summaryrefslogtreecommitdiff
path: root/muse2/SECURITY
blob: e0fa68a5ed072f9a8cc40dc3c85c63aaf383ce10 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
MusE Security Information
=========================

In order to operate reliably at low latencies, MusE needs root privileges.
For a stand-alone computer in a home environment, this is not a problem.
However, on networked machines with multi-user access, there are some security
issues to be aware of.


Why does MusE require root privileges ?
---------------------------------------

1.
MusE must set the real time clock (/dev/rtc/) to a higher rate in order to get 
a more precise timing source than the standard setting would allow.
For this task, it is *not* sufficient to alter the permissions or group of
/dev/rtc. You need root access.

2.
The MusE audio threads must acquire real-time scheduling to perform with low
latency and free of dropouts. Since this could be misused for a local
denial-of-service attack (you can hog 100% cpu with a real-time task, thus
effectively making the system unusable), only root is allowed to do that.


Do I need to be root to run MusE ?
----------------------------------

No. You should not do normal work as root. Use the root login exclusively for
administrative tasks. You can run MusE as a normal user, provided you have set
the *suid bit*.
This is done automatically when you build and install MusE.


How does this "suid bit" thing work ?
--------------------------------------

Normally, when a program is started, it gets the user and group id of the user
who started it, and thus has the same permissions as the user. It can read and
write the same files and use the same devices.

Some applications need higher privileges to perform certain tasks, but must be
available to normal users. To accomplish this, UNIX-like systems have the
concept of the "effective user id".

That means you can start a process, but the effective user id will be someone
else's, most likely that of the root user. You can recognize such programs by
the suid (for set-user-id) bit in their permissions.

For example, when you do

	#ls -l /bin/ping

you will see something like

	-rwsr-xr-x    1 root     root        20908 Feb 27  2001 /bin/ping .

This tells you it's a normal file (the first dash), it is readable and writable
by the owner (root) and has the owner's suid bit set (the letter "s").
You may invoke it as a normal user, but the program will have root permissions
while it runs.

(Btw, there is also an sgid (set-group-id) bit, which allows a program to be run
with the permissions of the group it is owned by. This can be used for
finer-grained access control to some programs but is rarely used in practice.)

(Btw2, the letter "s" actually means both "executable" AND "set-{user,group}-id".
A capital "S" stands for "set-uid" without the execution privilege, which also
very rarely seen on real systems.)


What is the problem with suid programs ?
----------------------------------------

suid programs are safe as long as you can be sure they do only the job they were
written to do. For instance, you certainly want users to be able to do a ping,
but you wouldn't want them to wipe out the system disk while doing it.

Unfortunately, there is a very common vulnerability in many programs called a
buffer overflow, which allows an attacker to spawn a shell from within a suid
program that inherits the permissions, giving him or her root access to the
entire system.
This exploit is fairly easy for an experienced attacker. All that's needed is
the compiled equivalent of the C expression execve("/bin/sh"), which can be
inserted into the running program whenever it does not check the length of user
input properly, by overflowing a buffer and thus overwriting a part of
the program code with the shell exploit code.

The more complex a program becomes, the more likely buffer overflow
vulnerabilities slip in.

If you are interested in details of such attacks, I recommend AlephOne's paper
"Smashing the stack for fun and profit", to be found in Issue 49 of Phrack
Magazine (http://www.phrack.com/show.php?p=49&a=14).


Does MusE have buffer-overflow vulnerabilities ?
------------------------------------------------

It may. But even if it had not, it is good practice to assume it does.
As soon as you are in a security-critical environment, you should treat all suid
programs with extra care unless they are proven to be secure.

This is a gruesome and boring task, and we all want Werner to concentrate on
cool new features rather than digging through the code to fix loopholes that
aren't even a problem for 99% of the MusE users.
MusE does not need to be as secure as server daemons. It is intended for home
use in a trusted environment.
If you run MusE on your company's primary DNS server, it's your fault.

But even home machines can become targets for intruders the moment they connect
to the internet. Since almost all of the machines than run MusE are occasionally
used to surf the web, it  might be worth taking a few precautions.


What can I do to minimize the risk of a suid program ?
------------------------------------------------------

By default, Werner drops the root privileges in MusE's GUI thread - only the
audio threads keep it. This rules out many possible exploits, since GUI code is
usually the hardest to make secure.


As a further very simple yet effective security precaution, you can create a
group of trusted users, and give only this group access to critical suid
programs. For example, you might create a group called musers, of which you and
your best friend are members. Then you can set the muse binary as follows:

	#chown root:musers muse
	#chmod 4750 muse
	#ls -l muse
	-rwsr-x---    1 root     musers     20930049 Aug 28 19:34 muse

Now only members of the group musers can use MusE, Joe Random Hacker can not.
(However, if your account is hacked, MusE can then be exploited to gain root,
but hey...)

Additionally, you can use "givertcap" as described in the next section.


What is givertcap and how do I use it ?
---------------------------------------

"givertcap" (give real-time capabilites) is a small wrapper written by Tommi
Ilmonen.
When enabled, it is executed by MusE and gives to it just the capabilities
needed to set the timer and get real-time scheduling, but not the full set of 
root privileges. This greatly reduces the amount of damage that can be done.

However, it is not used by default, since it requires a kernel modification.

To enable givertcap, simply call ./configure --enable-rtcap before compiling.
(The givertcap code is part of the MusE distribution.)

With current kernels, you need to apply a little patch to the kernel headers:
Go to /usr/src/linux/include/linux (or wherever you have your kernel sources)
and in the file capability.h change the line

	#define CAP_INIT_EFF_SET    to_cap_t(~0&~CAP_TO_MASK(CAP_SETPCAP))
to
	#define CAP_INIT_EFF_SET    to_cap_t( ~0 )

and the line

	#define CAP_INIT_INH_SET    to_cap_t(0)
to
	#define CAP_INIT_INH_SET    to_cap_t( ~0 )
.

You must then recompile your kernel.

In this setup, givertcap must be set suid root, but MusE can be run with normal
privileges.
Now all possible suid exploits described above apply to givertcap, but since it
is such a tiny program, it can be checked for exploits far more easily and can
be considered reasonably secure.

Unfortunately, givertcap can be used to grant real-time privileges to *any*
program, so it's an easy way to have the machine clogged up by a malicious user
who might run bogus tasks at 100% system usage.
Therefore, you *must* create an extra group for it (called "musers" in this
example):
	# chown root:musers givertcap
	# chmod 4750 givertcap
Do not forget to remove the suid bit on muse afterwards by doing
	# chmod 755 muse
.

For more information about givertcap and kernel capabilites, see
http://www.tml.hut.fi/~tilmonen/givertcap/
and
http://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/capfaq-0.2.
txt.



Further reading:
================

General Linux system security:
http://linuxdoc.org/HOWTO/Security-Quickstart-HOWTO/
http://linuxdoc.org/HOWTO/Security-HOWTO.html

Secure Linux programming:
http://linuxdoc.org/HOWTO/Secure-Programs-HOWTO/

Permissions:
man chmod
man chattr

givertcap:
http://www.tml.hut.fi/~tilmonen/givertcap/

An alternative approach, using a kernel module:
http://arctrix.com/nas/linux/capwrap.tar.gz

Kernel capabilites:
http://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/capfaq-0.2.
txt

Adding capability flags to ELF files:
http://atrey.karlin.mff.cuni.cz/~pavel/elfcap.html


Buffer Overflow attacks:
"Smashing the stack for fun and profit" by AlephOne 1996, published in
Phrack magazine, issue 49
http://www.phrack.com/show.php?p=49&a=14

In the MusE source, app.cpp contains the invocation of givertcap and the
dropping of the suid privileges: grep for "getCapabilities" and "setuid" to see
how it's done.

________________________________________________________________________________


This document was written by Jörn Nettingsmeier
<nettings@folkwang-hochschule.de>
Corrections and improvements welcome.

Thanks to Werner Schweer and Tommi Ilmonen for answering my questions.

Last updated 02/22/2002.