Originally posted by flower
View Post
Announcement
Collapse
No announcement yet.
Linux's modprobe Adds The Ability To Load A Module From Anywhere On The File-System
Collapse
X
-
- Likes 9
-
Not a security issue.- insmod already has this feature
- modprobe & insmod require elevated privileges to do more than list modules already inserted
- given (2), if someone already has managed elevated privileges, then restricting file reads to areas only root generally has write permissions will not save you
- if someone has executed a privilege escalation attack there's very little to prevent said someone from altering SELinux or AppArmor profiles en mass nor from dropping their compromised modules into the traditional directories for modules.
- Properly executed boot, module/driver signing, and execution chains of trust is what help prevent 2, 3, & 4 from occurring in the first place.
- Likes 17
Comment
-
Not a security expert by any means but turning it around does seem like it makes it a little easier to create security mistakes. If you somehow placed a kernel module somewhere a unprivilaged user could override it somehow. It could be a problem when the module gets loaded. Granted probably a stupid oversight but Enforcing a location keeps things a bit more contained.
Do I think we should not be allowed to do this, but it does add potential to increase the attack surface a bit.
- Likes 2
Comment
-
Originally posted by debrouxl View PostLoading kernel modules requires elevated privileges anyway, but... making it easier to load kernel modules from non-system directories, and therefore having to weaken security policies which enforce the former defaults, does not strike me as a security improvement.
It's typically the kind of things that I feel spender would lambast. Not that I can easily check for that on his Twitter feed, though, with this new brain-dead, worse than useless behaviour of Twitter displaying tweets in random order instead of chronological order...
1. All modules loaded from outside the modules directory will generate a kprintf (dmesg log) that shows module name, file location, and possibly a checksum
2. A module named the same as an existing one can't be loaded from outside the modules directory (i.e. no counterfeiting, to use a poker hand term)
3. If unsigned or if the signature doesn't match the kernel's source signature a 'taints kern' message is logged
As to the twitter thing, that's the fault of people everywhere who use twitter as a Changelog, a calendar, a news feed, a fanboi page, or an advertisement display location. While it can do those things, it doesn't do them well, and now does so much worse. Rather than expressing disappointment that twitter doesn't live up to anyone's expectations anymore (if ever) probably it would be more prudent to use more reliable trustworthy tools or sources.
I really like my Leatherman Wave. It's pretty good at lots of things. However, it is not great at any of them. That's like Twitter.
E
Comment
-
Heck OpenBSD removes loadable kernel modules entierely and here Linux is saying hey if you are root you can load this snazzy new module from your downloads directory! Seems like an easy way to shoot yourself in the foot for mid level users or users coming from windows world used to installing drivers from downloads.
- Likes 1
Comment
-
Originally posted by kylew77 View PostHeck OpenBSD removes loadable kernel modules entierely and here Linux is saying hey if you are root you can load this snazzy new module from your downloads directory! Seems like an easy way to shoot yourself in the foot for mid level users or users coming from windows world used to installing drivers from downloads.
- Likes 5
Comment
-
As an IT security professional working at a company of > 200 people, this change is completely insane, barbaric, and shortsighted. Now anyone can load their modprobes from anywhere?? Surely someone, somewhere, realized that there is security in requiring modules to exist in a tightly controlled directory with group structure and SELinux permissions.
I'm moving to MINIX. Linus will never win the unix wars.
- Likes 2
Comment
-
Originally posted by AlanTuring69 View PostAs an IT security professional working at a company of > 200 people, this change is completely insane, barbaric, and shortsighted. Now anyone can load their modprobes from anywhere?? Surely someone, somewhere, realized that there is security in requiring modules to exist in a tightly controlled directory with group structure and SELinux permissions.
I'm moving to MINIX. Linus will never win the unix wars.
- Likes 3
Comment
-
Originally posted by qlum View PostNot a security expert by any means but turning it around does seem like it makes it a little easier to create security mistakes. If you somehow placed a kernel module somewhere a unprivilaged user could override it somehow. It could be a problem when the module gets loaded. Granted probably a stupid oversight but Enforcing a location keeps things a bit more contained.
Do I think we should not be allowed to do this, but it does add potential to increase the attack surface a bit.
- Likes 6
Comment
-
I'm not saying that I disagree with this change, but:
Originally posted by stormcrow View PostNot a security issue.
insmod already has this feature
[*]Properly executed boot...
I kind of remember that someone argued that Linux allowing execve() a program when argc is 0 was a potential security risk, other thought that it was not a security issue. Years later a bug in PolicyKit's pkexec affected Linux but not OpenBSD (because its kernel refuses to execve() a program if argc is 0). So yes, a properly written pkexec would have solved the problem in the first place, but not enough of a comfort when it is not.
Comment
Comment