Friday, March 2, 2012

UID Nobody and Mandatory Integrity Control

"Those who don't understand UNIX are condemned to reinvent it, poorly." -- Henry Spencer


The concept of nobody originates from Sun Microsystems and their work developing NFS. The uid was intended to represent an unmapped filesystem user with no special access (referred to as uid -2 in the original NFS RFC, but later explicitly named nobody). The plan was to prevent local privileged users from bypassing uid checks on remote shares, but the idea of a general purpose unprivileged user account appealed to many administrators and its use expanded.

Sun embraced this idea, and Solaris still documents uid nobody as "Assigned to users or software processes that do not need nor should have any special permissions."

The Solaris administration guide continues,
"The nobody user account is also assigned to software processes that do not need nor should have any special permissions. Some daemons, such as fingerd, run as nobody. If in.tftpd is enabled, it will run as the user nobody."


While motivated by well-meaning administrators, these organic changes were poorly thought out. The problem with this model is that by making these critical processes all the same unprivileged user, that user has ironically become one of the most privileged on the system. This unfortunate result is simply because nobody now has permission to interfere with the most critical processes on the system (via signals, temporary files, ptrace, and so on). The processes intended to be isolated for security, such as software installation and critical system daemons, are now all as vulnerable as the weakest link.

This is bad news. If your mailer daemon, name daemon and http daemon are running as the same uid, then a trivial cgi mistake means an attacker can read everyone's mail - the exact opposite of the isolation and compartmentalization that was intended. A better solution quickly presented itself: assign a unique UID to each daemon you would like to compartmentalize. With this improvement, a compromise of that daemon can no longer interfere with the operation of any other service.

The unique uid solution is used in most modern UNIX-like systems. Your sshd, sendmail, postgres, apache, bind, etc. all get their own user, hopefully compartmentalizing any potential compromise. In my opinion, this system is quite elegant.
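The per-daemon uid model only delivers compartmentalization if it is actually applied, and the easiest way to lose it is an installer or administrator that quietly puts a second service under an existing account. The following audit script is an added example, not code from the original post: it reads the standard Linux procfs files /proc/&lt;pid&gt;/status (the "Uid:" line) and /proc/&lt;pid&gt;/comm and reports every uid under which more than one distinct program is running, since processes sharing a real uid can normally signal, ptrace and replace each other's temporary files. The NOBODY_UIDS set and the sample records are assumptions constructed for the example.

```python
"""Audit a Linux host for unrelated services sharing one uid.

Added example (not code from the original post). It reads /proc/<pid>/status
(the "Uid:" line: real, effective, saved, filesystem uid) and /proc/<pid>/comm
and reports every uid under which more than one distinct program runs. Two
processes with the same real uid can normally signal and ptrace each other
and overwrite each other's temporary files, so a uid hosting several daemons
is the "nobody" weak link the post describes: each daemon is only as safe as
the most exposed one.
"""
import os
import pwd
from collections import defaultdict

# Uids conventionally used for "nobody" on Linux (65534), older Red Hat (99)
# and Solaris (60001). These are conventions, not a standard.
NOBODY_UIDS = {65534, 99, 60001}

# Constructed sample, modelled on the fingerd / in.tftpd case quoted in the
# post: (pid, comm, real uid).
SAMPLE_RECORDS = [
    (101, "fingerd", 65534),
    (102, "in.tftpd", 65534),
    (103, "sshd", 0),
    (104, "postgres", 70),
    (105, "postgres", 70),   # several workers of one service are fine
    (106, "named", 25),
]


def parse_status_uid(status_text):
    """Return the real uid from the text of /proc/<pid>/status, or None."""
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            return int(line.split()[1])
    return None


def collect_procs(proc_root="/proc"):
    """Yield (pid, comm, real_uid) for each process visible under proc_root."""
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as f:
                uid = parse_status_uid(f.read())
            with open(os.path.join(proc_root, entry, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            continue  # process exited or is hidden (hidepid) since listdir
        if uid is not None:
            yield int(entry), comm, uid


def shared_uids(records, ignore_uids=(0,)):
    """Return {uid: sorted program names} for every uid hosting more than one
    distinct program. Root is ignored by default: it is all-powerful anyway,
    so "sharing" it says nothing about compartmentalization."""
    by_uid = defaultdict(set)
    for _pid, comm, uid in records:
        if uid not in ignore_uids:
            by_uid[uid].add(comm)
    return {uid: sorted(c) for uid, c in by_uid.items() if len(c) > 1}


def uid_name(uid):
    """Best-effort account name for a uid."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def report(findings):
    """Render shared_uids() output as one line per offending uid."""
    lines = []
    for uid in sorted(findings):
        tag = " <- nobody" if uid in NOBODY_UIDS else ""
        lines.append("uid %d (%s) shared by: %s%s"
                     % (uid, uid_name(uid), ", ".join(findings[uid]), tag))
    return lines


if __name__ == "__main__":
    print("constructed sample:")
    for line in report(shared_uids(SAMPLE_RECORDS)):
        print("  " + line)
    if os.path.isdir("/proc"):
        print("this host:")
        live = report(shared_uids(collect_procs()))
        for line in live or ["(no shared uids)"]:
            print("  " + line)
```

Grouping by the 15-character comm name means several workers of one service (the two postgres entries) are not flagged, while two different programs under one uid are. On a host using per-daemon accounts the live report should be empty; anything it lists is a candidate for its own uid.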

Mandatory Integrity Control (Integrity Levels and UIPI) in Windows

It occurs to me that Integrity Levels and UIPI are very similar to these antiquated (discredited?) privilege separation ideas from UNIX. Their growing use among important software (office software, web browsers, etc) is making "Low" integrity level a pretty exciting place to execute code, similar to the old concept of uid nobody.

Malware enthusiasts appear happy that we can prevent persistence across reboots for low integrity processes, which indeed is quite difficult if implemented correctly. However, it only takes one vendor using Integrity Levels incorrectly to break this assumption. Ironically, the first vendor I noticed defeating this property was Sun, the inventor of uid nobody. Their crime is storing Java patch executables in directories writable by Low processes, but I'm sure they won't be the only offender.
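The property being lost here is checkable: a Low integrity process can only write to objects whose mandatory label is Low (or Untrusted), or whose label carries no no-write-up (NW) restriction, and a directory holding executables that anything later runs at a higher level should never be one of them. The script below is an added example, not code from the original post. It parses the output of Windows' `icacls <path>`, which prints an explicit mandatory label as a line such as `Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)`, and decides whether a process at a given integrity level gets past the label; the sample icacls output is constructed for the example, and the DACL still applies as a separate check.

```python
"""Check which directories a Low integrity process may write to.

Added example, not code from the original post. It works on the text printed
by Windows' `icacls <path>`. An object carrying an explicit mandatory label
shows it as an extra ACE line such as
    Mandatory Label\\Low Mandatory Level:(OI)(CI)(NW)
Objects with no explicit label are treated as Medium with no-write-up (NW),
which is what stops a Low process from writing to most of the filesystem. An
explicit Low (or Untrusted) label, or a label without NW, removes that
barrier; the DACL still has to grant write access on top. The icacls output
below is constructed for this example.
"""
import re
import subprocess
import sys

# Integrity levels in ascending order, as named in icacls output.
LEVEL_RANK = {"Untrusted": 0, "Low": 1, "Medium": 2, "High": 3, "System": 4}

LABEL_RE = re.compile(r"Mandatory Label\\(\w+) Mandatory Level:((?:\([A-Z]+\))+)")

# Constructed icacls output for a LocalLow-style directory (explicit Low label)
# and for an ordinary profile directory (no explicit label).
SAMPLE_LOW = (
    "C:\\Users\\alice\\AppData\\LocalLow NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)\n"
    "                                BUILTIN\\Administrators:(I)(OI)(CI)(F)\n"
    "                                DESKTOP\\alice:(I)(OI)(CI)(F)\n"
    "                                Mandatory Label\\Low Mandatory Level:(OI)(CI)(NW)\n"
    "\n"
    "Successfully processed 1 files; Failed processing 0 files\n"
)
SAMPLE_UNLABELLED = (
    "C:\\Users\\alice\\AppData\\Local NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)\n"
    "                             DESKTOP\\alice:(I)(OI)(CI)(F)\n"
    "\n"
    "Successfully processed 1 files; Failed processing 0 files\n"
)


def mandatory_label(icacls_text):
    """Return (level, [flags]) for the explicit mandatory label in icacls
    output, or None when the object has no explicit label."""
    m = LABEL_RE.search(icacls_text)
    if m is None:
        return None
    return m.group(1), re.findall(r"\(([A-Z]+)\)", m.group(2))


def writable_from(process_level, icacls_text):
    """True if the mandatory label lets a process at process_level write to
    the object described by icacls_text. The DACL is a separate check."""
    label = mandatory_label(icacls_text)
    if label is None:
        level, flags = "Medium", ["NW"]     # implicit label of unlabelled objects
    else:
        level, flags = label
    if "NW" not in flags:
        return True                         # no write-up restriction at all
    return LEVEL_RANK[process_level] >= LEVEL_RANK[level]


def scan(paths, process_level="Low"):
    """Run icacls (Windows only) on each path and return those writable from
    process_level: candidate locations for the kind of Low-writable install
    directory the post complains about."""
    if sys.platform != "win32":
        raise RuntimeError("icacls is only available on Windows")
    hits = []
    for path in paths:
        out = subprocess.run(["icacls", path], capture_output=True, text=True).stdout
        if writable_from(process_level, out):
            hits.append(path)
    return hits


if __name__ == "__main__":
    for name, text in (("LocalLow", SAMPLE_LOW), ("Local", SAMPLE_UNLABELLED)):
        print("%-9s label=%s writable from Low: %s"
              % (name, mandatory_label(text), writable_from("Low", text)))
    if len(sys.argv) > 1:
        print("Low-writable:", scan(sys.argv[1:]))
```

Point `scan()` at the directories a vendor's updater or patch mechanism executes from; any hit combined with a DACL that grants write to the user is a place where code running at Low can plant something that later runs at Medium or higher, which is exactly the persistence guarantee the paragraph says a single careless vendor can void.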

Still, I'm not sure I understand the "persistence" obsession. Nobody also had this property of being unable to persist across reboot, but it turns out attackers are quite happy to have ephemeral access to all your data. Frankly, if an attacker had access to all of my data, but I'm told not to worry because he can't persist across a reboot, this would be little consolation.

In conclusion, I'm not a fan of the design of MIC in modern Windows systems; I think a modern-UNIX-like solution, rather than an antiquated-UNIX-like one, would be preferable.

I like the design of the Chrome sandbox in this regard, which effectively emulates these nice properties. I'm specifically talking about the Windows sandbox; I'm not such a big fan of the Linux or Mac sandboxes, although they do have some redeeming features lacking in Windows. The primary redeeming feature of the Linux sandbox is that it effectively reduces the kernel attack surface exposed to compromised renderers, but at the expense of a very inelegant design.

The good news is that my awesome friend Will Drewry is working on fixing that.

30 comments:

Unknown said...

I guess the thought behind appcontainer is to avoid this problem you point out. Each appcontainer has its own security identity.
