On 2/19/22 19:49, Boian Bonev wrote:
> Hello,
>
> I have got a pull request [1] that implements installing iotop-c with the
> NET_ADMIN capability by default and I am trying to evaluate if that is OK or
> not.
>
> Currently iotop-c will only allow itself to be run as root. In case it is run as some
> other user, it will advise to use sudo, or alternatively add the NET_ADMIN
> capability to the binary:
>
> sudo setcap 'cap_net_admin+eip' <path-to>/iotop
>
> Obviously that will have to be redone after each update, adding some
> inconvenience for admins who decide to allow that for non-root users. I have
> never considered installing it suid - that would be overkill and may
> introduce security problems. I always use it as root and have never given that
> too much thought, also never before did deep analyses of the consequences of
> the above setcap.
>
> Here is a brief list of the consequences of allowing non-root users to run it
> by the setcap:
>
> - Process IO usage will be exposed [maybe OK]
> - Process list and command lines will be exposed (same as other tops) [safe]
> - Re-nicing own processes to rt/* will not work [safe]
> - Re-nicing non-own processes will not work [safe]
> - task_delayacct sysctl toggle (Ctrl-T) will not work [safe]
> - There are no other networking operations besides TASKSTATS from
> NETLINK_GENERIC that would allow the unprivileged user to do privileged tasks via
> the higher capped binary [safe]
>
> As a summary it seems that accepting the PR is 99% OK, but I'd prefer to get
> more opinions before doing so.
>
> With best regards,
> b.
>
> [1] https://src.fedoraproject.org/rpms/iotop-c/pull-request/1

My main worry would be memory corruption vulnerabilities in C. This could be
avoided if iotop was written in a memory safe language, or if it uses privilege
separation so that only a small part of the code actually runs with elevated
privileges.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
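The thread turns on what `setcap 'cap_net_admin+eip'` actually puts on the binary and on admins having to re-apply it after updates. The following is an added example, not from the thread and not iotop-c's own code: it decodes the `security.capability` extended attribute that setcap writes (layout from `struct vfs_cap_data` in the kernel's `include/uapi/linux/capability.h`, revisions 1 to 3), renders it in the form getcap prints, and reports any capability a file grants beyond what a package is expected to carry. The sample blob and the `read_file_caps`/`unexpected_caps` helper names are constructed for this example; reading the xattr from a real file is Linux-only.

```python
"""Decode the security.capability xattr that `setcap` writes on a file.

Added example (not from the thread, not iotop-c code). Layout follows struct
vfs_cap_data in include/uapi/linux/capability.h (revisions 1, 2 and 3).
"""
import os
import struct

# Capability numbers as assigned in include/uapi/linux/capability.h; index = number.
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap "
    "linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock "
    "ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin "
    "sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease "
    "audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm "
    "block_suspend audit_read perfmon bpf checkpoint_restore"
).split()

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001   # one flag covering the whole permitted set
VFS_CAP_REVISION_1 = 0x01000000        # 1 x (permitted, inheritable) word pair
VFS_CAP_REVISION_2 = 0x02000000        # 2 word pairs (caps 0..63)
VFS_CAP_REVISION_3 = 0x03000000        # as rev 2, plus a rootid for user namespaces


def _words_to_names(words):
    """Turn 32-bit capability words into a set of cap_* names."""
    names = set()
    for index, word in enumerate(words):
        for bit in range(32):
            if word & (1 << bit):
                number = index * 32 + bit
                base = CAP_NAMES[number] if number < len(CAP_NAMES) else str(number)
                names.add("cap_" + base)
    return names


def decode_vfs_cap(blob):
    """Parse a raw security.capability value into its sets plus rootid.

    Raises ValueError on an unknown revision or a wrong length rather than
    guessing: a malformed value on a privileged binary is worth noticing."""
    if len(blob) < 4:
        raise ValueError("security.capability value too short")
    (magic_etc,) = struct.unpack_from("<I", blob, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    pairs = {VFS_CAP_REVISION_1: 1, VFS_CAP_REVISION_2: 2, VFS_CAP_REVISION_3: 2}.get(revision)
    if pairs is None:
        raise ValueError(f"unknown vfs_cap_data revision 0x{revision:08x}")
    expected = 4 + 8 * pairs + (4 if revision == VFS_CAP_REVISION_3 else 0)
    if len(blob) != expected:
        raise ValueError(f"expected {expected} bytes for this revision, got {len(blob)}")
    words = struct.unpack_from("<" + "II" * pairs, blob, 4)
    rootid = 0
    if revision == VFS_CAP_REVISION_3:
        (rootid,) = struct.unpack_from("<I", blob, 4 + 8 * pairs)
    return {
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": _words_to_names(words[0::2]),
        "inheritable": _words_to_names(words[1::2]),
        "rootid": rootid,
    }


def to_setcap_text(caps):
    """Render decoded sets in the cap_name=flags form that getcap prints."""
    by_flags = {}
    for name in sorted(caps["permitted"] | caps["inheritable"]):
        flags = ""
        if caps["effective"] and name in caps["permitted"]:
            flags += "e"
        if name in caps["inheritable"]:
            flags += "i"
        if name in caps["permitted"]:
            flags += "p"
        by_flags.setdefault(flags, []).append(name)
    return " ".join(",".join(names) + "=" + flags for flags, names in sorted(by_flags.items()))


def unexpected_caps(caps, allowed):
    """Capabilities the file grants beyond those a package is expected to carry."""
    return (caps["permitted"] | caps["inheritable"]) - set(allowed)


def read_file_caps(path):
    """Decode the xattr of a real file; None when it carries no file caps (Linux only)."""
    try:
        return decode_vfs_cap(os.getxattr(path, "security.capability"))
    except OSError:
        return None


# Constructed sample: the revision-2 value `setcap 'cap_net_admin+eip'` produces
# (magic_etc 0x02000001, permitted[0] = inheritable[0] = 1 << 12, upper words zero).
CONSTRUCTED_NET_ADMIN_EIP = bytes.fromhex("01000002" "00100000" "00100000" "00000000" "00000000")

if __name__ == "__main__":
    decoded = decode_vfs_cap(CONSTRUCTED_NET_ADMIN_EIP)
    print(to_setcap_text(decoded))                      # cap_net_admin=eip
    print(unexpected_caps(decoded, {"cap_net_admin"}))   # set()
```

Run against an installed binary with `read_file_caps("/usr/sbin/iotop")` and compare with an allowlist such as `{"cap_net_admin"}`; anything `unexpected_caps` returns is a grant the package review did not sign off on. The decoder deliberately rejects unknown revisions and odd lengths instead of reading past the end, which is the conservative choice for something that describes privilege.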
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure