On Do, 05.01.23 20:17, Steve Grubb (sgrubb(a)redhat.com) wrote:
Hello,
I work on RHEL security problems. I have been looking into a number of
exploits and I think we have a problem that has an easy fix. We are not using
the CONFIG_STATIC_USERMODEHELPER_PATH kernel config option. There are a number
of exploits that overwrite the path to modprobe and then pass something weird
that causes modprobe to be invoked. But instead of modprobe, it's their
reverse shell.
umh is such a problematic interface. The processes forked off that way
live in a weird netherworld besides the init system, in the root
cgroup (and that even though inner cgroups in cgroupsv2 are not
supposed to have processes in them) without any of the resource or
security restrictions we otherwise make on all of userspace. It's
stuff that runs in userspace but is entirely unmanaged by userspace
security and resource wise. (And it's also frickin slow)
I wished we could get rid of umh entirely. For example, by having some
maybe netlink based protocol or so that userspace could use to
subscribe to umh events somehow and then gets the chance to fork off
the processes itself. The init system could then hook into that and
dispatch things in proper services with sandboxing, resource controls
and everything applied, in a sensible cgroup.
Lennart
--
Lennart Poettering, Berlin