* [gentoo-dev] chroot USE flag? @ 2003-07-18 5:15 Brandon Hale

From: Brandon Hale @ 2003-07-18 5:15 UTC
To: gentoo-dev

I propose a new USE flag for a few key services that would install the package in a chroot "out of the box." This idea was inspired by a conversation between Greg Fitzgerald (gregf) and myself on applying ideas from OpenBSD to Gentoo. Another source of inspiration is the excellent pkg_config code in the latest bind9 ebuilds. I further discussed this idea with members of the gentoo-hardened team and further crystallized the workings of such a flag.

I would propose that the ebuild include two conditional install procedures keyed on the chroot USE flag. The only possible problem I foresee is building devices inside the sandbox, which could be accomplished in pkg_postinstall as a last resort.

I would be happy for any feedback or further development of this idea.

Brandon Hale

--
gentoo-dev@gentoo.org mailing list
* Re: [gentoo-dev] chroot USE flag?

From: Alvaro Figueroa Cabezas @ 2003-07-17 12:52 UTC
To: gentoo-dev

On Jul 18 01:15, Brandon Hale wrote:
> I propose a new USE flag for a few key services that would install the
> package in a chroot "out of the box."

> I further discussed this idea with members of the gentoo-hardened team

Well, if the idea is to harden boxes, this chroot flag should apply to every service thinkable... (And this is a _lot_ of work)

But if the idea is to really harden boxes, chroots should be forgotten, and capabilities applied :).

--
Alvaro Figueroa

--
gentoo-dev@gentoo.org mailing list
* Re: [gentoo-dev] chroot USE flag?

From: Brandon Hale @ 2003-07-18 6:44 UTC
To: gentoo-dev

On Thu, 2003-07-17 at 08:52, Alvaro Figueroa Cabezas wrote:
> On Jul 18 01:15, Brandon Hale wrote:
> > I propose a new USE flag for a few key services that would install the
> > package in a chroot "out of the box."
>
> > I further discussed this idea with members of the gentoo-hardened team
>
> Well, if the idea is to harden boxes, this chroot flag should
> apply to every service thinkable... (And this is a _lot_ of work)
>
> But if the idea is to really harden boxes, chroots should be forgotten,
> and capabilities applied :).

--
gentoo-dev@gentoo.org mailing list
* Re: [gentoo-dev] chroot USE flag?

From: Brandon Hale @ 2003-07-18 6:54 UTC
To: gentoo-dev

On Thu, 2003-07-17 at 08:52, Alvaro Figueroa Cabezas wrote:
> Well, if the idea is to harden boxes, this chroot flag should
> apply to every service thinkable... (And this is a _lot_ of work)

I can't argue with that, but the initial goal would be to harden a few commonly used or notoriously insecure services. These include bind, ntpd and apache, to name a few. I am currently working with the bind ebuild to adapt the chroot code to respect USE="chroot."

> But if the idea is to really harden boxes, chroots should be forgotten,
> and capabilities applied :).

I'm not sure what you mean by capabilities, but I received a similar argument concerning SE Linux, whose superior security model negates the usefulness of chroot'ing a service. However, SE Linux is currently difficult to implement effectively and not a feasible choice for the average sysadmin. Chroot'ing key services could be nicely complemented by grsec's chroot hardening, and provide what I believe to be a workable solution to increase security in Gentoo.

--
gentoo-dev@gentoo.org mailing list
* Re: [gentoo-dev] chroot USE flag?

From: Ned Ludd @ 2003-07-18 3:08 UTC
To: gentoo-dev

On Fri, 2003-07-18 at 02:54, Brandon Hale wrote:
> On Thu, 2003-07-17 at 08:52, Alvaro Figueroa Cabezas wrote:
>
> > Well, if the idea is to harden boxes, this chroot flag should
> > apply to every service thinkable... (And this is a _lot_ of work)

It's not that bad really, and has many useful uses outside of security environments alone.

> I can't argue with that, but the initial goal would be to harden a few
> commonly used or notoriously insecure services. These include bind, ntpd
> and apache to name a few. I am currently working with the bind ebuild to
> adapt the chroot code to respect USE="chroot."

I will support this flag and will help out where I can, perhaps adopting a script I've been using myself to chroot services on Gentoo as an eclass: http://dev.gentoo.org/~solar/gentoo.mkchroot. Then I/we should be able to take the ACLs generated from grsec in learning mode to create runtime package profiles, which could be used to tell us what exactly needs to be in our chroot jail.

On another note, I will be happy to pay the first person who codes sys_jail() for Linux as a kernel patch 2 magic beans and a pocket full of lint.

> > But if the idea is to really harden boxes, chroots should be forgotten,
> > and capabilities applied :).
>
> I'm not sure what you mean by capabilities, but I received a similar
> argument concerning SE Linux, whose superior security model negates the
> usefulness of chroot'ing a service. However, SE Linux is currently
> difficult to implement effectively and not a feasible choice for the
> average sysadmin. Chroot'ing key services could be nicely complemented
> by grsec's chroot hardening, and provide what I believe to be a workable
> solution to increase security in Gentoo.
>

Capabilities are basically a repartition of root's permissions. Here is the basic list of them: http://www.gentoo.org/proj/en/hardened/capabilities.xml

> --
> gentoo-dev@gentoo.org mailing list

--
Ned Ludd <solar@gentoo.org>
Gentoo Linux Developer (Hardened)

--
gentoo-dev@gentoo.org mailing list
* Re: [gentoo-dev] chroot USE flag?

From: Toby Dickenson @ 2003-07-18 6:43 UTC
To: Brandon Hale, gentoo-dev

On Friday 18 July 2003 07:54, Brandon Hale wrote:
> I received a similar
> argument concerning SE Linux, whose superior security model negates the
> usefulness of chroot'ing a service. However, SE Linux is currently
> difficult to implement effectively and not a feasible choice for the
> average sysadmin.

I have recently adopted systrace as a "better chroot". I find it is easier to set up a new service under systrace than under both chroot and selinux. Unlike chroot, it is easy to disable systrace briefly if you suspect the security hardening may be causing a problem.

Another advantage is that systrace is available to non-root users. That makes it easier to prototype policies.

--
gentoo-dev@gentoo.org mailing list
* Re: [gentoo-dev] chroot USE flag?

From: Alvaro Figueroa Cabezas @ 2003-07-18 2:08 UTC
To: gentoo-dev

Without having read a lot about systrace... I'm gonna risk it and answer.

On Jul 18 07:43, Toby Dickenson wrote:
> I have recently adopted systrace as a "better chroot". I find it is easier to
> set up a new service under systrace than both chroot and selinux. Unlike
> chroot, it is easy to disable systrace briefly if you suspect the security
> hardening may be causing a problem.

I see systrace and chroot as tools for different purposes, not that one can replace the other. By creating a chroot you are preemptively cutting down the amount of damage a user can do if they get past the security of the application. They still need to break out of the chroot.

People have the idea that chroots are impossible to break out of. I know that some of the guys in my LUG have successfully (kinda like) gotten out of it by inserting into the broken application enough code to create a device (as in mknod) and to mount that device inside the chroot.

By using capabilities (go out and fetch a 2.6 kernel!), the whole concept of an all-mighty root is obsoleted. You create a user that has certain capabilities to do things, and that is all.

But hey, let's keep the discussion out of the thread on the dev mailing list. I hope that this small enlightenment/clarification won't upset anyone.

--
Alvaro Figueroa

--
gentoo-dev@gentoo.org mailing list
* Re: [gentoo-dev] chroot USE flag?

From: Matt Rickard @ 2003-07-18 0:49 UTC
To: gentoo-dev

On 18 Jul 2003 01:15:00 -0400 Brandon Hale <brandon@comp-u-tek.com> wrote:
> I propose a new USE flag for a few key services that would install the
> package in a chroot "out of the box." This idea was inspired by a
> conversation between Greg Fitzgerald (gregf) and myself on applying
> ideas from OpenBSD to Gentoo. Another source of inspiration is the
> excellent pkg_config code in the latest bind9 ebuilds. I further
> discussed this idea with members of the gentoo-hardened team and
> further crystallized the workings of such a flag. I would propose that
> the ebuild include two conditional install procedures keyed on the
> chroot USE flag. The only possible problem I foresee is building
> devices inside the sandbox, which could be accomplished in
> pkg_postinstall as a last resort. I would be happy for any feedback or
> further development of this idea.

I think this is a good idea. A chroot USE flag would allow daemons to be chrooted transparently without users having to manually run ebuild config. Chroot building could be done in the sandbox, and as Brandon mentioned, we could create the device files with pkg_postinst. These could be removed with pkg_postrm explicitly.

Eventually I would like to see this USE flag apply to more daemons than just bind. I don't know which other packages in portage currently have chrooting options (anyone help me out here?), but I'd at least like to see this for ntpd and apache to start.

--
Matt Rickard
frogger@gentoo.org

--
gentoo-dev@gentoo.org mailing list
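The install procedure sketched in this thread (populate a jail with the daemon binary, the libraries it links against and the device nodes it needs, create the nodes in pkg_postinst and remove them in pkg_postrm), written out as an added shell example. This is not code from the thread, from Ned Ludd's gentoo.mkchroot script or from any Gentoo ebuild; the function names, jail layout and the list of device nodes are assumptions.

```shell
#!/bin/sh
# Constructed example (not from the thread): populate a chroot jail for a
# service binary, the way a pkg_postinst step keyed on USE="chroot" might.
# Function names, jail layout and the device node list are assumptions.
set -u

# List the shared libraries a dynamically linked binary needs.
# A static binary makes ldd exit non-zero, which we treat as "no libraries".
jail_libs() {
    ldd "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# Copy one file into the jail, keeping its absolute path under the jail root.
jail_copy() {
    mkdir -p "$1$(dirname "$2")"
    cp -p "$2" "$1$2"
}

# Device nodes most daemons expect. mknod needs CAP_MKNOD; without it we warn
# and continue rather than leave a half-built jail behind.
jail_mknod() {
    [ -c "$1" ] && return 0
    mknod -m "$2" "$1" c "$3" "$4" 2>/dev/null || echo "mkjail: cannot create $1 (no CAP_MKNOD?)" >&2
}

jail_devices() {
    mkdir -p "$1/dev"
    jail_mknod "$1/dev/null" 666 1 3      # char major 1, minor 3
    jail_mknod "$1/dev/random" 444 1 8
    jail_mknod "$1/dev/urandom" 444 1 9
}

# Build the jail: the binary, its libraries, extra files (configs), devices.
# Usage: mkjail <jail_dir> <binary> [extra absolute paths...]
mkjail() {
    jail=$1; bin=$2; shift 2
    [ -x "$bin" ] || { echo "mkjail: $bin is not executable" >&2; return 1; }
    mkdir -p "$jail/etc" "$jail/tmp" && chmod 1777 "$jail/tmp"
    jail_copy "$jail" "$bin"
    for lib in $(jail_libs "$bin"); do jail_copy "$jail" "$lib"; done
    for extra in "$@"; do jail_copy "$jail" "$extra"; done
    jail_devices "$jail"
}

# Counterpart of a pkg_postrm step: remove only the nodes mkjail created,
# leaving the service's own files and configuration to the package manager.
rmjail_devices() {
    for d in null random urandom; do rm -f "$1/dev/$d"; done
}
```

Running `mkjail /var/chroot/named /usr/sbin/named /etc/bind/named.conf` as root would give a tree that `chroot /var/chroot/named /usr/sbin/named` can start in; as an unprivileged user the tree is built but /dev stays empty.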
* Re: [gentoo-dev] chroot USE flag?

From: Christian Axelsson @ 2003-07-18 1:25 UTC
To: Matt Rickard; +Cc: gentoo-dev

On Fri, 2003-07-18 at 02:49, Matt Rickard wrote:
> On 18 Jul 2003 01:15:00 -0400
> Brandon Hale <brandon@comp-u-tek.com> wrote:
> > I propose a new USE flag for a few key services that would install the
> > package in a chroot "out of the box." This idea was inspired by a
> > conversation between Greg Fitzgerald (gregf) and myself on applying
> > ideas from OpenBSD to Gentoo. Another source of inspiration is the
> > excellent pkg_config code in the latest bind9 ebuilds. I further
> > discussed this idea with members of the gentoo-hardened team and
> > further crystallized the workings of such a flag. I would propose that
> > the ebuild include two conditional install procedures keyed on the
> > chroot USE flag. The only possible problem I foresee is building
> > devices inside the sandbox, which could be accomplished in
> > pkg_postinstall as a last resort. I would be happy for any feedback or
> > further development of this idea.
>
> I think this is a good idea. A chroot USE flag would allow daemons to
> be chrooted transparently without users having to manually ebuild
> config. Chroot building could be done in the sandbox, and as Brandon
> mentioned, we could create the device files with pkg_postinst. These
> could be removed with pkg_postrm explicitly.
>
> Eventually I would like to see this USE flag apply to more daemons than
> just bind. I don't know which other packages in portage currently have
> chrooting options (anyone help me out here?), but I'd at least like to
> see this for ntpd and apache to start.

PowerDNS is another; apache can run chrooted (but you lose a few features, though on a production server those shouldn't be very important).

I bet there are many we-run-as-root servers out there that can fairly easily be chrooted (actually, in theory you can chroot almost all services).

I propose yes to this as well.

--
Christian Axelsson
smiler@lanil.mine.nu
GPG key ID 6C3C55D9 @ ldap://keyserver.pgp.com