this is currently available on the following platforms:

Debian stable
Ubuntu
Gentoo
Fedora

I'm not sure that it made it into rhel/centos 6.

Anything that has kernel 2.6.32+ and a libcap2 package available.

1B8TSDzXdyTRX5eF77gWQoXujBaDtKFE6H