OpenBSD's new file(1) is now priv-separated (opens in new tab)

(marc.info)

71 pointsnayden11y ago30 comments

30 comments

19 comments · 4 top-level

msl0911y ago· 8 in thread

From my understanding file is a pretty simple program, why does it need to care about privilege separation?

Here are three bug reports for file(1): https://www.freebsd.org/security/advisories/FreeBSD-SA-07%3A... , https://www.freebsd.org/security/advisories/FreeBSD-SA-14%3A... , https://www.freebsd.org/security/advisories/FreeBSD-SA-14%3A... .

Quoting from the first:

> An attacker who can cause file(1) to be run on a maliciously constructed input can cause file(1) to crash. It may be possible for such an attacker to execute arbitrary code with the privileges of the user running file(1). ...

> No workaround is available, but systems where file(1) and other libmagic(3)-using applications are never run on untrusted input are not vulnerable.

And from the third:

> There are a number of denial of service issues in the ELF parser used by file(1). ...

> An attacker who can cause file(1) or any other applications using the libmagic(3) library to be run on a maliciously constructed input can cause the application to crash or consume excessive CPU resources, resulting in a denial-of-service.

realusername11y ago

From what I remember, it's actually does quite complicated things internally. It does some heuristics on the file content based on some rule to determine the file format. You can also add new file formats this way, there is a 'magic' file you can add somewhere in /usr/share for that (I don't remember exactly where). And there is literally thousands of file types to test. Anyway, if you have ever coded in C you know what might happen with complex-byte manipulation...

pjc5011y ago

It has a history of vulnerability to maliciously constructed input files. It's often used as a validator ("is this file.jpg actually a jpg or an executable?") and/or run as root.

Sanddancer11y ago

File parsing is a pretty hard problem. Let's take for example a Microsoft .exe file. They all start with the string MZ. However, saying something is an executable file is just the start of the rabbit hole. Is it purely a DOS executable, or is it a windows PE executable? Or is it an OS/2 LE executable, or is it a wrapper around a COFF file created by DJGPP? Okay, now, we know it's a PE file. Is this PE file actually a self extracting archive file created by PKZIP? Or maybe RAR? All of those are also things which have definite headers and offsets that you have to look to, and which the file utility needs to know how to look for, and where things can quickly get complicated.

DasIch11y ago

file is indeed a pretty simple program. Why allow it to do more than it needs to?

DominikD11y ago

It's a configurable parser. Parsers tend to be the hardest thing to get right, hence bugs detected by AFL in FreeBSD's file, in SQL parser in SQLite, etc. A lot of the vulnerabilities in apps dealing with image files come down to parser being buggy. It seems simple until you actually try and implement it.

1 more reply

bandrami11y ago

http://en.wikipedia.org/wiki/Halting_problem

Welcome to the joys of parsing.

raldi11y ago

http://en.wikipedia.org/wiki/Small_matter_of_programming

2 more replies

viraptor11y ago· 3 in thread

Separation is done. 1/3 points done: https://news.ycombinator.com/item?id=9441262

I didn't realise openbsd had a seccomp equivalent, but I'm happy it does! (And it did make the news again)

bandrami11y ago

Systrace was added to the base system 10 or 11 years ago (3.6, IIRC), but there was some hesitation among some key team members to use it widely (the argument being that privilege separation utilities themselves will almost always have security problems). That ship seems to have sailed, though, in more recent years.

jquast11y ago

I think the lack of implementation was that were vulnerabilities in design that I don't think were ever resolved, it simply can't work as the only line of defense. http://undeadly.org/cgi?action=article&sid=20070809201304

It's too bad, I think system calls are a very good place to apply security policies. I think the issue is that one can modify the memory structures pointed to by a system call after it has been "approved" by systrace policy, but before the kernel acts on it. While the ownership of such data structures are in userspace, its perfectly fine to modify such regions.

It's too bad, I think its possibly the most straight-forward approach compared to SELinux or MAC

brynet11y ago

I've added support for Linux seccomp filtering to my portable tree on GitHub:

https://github.com/brynet/file

brynet11y ago· 2 in thread

Here are the other two related commits:

https://marc.info/?l=openbsd-cvs&m=143014212727213&w=2

https://marc.info/?l=openbsd-cvs&m=143014250427343&w=2

There are unfortunately a lot of people who depend on file(1); and many of them also run it as root.

Also previous HN discussion: https://news.ycombinator.com/item?id=9439778

SixSigma11y ago

then why don't they run file(1) on a private copy ?

brynet11y ago

OpenBSD has yet to successfully program human behaviour.

CJefferson11y ago· 2 in thread

How easy is privilege separation nowadays? Are there any cross-platform libraries (well, cross-unix at least)?

Most programs I write I would be happy, fairly soon after startup, to drop to "just read and write handles I've already got". It would make me feel much better about my badly written parsers!

viraptor11y ago

Cross-unix no. But pretty much every Linux distribution supports seccomp these days.

brynet11y ago

Privilege separation is achievable by using separate unprivileged users. If root is required, fork and drop root and then use something like OpenBSD's imsg(3) API to properly pass resources between the privileged parent and unprivileged child processes.

If you want to go a step further and sandbox, use setrlimit(2)/chroot(2). And if it's appropriate, use technologies like systrace(4) or Linux seccomp(2).

There are many examples of this in OpenBSD's base system, including some most people don't know about.. like tcpdump(8)

j / k navigate · click thread line to collapse

30 comments

19 comments · 4 top-level

msl0911y ago· 8 in thread

From my understanding file is a pretty simple program, why does it need to care about privilege separation?

dalke11y ago

Quoting from the first:

> No workaround is available, but systems where file(1) and other libmagic(3)-using applications are never run on untrusted input are not vulnerable.

And from the third:

> There are a number of denial of service issues in the ELF parser used by file(1). ...

realusername11y ago

pjc5011y ago

It has a history of vulnerability to maliciously constructed input files. It's often used as a validator ("is this file.jpg actually a jpg or an executable?") and/or run as root.

Sanddancer11y ago

DasIch11y ago

file is indeed a pretty simple program. Why allow it to do more than it needs to?

DominikD11y ago

1 more reply

bandrami11y ago

http://en.wikipedia.org/wiki/Halting_problem

Welcome to the joys of parsing.

raldi11y ago

http://en.wikipedia.org/wiki/Small_matter_of_programming

2 more replies

viraptor11y ago· 3 in thread

Separation is done. 1/3 points done: https://news.ycombinator.com/item?id=9441262

I didn't realise openbsd had a seccomp equivalent, but I'm happy it does! (And it did make the news again)

bandrami11y ago

jquast11y ago

It's too bad, I think its possibly the most straight-forward approach compared to SELinux or MAC

brynet11y ago

I've added support for Linux seccomp filtering to my portable tree on GitHub:

https://github.com/brynet/file

brynet11y ago· 2 in thread

Here are the other two related commits:

https://marc.info/?l=openbsd-cvs&m=143014212727213&w=2

https://marc.info/?l=openbsd-cvs&m=143014250427343&w=2

There are unfortunately a lot of people who depend on file(1); and many of them also run it as root.

Also previous HN discussion: https://news.ycombinator.com/item?id=9439778

SixSigma11y ago

then why don't they run file(1) on a private copy ?

brynet11y ago

OpenBSD has yet to successfully program human behaviour.

CJefferson11y ago· 2 in thread

How easy is privilege separation nowadays? Are there any cross-platform libraries (well, cross-unix at least)?

Most programs I write I would be happy, fairly soon after startup, to drop to "just read and write handles I've already got". It would make me feel much better about my badly written parsers!

viraptor11y ago

Cross-unix no. But pretty much every Linux distribution supports seccomp these days.

brynet11y ago

If you want to go a step further and sandbox, use setrlimit(2)/chroot(2). And if it's appropriate, use technologies like systrace(4) or Linux seccomp(2).

There are many examples of this in OpenBSD's base system, including some most people don't know about.. like tcpdump(8)

j / k navigate · click thread line to collapse