Re: Perforce client: security hole by design

Ben Bucksch wrote:
= Abstract =

The Perforce client has a huge gapping security hole by design. It
totally trusts the Perforce server and does whatever the server tells
it, writing arbitrary files.
Eww :)

= Risk =

Critical. The server has full access to *all* files that *any* of its
users has.

"We can trust the server" is not an appropriate answer:

* I am a contractor and have access to many companies' sources, and
I do *not* allow any company I work for to have full access to all
files on my computer, including the source of the all other
companies I work for and even personal files.
You could use any of the security policy systems (AppArmor, SELinux,
LIDS, etc.) to confine the client to be only able to access the files
you want it to have access to. I would argue that AppArmor is the
easiest tool to achieve that (but I'm biased) as it directly supports a
policy model of "this program gets to access these pathnames" e.g.
here's the confinement profile for ntpd:

/usr/sbin/ntpd {
#include <abstractions/base>
#include <abstractions/nameservice>

capability ipc_lock,
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
capability sys_resource,
capability sys_time,

/drift/ntp.drift rwl,
/drift/ntp.drift.TEMP rwl,
/etc/ntp.conf r,
/etc/ntp/drift* rwl,
/etc/ntp/keys r,
/etc/ntp/step-tickers r,
/tmp/ntp* rwl,
/usr/sbin/ntpd rmix,
/var/lib/ntp/etc/ntp.conf.iburst r,
/var/lib/ntp/drift rwl,
/var/lib/ntp/drift.TEMP rwl,
/var/lib/ntp/drift/ntp.drift r,
/var/lib/ntp/var/run/ntp/ntpd.pid w,
/var/log/ntp w,
/var/log/ntp.log w,
/var/run/ntpd.pid w,
}

AppArmor will also let you change the policy for a running process on
the fly, so you could edit the file and push the policy-reload button as
you move between one work site and another without even having to
restart your Perforce client. AppArmor is GPL and available for SUSE,
Slackware, Ubuntu, and Gentoo.

* Also, there are many ways to fool DNS, so that your client goes to
another, hostile server.
* And, lastly, a server is not 100% bulletproof either.
Agreed. An agent that totally trusts a remote computer is dangerous, and
you shouldn't do that unless absolutely necessary.

Crispin

--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
Hacking is exploiting the gap between "intent" and "implementation"

Relevant Pages

  • Re: "Random" number generation (reprise)
    ... the problem comes when the capability has to be ... E.g., a client connects to a server (because, somehow, it is allowed to ... If the act of configuration requires physical access to the devices ...
    (comp.arch.embedded)
  • Re: "Random" number generation (reprise)
    ... The client asks for a capability to be created. ... The server tracks the permissions and binds ... Your take on kernel capabilities unquestionably would work among ...
    (comp.arch.embedded)
  • Re: "Random" number generation (reprise)
    ... The client asks for a capability to be created. ... The server tracks the permissions and binds ... resides in the kernel). ...
    (comp.arch.embedded)
  • Re: remote access logging
    ... That capability has been added to Windows 2003. ... possibly you may want to install a software firewall on that server and use it for ... > We have a remote access server that someone's computer ... > program is connecting to and attempting to log into using ...
    (microsoft.public.win2000.security)
  • Perfoce client only
    ... Is there a way to install the Perforce client only? ... We don't need the server, ... standalone client. ... And yes, command-line version ...
    (freebsd-questions)