git: aefe30c54371 - main - cat: capsicumize it

Cy Schubert Cy.Schubert at cschubert.com
Sat Jan 16 15:10:10 UTC 2021


In message <202101161448.10GEmuI4095908 at mail.karels.net>, Mike Karels 
writes:
> Mateusz wrote:
> > I have to strongly disagree with this change.
>
> > truss -f cat /etc/motd immediately reveals most peculiar overhead
> > which comes with it.
>
> > Some examples:
> > - pdfork is called 3 times and fork 1 time, spawning 4 processes in total
> > - the file is opened twice:
> >  5548: openat(AT_FDCWD,"/etc/motd",O_RDONLY,00)  = 5 (0x5)
> >  5548: cap_rights_limit(5,{ CAP_READ,CAP_FCNTL,CAP_FSTAT }) = 0 (0x0)
> >  5548: openat(AT_FDCWD,"/etc/motd",O_RDONLY,00)  = 7 (0x7)
> >  5548: cap_rights_limit(7,{ CAP_READ,CAP_FCNTL,CAP_FSTAT }) = 0 (0x0)
> > - there is an enormous number of sendto/recvfrom instead of everything
> > happening in just one go
>
> > Key points:
> > - the functionality provided by casper definitely induces way more
> > overhead than it should.
> > - regardless of the above, I find patching tools like tail and cat in
> > this manner to be highly questionable. Ultimately, whatever security
> > may or may not have been gained always has to be gauged against the
> > actual impact, and it does not look like it is worth it in this case.
>
> > Even if someone was to put cat in capability mode, for something as
> > trivial as opening one file, cat could just do it without all the other
> > overhead and then enter the sandbox.
>
> > That said, I think this change (and possibly similar changes to other
> > tooling) should be reverted. Regardless of what happens here, casper
> > needs a lot of work before it is deemed usable.
>
> > My $0,03.
>
> I also question this change.  Using capsicum makes sense for something
> like tcpdump, which usually runs as root, uses privileged facilities,

tcpdump can drop its privileges. Various Linux distros and vendors do this. 
I have a patch in my tree that will do this.

> and interprets external data that could potentially subvert it in the
> worst case.  It also has a fairly high startup cost that can be amortized
> over its runtime.  Cat is nothing like this, so I wonder what the motivation
> was for the change.  It's not obvious to me that there is any significant
> value in capsicumizing, and there are obviously significant costs.

Agreed.

>
> 		Mike


-- 
Cheers,
Cy Schubert <Cy.Schubert at cschubert.com>
FreeBSD UNIX:  <cy at FreeBSD.org>   Web:  https://FreeBSD.org
NTP:           <cy at nwtime.org>    Web:  https://nwtime.org

	The need of the many outweighs the greed of the few.


>
> > On 1/15/21, Mariusz Zaborski <oshogbo at freebsd.org> wrote:
> > > The branch main has been updated by oshogbo:
> > >
> > > URL:
> > > https://cgit.FreeBSD.org/src/commit/?id=aefe30c5437159a5399bdbc1974d6fbf40f2ba0f
> > >
> > > commit aefe30c5437159a5399bdbc1974d6fbf40f2ba0f
> > > Author:     Mariusz Zaborski <oshogbo at FreeBSD.org>
> > > AuthorDate: 2021-01-15 20:22:29 +0000
> > > Commit:     Mariusz Zaborski <oshogbo at FreeBSD.org>
> > > CommitDate: 2021-01-15 20:23:42 +0000
> > >
> > >     cat: capsicumize it
> > >
> > >     Reviewed by:    markj, arichardson
> > >     Differential Revision:  https://reviews.freebsd.org/D28083
> <snip>
>
>
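The "open the file, then enter the sandbox" approach Mateusz describes above, as an added example that is not the committed cat(1) code and not anything posted in this thread. Every input is opened and rights-limited before a single cap_enter() call, so there is no casper service, no pdfork and no sendto/recvfrom traffic. The function names open_inputs, enter_sandbox and copy_fd are mine; the rights set mirrors the CAP_READ/CAP_FSTAT/CAP_FCNTL triple in the quoted truss output; the non-FreeBSD stub block is an assumption added only so the file builds elsewhere, and on such systems it provides no sandbox at all.

```c
/*
 * Added example, not the cat(1) code from the commit: open every input
 * up front, limit each descriptor to what cat needs, then cap_enter()
 * once. On non-FreeBSD systems the Capsicum calls below are stubbed to
 * no-ops so the file still builds and runs, with no sandbox.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifdef __FreeBSD__
#include <sys/capsicum.h>
#else
/* Stubs that keep the shape of the Capsicum API but enforce nothing. */
typedef struct { unsigned long unused; } cap_rights_t;
#define CAP_READ  0UL
#define CAP_WRITE 0UL
#define CAP_FSTAT 0UL
#define CAP_FCNTL 0UL
static cap_rights_t *cap_rights_init(cap_rights_t *r, ...) { r->unused = 0; return r; }
static int cap_rights_limit(int fd, const cap_rights_t *r) { (void)fd; (void)r; return 0; }
static int cap_enter(void) { return 0; }
#endif

/* Restrict fd to rights; a kernel built without Capsicum reports ENOSYS. */
static int limit_fd(int fd, const cap_rights_t *r)
{
    return (cap_rights_limit(fd, r) == 0 || errno == ENOSYS) ? 0 : -1;
}

/* Open each path read-only ("-" means stdin, as in cat) and limit it.
 * Returns npaths, or -1 after closing whatever it had already opened. */
int open_inputs(char *const paths[], int npaths, int fds[])
{
    cap_rights_t rights;
    cap_rights_init(&rights, CAP_READ, CAP_FSTAT, CAP_FCNTL);
    for (int i = 0; i < npaths; i++) {
        fds[i] = strcmp(paths[i], "-") == 0 ? STDIN_FILENO : open(paths[i], O_RDONLY);
        if (fds[i] < 0 || limit_fd(fds[i], &rights) < 0) {
            int saved = errno;
            for (int j = 0; j <= i; j++)
                if (fds[j] > STDERR_FILENO)
                    close(fds[j]);
            errno = saved;
            return -1;
        }
    }
    return npaths;
}

/* Limit stdout, then enter capability mode: from here on open() fails. */
int enter_sandbox(void)
{
    cap_rights_t rights;
    cap_rights_init(&rights, CAP_WRITE, CAP_FSTAT);
    if (limit_fd(STDOUT_FILENO, &rights) < 0)
        return -1;
    return (cap_enter() == 0 || errno == ENOSYS) ? 0 : -1;
}

/* Copy everything from in to out, handling short writes; bytes copied or -1. */
long copy_fd(int in, int out)
{
    char buf[8192];
    long total = 0;
    ssize_t n;
    while ((n = read(in, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0, w; off < n; off += w)
            if ((w = write(out, buf + off, (size_t)(n - off))) < 0)
                return -1;
        total += n;
    }
    return n < 0 ? -1 : total;
}

int main(int argc, char *argv[])
{
    char *dash[] = { "-" };
    char *const *paths = argc > 1 ? argv + 1 : dash;
    int nin = argc > 1 ? argc - 1 : 1;
    int *fds = malloc(sizeof(*fds) * (size_t)nin);
    if (fds == NULL || open_inputs(paths, nin, fds) < 0) {
        perror("open");
        return 1;
    }
    if (enter_sandbox() < 0) {   /* every input is open: sandbox now */
        perror("cap_enter");
        return 1;
    }
    for (int i = 0; i < nin; i++)
        if (copy_fd(fds[i], STDOUT_FILENO) < 0) {
            perror("cat");
            return 1;
        }
    free(fds);
    return 0;
}
```

Build it with `cc -o minicat minicat.c` (the file name is my choice). On FreeBSD, `truss -f ./minicat /etc/motd` shows one openat plus one cap_rights_limit per argument and a single cap_enter, with no pdfork or socket traffic, since the program never forks; any open() attempted after enter_sandbox() returns fails with ECAPMODE, which is exactly the property that makes opening everything first a requirement of this design.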




More information about the dev-commits-src-all mailing list