914705 – localed: dropping caps is ineffective

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 914705 - localed: dropping caps is ineffective

Summary: localed: dropping caps is ineffective

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	systemd
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	systemd-maint
QA Contact:	Jan Ščotka
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-02-22 15:04 UTC by Miloslav Trmač
Modified:	2014-06-13 13:17 UTC (History)
CC List:	3 users (show)
Fixed In Version:	systemd-206-4.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-06-13 13:17:40 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Miloslav Trmač 2013-02-22 15:04:11 UTC

systemd-{hostnamed,localed,timedated} are some of the few auto-activated D-Bus services running as root (i.e. possible privilege escallation paths) that are available in the minimal install.  (systemd-logind is presumably mandatory.)

Please consider splitting them into a subpackage that can be removed.  (If that were impossible, modifying them to run as a non-root user would also be an improvement, but the ability to remove them would be preferred.)


Version-Release number of selected component (if applicable):
Tested on Fedora 18 minimal install.

Comment 2 Lennart Poettering 2013-03-08 02:43:29 UTC

They already run at minimal capabilities (try "pscap"!).

Comment 3 Miloslav Trmač 2013-03-11 14:26:28 UTC

(In reply to comment #2)
> They already run at minimal capabilities (try "pscap"!).

Thanks, I'm not sure how I missed that.

Running the services as a non-root user would still be preferable (because root owns most of the system files, and no capabilities are necessary to chmod() and overwrite them).


Anyway, reopening for a different reason: the localed capability restriction doesn't work.


It seems that /usr/lib/systemd/system/dbus-org.freedesktop.locale1.service is trying to remove all capabilities:
> CapabilityBoundingSet=
but per systemd.exec(7) and load-fragment.c:config_parse_bounding_set(), this resets the bounding set to "no restrictions" instead of removing all entries.

pscap confirms:
1     27007 root        systemd-localed   full

Comment 4 Kay Sievers 2013-03-11 15:17:39 UTC

(In reply to comment #3)
> Running the services as a non-root user would still be preferable (because
> root owns most of the system files, and no capabilities are necessary to
> chmod() and overwrite them).

Hmm, any recommendation how to keep the ability to read all of /proc for all
processes on the system? The journal needs to be able to do that, and that's
the main reason we run as root atm.

Comment 5 Miloslav Trmač 2013-03-11 15:31:28 UTC

(In reply to comment #4)
> (In reply to comment #3)
> > Running the services as a non-root user would still be preferable (because
> > root owns most of the system files, and no capabilities are necessary to
> > chmod() and overwrite them).
> 
> Hmm, any recommendation how to keep the ability to read all of /proc for all
> processes on the system? The journal needs to be able to do that, and that's
> the main reason we run as root atm.

I really haven't looked at the details of what journald needs; however if it really needs to use all of the capabilities that it currently keeps, based on a comparison with http://forums.grsecurity.net/viewtopic.php?f=7&t=2522 it's a lost cause - with these capabilities journald will have enough privileges to gain full system control anyway.  (Well, SELinux restrictions will still aply, but that's orthogonal to the UID question, and to some extent to capabilities as well.)

(The journal request was in a different bug; this bug is about {hostnamed,localed,timedated}.)

Comment 6 Lennart Poettering 2013-03-11 17:53:00 UTC

The mechanisms need to read and write files owned by root. It would be really nasty dropping UID for that, unless we want to get into awful stuff such as setfsuid().

In general I believe it's a better idea to have root daemons with as many caps dropped as possible, with sane code rather than non-root daemons whith certain caps addedd, with awful code that uses setfsuid() all the time.

Comment 7 Miloslav Trmač 2013-03-12 11:11:38 UTC

(In reply to comment #6)
> The mechanisms need to read and write files owned by root. It would be
> really nasty dropping UID for that, unless we want to get into awful stuff
> such as setfsuid().
> 
> In general I believe it's a better idea to have root daemons with as many
> caps dropped as possible, with sane code rather than non-root daemons whith
> certain caps addedd, with awful code that uses setfsuid() all the time.

Right, if the code has privileges, running as root makes it more obvious that the administrator needs to be careful.

The change I was thinking about (at least in the case of localed, which seems to be completely unprivileged?) is to just run the daemon as an ordinary unprivileged user ("localed"), and make the files (group-?) owned by the same user "localed".  However that won't work when they are placed in /etc, because localed won't be able to create a temporary file and rename() in that directory.  Oh well, hindsight...


So, I suppose, we are left with the $subject of this bug report - localed running with unrestricted capabilities.

Comment 8 Lennart Poettering 2013-03-22 22:28:03 UTC

Fixed in git.

Comment 9 Harald Hoyer 2013-08-09 11:51:06 UTC

systemd-206-4.el7

Comment 11 Jan Ščotka 2014-01-23 11:58:25 UTC

Hi, capabilities applied

#getpcaps `pidof systemd-localed`
Capabilities for `3533': =ep cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,35,36-ep

Comment 12 Ludek Smid 2014-06-13 13:17:40 UTC

This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.