Date: Sun, 17 Jan 2021 01:03:25 +0100 From: Mariusz Zaborski <oshogbo@freebsd.org> To: Cy Schubert <Cy.Schubert@cschubert.com> Cc: mike@karels.net, Mateusz Guzik <mjguzik@gmail.com>, src-committers <src-committers@freebsd.org>, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org, Mark Johnston <markj@freebsd.org>, Alex Richardson <arichardson@freebsd.org> Subject: Re: git: aefe30c54371 - main - cat: capsicumize it Message-ID: <CAGOYWV9XGdb6Ey=GXWYnxXQnizKds0mMPKKMMhZnxhhCPzAhbQ@mail.gmail.com> In-Reply-To: <202101161510.10GF9xON022324@slippy.cwsent.com> References: <202101161448.10GEmuI4095908@mail.karels.net> <202101161510.10GF9xON022324@slippy.cwsent.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Thank you for raising your concerns. We discussed that, and for now,
we will disable sandboxing in the cat. We will try to measure where
the bottlenecks are and try to address them.
We should try to sandbox even as simple tools like cat or tail, but not for any
cost. If we have a high cost, we may explore other ways of doing it.
On Sat, 16 Jan 2021 at 16:10, Cy Schubert <Cy.Schubert@cschubert.com> wrote:
>
> In message <202101161448.10GEmuI4095908@mail.karels.net>, Mike Karels
> writes:
> > Mateusz wrote:
> > > I have to strongly disagree with this change.
> >
> > > truss -f cat /etc/motd immediately reveals most peculiar overhead
> > > which comes with it.
> >
> > > Some examples:
> > > - pdfork is called 3 times and fork 1 time, spawning 4 processes in total
> > > - the file is opened twice:
> > > 5548: openat(AT_FDCWD,"/etc/motd",O_RDONLY,00) = 5 (0x5)
> > > 5548: cap_rights_limit(5,{ CAP_READ,CAP_FCNTL,CAP_FSTAT }) = 0 (0x0)
> > > 5548: openat(AT_FDCWD,"/etc/motd",O_RDONLY,00) = 7 (0x7)
> > > 5548: cap_rights_limit(7,{ CAP_READ,CAP_FCNTL,CAP_FSTAT }) = 0 (0x0)
> > > - there is an enormous number of sendto/recvfrom instead of everything
> > > happening in just one go
> >
> > > Key points:
> > > - the functionality provided by casper definitely induces way more
> > > overhead than it should.
> > > - regardless of the above, I find patching tools like tail and cat in
> > > this manner to be highly questionable. Ultimately whatever security
> > > may or may not have been gained it always have to be gauged against
> > > actual impact and it does not look it is worth it in this case.
> >
> > > Even if someone was to put cat in capability mode, for something as
> > > trivial a opening one file, cat could just do it without all the other
> > > overhead and then enter the sandbox.
> >
> > > That said, I think this change (and possibly similar changes to other
> > > tooling) should be reverted. Regardless of what happens here, casper
> > > needs a lot of work before it is deemed usable.
> >
> > > My $0,03.
> >
> > I also question this change. Using capsicum makes sense for something
> > like tcpdump, which usually runs as root, uses privileged facilities,
>
> tcpdump can drop its privileges. Various Linux distros and vendors do this.
> I have a patch in my tree that will do this.
>
> > and interprets external data that could potentially subvert it in the
> > worst case. It also has a fairly high startup cost that can be amortized
> > over its runtime. Cat is nothing like this, so I wonder what the motivation
> > was for the change. It's not obvious to me that there is any significant
> > value in capsicumizing, and there are obviously significant costs.
>
> Agreed.
>
> >
> > Mike
>
>
> --
> Cheers,
> Cy Schubert <Cy.Schubert@cschubert.com>
> FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
> NTP: <cy@nwtime.org> Web: https://nwtime.org
>
> The need of the many outweighs the greed of the few.
>
>
> >
> > > On 1/15/21, Mariusz Zaborski <oshogbo@freebsd.org> wrote:
> > > > The branch main has been updated by oshogbo:
> > > >
> > > > URL:
> > > > https://cgit.FreeBSD.org/src/commit/?id=aefe30c5437159a5399bdbc1974d6fbf4
> > 0f2ba0f
> > > >
> > > > commit aefe30c5437159a5399bdbc1974d6fbf40f2ba0f
> > > > Author: Mariusz Zaborski <oshogbo@FreeBSD.org>
> > > > AuthorDate: 2021-01-15 20:22:29 +0000
> > > > Commit: Mariusz Zaborski <oshogbo@FreeBSD.org>
> > > > CommitDate: 2021-01-15 20:23:42 +0000
> > > >
> > > > cat: capsicumize it
> > > >
> > > > Reviewed by: markj, arichardson
> > > > Differential Revision: https://reviews.freebsd.org/D28083
> > <snip>
> >
> >
>
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAGOYWV9XGdb6Ey=GXWYnxXQnizKds0mMPKKMMhZnxhhCPzAhbQ>