moko running everything as root

Kevin Dean kevin at foreverdean.info
Sun Jun 15 19:36:00 CEST 2008


Firstly, sorry for the blank reply. Accidentally double clicked and
"send" is in the same spot. :P

On Sat, Jun 14, 2008 at 4:25 AM, arne anka <openmoko at ginguppin.de> wrote:

> only opkg is run, not everything possible.
> logging in as root opens a world of ways to harm your data, either by
> accident or deliberately.
> exploiting suid requires a bug in the program suid'd.

I understand how and why permission separations exist. :) What I'm
saying is that if we sit back and evaluate how this device is going to
be used in the vast majority of cases, you'll realize that unlike a
desktop or server system, the data that a non-root user can delete is
as bad as, or perhaps even WORSE than, destroying the system integrity
itself.

I'm not saying "we should abandon security" as a concern. But
realistically speaking, a mobile device DOES have different concerns
than a desktop or a server. Focusing on "system internals" on Openmoko
while ignoring the fact that remote users can destroy vital, NON root,
important data is just busy work.


>> User "John" running sudo rm -rf /* is better than root running "rm -rf
>> /*" because...?
>
> see above.
> you can configure which commands/programs may be run with sudo.

I understand this. Take a step back for a second and really evaluate
the device's marketed purpose though. The point of sudo and the like
is to ensure that a non-root user can't hose the system, right? A
non-root user might need to be able to install a printer, so you can
give that user access to CUPS commands. In the traditional UNIX file
system, having /usr destroyed is a significantly bigger issue than
having /tmp destroyed in most cases. In a network environment, you
defend the "important" stuff dearly, and accept a certain level of
risk with every little blurb you give to a non-root user.

In the mobile world, there is NOTHING more important than the user's
data. Nothing. And in the mobile world, you can implement root priv
separations till the cows come home, but it doesn't eliminate the fact
that the most vulnerable part of the system is still being put at
risk.

Please understand I'm not saying "Ignore security", I'm a big fan of
security. :) I'm simply trying to look at this in a way that's suited
to the use cases rather than "tradition".

>> If you want security, unprivileged users must NOT
>> EVER be able to run privileged commands.
>
> see above.

Perhaps I needed to make this distinction. When I said "a user" in
this case, I don't mean "a line in /etc/passwd" but a flesh and blood
person. You running sudo some-command is "a user running a privileged
command". Sudo is a way to allow users to have SOME of the powers of
root, while limiting them from using others. If UNIX user john has
sudo permissions to remove packages, and that UNIX account is
compromised, it is AS bad as if root itself had a shell on the box -
the intruder on the system can hose it.


> i am not sure i understand you correctly, but for me it sounds like you're
> saying user/group separation is meaningful for servers only (and only
> because physical access can be prevented), for end user computers, laptops
> specifically, it is a waste.
> if so, you are pretty much alone with this understanding.

I'm not saying that at all. I'm quite happy that I can log in as
"kevin" and not "root" on my desktop system. I AM saying, however,
that on a mobile device the value of each chunk of the filesystem is
different than on a desktop workstation, a laptop and CERTAINLY a
server. And taking into account traditional things because they're
traditional isn't always the most suited solution to the environment.

>
> what bothers me: as far as i understand the vast majority of applications
> is ported from existing linux distributions or just recompiled -- so, why
> would one disable the user/group principle the apps obey on their native
> platform?

Because the system they obey is designed for an environment where
protection of the system is more important than protection of non-root
data.

> ubuntu for one works rather well with that wheel/sudo way and even on
> non-ubuntu systems users are able "to run a lot of root applications such
> as rdate, power off, opkg, etc." w/o being root all the time.

If you check the Ubuntu mailing lists back to the days of Warty you'll
see that there were people objecting to the use of sudo for the same
reason that people are calling for a root/user split. Allowing a
compromised non-root user to have access to system internals was
heresy! Objectively speaking, no system on a public network is "secure"
- security is simply the amount of risk you're willing to take for the
sake of access. Ubuntu chose to open up the sudo risk (and as I said,
even though it's "common", it's a procedure that still sparks
controversy) because, in the end, it was deemed that that amount of
risk had acceptable gains. The reason that those gains were acceptable
on a desktop and not a server is the same argument I'm making here -
the use case puts user data (which is still at risk when controlled by
a non-root user account) closer to "the most important thing".
