diff options
Diffstat (limited to 'SECURITY')
-rw-r--r-- | SECURITY | 244 |
1 files changed, 244 insertions, 0 deletions
diff --git a/SECURITY b/SECURITY new file mode 100644 index 00000000..e0fa68a5 --- /dev/null +++ b/SECURITY @@ -0,0 +1,244 @@ +MusE Security Information +========================= + +In order to operate reliably at low latencies, MusE needs root privileges. +For a stand-alone computer in a home environment, this is not a problem. +However, on networked machines with multi-user access, there are some security +issues to be aware of. + + +Why does MusE require root privileges ? +--------------------------------------- + +1. +MusE must set the real time clock (/dev/rtc/) to a higher rate in order to get +a more precise timing source than the standard setting would allow. +For this task, it is *not* sufficient to alter the permissions or group of +/dev/rtc. You need root access. + +2. +The MusE audio threads must acquire real-time scheduling to perform with low +latency and free of dropouts. Since this could be misused for a local +denial-of-service attack (you can hog 100% cpu with a real-time task, thus +effectively making the system unusable), only root is allowed to do that. + + +Do I need to be root to run MusE ? +---------------------------------- + +No. You should not do normal work as root. Use the root login exclusively for +administrative tasks. You can run MusE as a normal user, provided you have set +the *suid bit*. +This is done automatically when you build and install MusE. + + +How does this "suid bit" thing work ? +-------------------------------------- + +Normally, when a program is started, it gets the user and group id of the user +who started it, and thus has the same permissions as the user. It can read and +write the same files and use the same devices. + +Some applications need higher privileges to perform certain tasks, but must be +available to normal users. To accomplish this, UNIX-like systems have the +concept of the "effective user id". + +That means you can start a process, but the effective user id will be someone +else's, most likely that of the root user. You can recognize such programs by +the suid (for set-user-id) bit in their permissions. + +For example, when you do + + #ls -l /bin/ping + +you will see something like + + -rwsr-xr-x 1 root root 20908 Feb 27 2001 /bin/ping . + +This tells you it's a normal file (the first dash), it is readable and writable +by the owner (root) and has the owner's suid bit set (the letter "s"). +You may invoke it as a normal user, but the program will have root permissions +while it runs. + +(Btw, there is also an sgid (set-group-id) bit, which allows a program to be run +with the permissions of the group it is owned by. This can be used for +finer-grained access control to some programs but is rarely used in practice.) + +(Btw2, the letter "s" actually means both "executable" AND "set-{user,group}-id". +A capital "S" stands for "set-uid" without the execution privilege, which also +very rarely seen on real systems.) + + +What is the problem with suid programs ? +---------------------------------------- + +suid programs are safe as long as you can be sure they do only the job they were +written to do. For instance, you certainly want users to be able to do a ping, +but you wouldn't want them to wipe out the system disk while doing it. + +Unfortunately, there is a very common vulnerability in many programs called a +buffer overflow, which allows an attacker to spawn a shell from within a suid +program that inherits the permissions, giving him or her root access to the +entire system. +This exploit is fairly easy for an experienced attacker. All that's needed is +the compiled equivalent of the C expression execve("/bin/sh"), which can be +inserted into the running program whenever it does not check the length of user +input properly, by overflowing a buffer and thus overwriting a part of +the program code with the shell exploit code. + +The more complex a program becomes, the more likely buffer overflow +vulnerabilities slip in. + +If you are interested in details of such attacks, I recommend AlephOne's paper +"Smashing the stack for fun and profit", to be found in Issue 49 of Phrack +Magazine (http://www.phrack.com/show.php?p=49&a=14). + + +Does MusE have buffer-overflow vulnerabilities ? +------------------------------------------------ + +It may. But even if it had not, it is good practice to assume it does. +As soon as you are in a security-critical environment, you should treat all suid +programs with extra care unless they are proven to be secure. + +This is a gruesome and boring task, and we all want Werner to concentrate on +cool new features rather than digging through the code to fix loopholes that +aren't even a problem for 99% of the MusE users. +MusE does not need to be as secure as server daemons. It is intended for home +use in a trusted environment. +If you run MusE on your company's primary DNS server, it's your fault. + +But even home machines can become targets for intruders the moment they connect +to the internet. Since almost all of the machines than run MusE are occasionally +used to surf the web, it might be worth taking a few precautions. + + +What can I do to minimize the risk of a suid program ? +------------------------------------------------------ + +By default, Werner drops the root privileges in MusE's GUI thread - only the +audio threads keep it. This rules out many possible exploits, since GUI code is +usually the hardest to make secure. + + +As a further very simple yet effective security precaution, you can create a +group of trusted users, and give only this group access to critical suid +programs. For example, you might create a group called musers, of which you and +your best friend are members. Then you can set the muse binary as follows: + + #chown root:musers muse + #chmod 4750 muse + #ls -l muse + -rwsr-x--- 1 root musers 20930049 Aug 28 19:34 muse + +Now only members of the group musers can use MusE, Joe Random Hacker can not. +(However, if your account is hacked, MusE can then be exploited to gain root, +but hey...) + +Additionally, you can use "givertcap" as described in the next section. + + +What is givertcap and how do I use it ? +--------------------------------------- + +"givertcap" (give real-time capabilites) is a small wrapper written by Tommi +Ilmonen. +When enabled, it is executed by MusE and gives to it just the capabilities +needed to set the timer and get real-time scheduling, but not the full set of +root privileges. This greatly reduces the amount of damage that can be done. + +However, it is not used by default, since it requires a kernel modification. + +To enable givertcap, simply call ./configure --enable-rtcap before compiling. +(The givertcap code is part of the MusE distribution.) + +With current kernels, you need to apply a little patch to the kernel headers: +Go to /usr/src/linux/include/linux (or wherever you have your kernel sources) +and in the file capability.h change the line + + #define CAP_INIT_EFF_SET to_cap_t(~0&~CAP_TO_MASK(CAP_SETPCAP)) +to + #define CAP_INIT_EFF_SET to_cap_t( ~0 ) + +and the line + + #define CAP_INIT_INH_SET to_cap_t(0) +to + #define CAP_INIT_INH_SET to_cap_t( ~0 ) +. + +You must then recompile your kernel. + +In this setup, givertcap must be set suid root, but MusE can be run with normal +privileges. +Now all possible suid exploits described above apply to givertcap, but since it +is such a tiny program, it can be checked for exploits far more easily and can +be considered reasonably secure. + +Unfortunately, givertcap can be used to grant real-time privileges to *any* +program, so it's an easy way to have the machine clogged up by a malicious user +who might run bogus tasks at 100% system usage. +Therefore, you *must* create an extra group for it (called "musers" in this +example): + # chown root:musers givertcap + # chmod 4750 givertcap +Do not forget to remove the suid bit on muse afterwards by doing + # chmod 755 muse +. + +For more information about givertcap and kernel capabilites, see +http://www.tml.hut.fi/~tilmonen/givertcap/ +and +http://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/capfaq-0.2. +txt. + + + +Further reading: +================ + +General Linux system security: +http://linuxdoc.org/HOWTO/Security-Quickstart-HOWTO/ +http://linuxdoc.org/HOWTO/Security-HOWTO.html + +Secure Linux programming: +http://linuxdoc.org/HOWTO/Secure-Programs-HOWTO/ + +Permissions: +man chmod +man chattr + +givertcap: +http://www.tml.hut.fi/~tilmonen/givertcap/ + +An alternative approach, using a kernel module: +http://arctrix.com/nas/linux/capwrap.tar.gz + +Kernel capabilites: +http://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/capfaq-0.2. +txt + +Adding capability flags to ELF files: +http://atrey.karlin.mff.cuni.cz/~pavel/elfcap.html + + +Buffer Overflow attacks: +"Smashing the stack for fun and profit" by AlephOne 1996, published in +Phrack magazine, issue 49 +http://www.phrack.com/show.php?p=49&a=14 + +In the MusE source, app.cpp contains the invocation of givertcap and the +dropping of the suid privileges: grep for "getCapabilities" and "setuid" to see +how it's done. + +________________________________________________________________________________ + + +This document was written by Jörn Nettingsmeier +<nettings@folkwang-hochschule.de> +Corrections and improvements welcome. + +Thanks to Werner Schweer and Tommi Ilmonen for answering my questions. + +Last updated 02/22/2002. + |