Re: SELinux

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 20 Jan 2011 01:51:03 +0200, Kostas Sfakiotakis wrote:

> On 18/01/2011 06:22 ÏÎ, Tim wrote:
> 
> < snip >
> 
>>  SELinux is another of the protective measures on your system,
> 
> A small comment here , actually SELinux is an NSA invention which is
> supposed to provide extra security to your system by controlling
> everything and everyone .
> 
>>  Being root doesn't mean that you should just be allowed to do
>>  anything,
> 
> Since i started this thread , let me clarify something . All i was
> trying to do was to open a pdf file  simple as that  and i do believe
> that on my computer am pretty much entitled to do so .
> 
>>  Made all the more worse when users start running things as root that
>>  they don't really need to. Running Acrobat reader as root? Not a good
>>  idea.
> 
> Well i was logged in as root at the momment . What am i supposed to do
> ?? Logout and login back again just to run Acrobat Reader  ????? I do
> believe that would be an overkill .

<snip>

Probably would not be overkill. I don't know if the exploits have made it to
Linux yet, but  there are Windows Acrobat Reader exploits. If someone ported
those to  Linux (different payload is perhaps all it would take), then running 
acroread as root could compromise your system.

My thought is that if you need to run some extended commands as root, open a 
shell and use the command line. You'll have all of your other tools 
available as a normal user.

Here's an approach to fixing Adobe Acrobat. Your mileage may vary.

Adobe Acrobat Reader comes with at least two libraries marked as
stack executable.

Here's how to find them:

1. Find where the files are

rpm -q AdobeReader_enu-9.4.1-1.i486 --filesbypkg

Your package is probably different since I run a 32 bit system, and
you are running a 64 bit system.

2. cd to the directory (for me it's /opt/Adobe)

3. Run the following command (or something similar)

find . -name \*.so -exec execstack -q {} \;

This basically finds all the .so files (normally links to shared
libraries), and queries the execstack state.

The problem:

You're looking for libraries that have execstack turned on. Here are some
examples:

X ./Reader9/Reader/intellinux/lib/libsccore.so
X ./Reader9/Reader/intellinux/lib/libcrypto.so

The fix:

1. Find the actual file that these (potential) soft links are linked to:

cd /opt/Adobe/Reader9/Reader/intellinux/lib
ls -l libsccore.so
-rwxr-xr-x. 1 root root 722824 Nov  8 05:48 libsccore.so
ls -l libcrypto.so
lrwxrwxrwx. 1 root root 14 Nov 30 17:05 libcrypto.so -> libcrypto.so.0

This turns out to be another link:

ls -l libcrypto.so.0
lrwxrwxrwx. 1 root root 18 Nov 30 17:05 libcrypto.so.0 -> libcrypto.so.0.9.8

2. Change to root, and create a diary entry. You do document changes
to your system, right?

01/19/2011 20:40
  cleared execstack /opt/Adobe/Reader9/Reader/intellinux/lib/libsccore.so
  cleared execstack /opt/Adobe/Reader9/Reader/intellinux/lib/libcrypto.so.0.9.8

3. clear the execstack with:

execstack -c /opt/Adobe/Reader9/Reader/intellinux/lib/libsccore.so
execstack -c /opt/Adobe/Reader9/Reader/intellinux/lib/libcrypto.so.0.9.8

4. Exit root

Now test the results. If there's a problem, then you'll have to
revert the changes.

To revert the changes, do the following.

1. Change to root and make a diary entry. Don't just delete the
previous, since it's good to know what you've tried especially when
it didn't work.

01/19/2011 20:45
 acroread failed to work after clearing execstack.
 set execstack on /opt/Adobe/Reader9/Reader/intellinux/lib/libsccore.so
 set execstack on /opt/Adobe/Reader9/Reader/intellinux/lib/libcrypto.so.0.9.8

2. Set execstack back with:

execstack -s /opt/Adobe/Reader9/Reader/intellinux/lib/libsccore.so
execstack -s /opt/Adobe/Reader9/Reader/intellinux/lib/libcrypto.so.0.9.8

Unfortunately this will create problems with SELinux (again).
Hopefully you won't have to reset execstack on these shared libraries.

Report the Bug

In any case, a bug should be filed with Adobe for each
execstack-enabled library that is found.

Hope this helps.

. . . . just my two cents.

/mde/

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines


[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux