From: Javier Martínez
To: gentoo-hardened@lists.gentoo.org
Date: Tue, 25 Nov 2008 21:36:22 +0100
Subject: Re: [gentoo-hardened] hardened workstation - is that worth it?
He could always keep running X Window and his window manager (both) in a chrooted environment; he just has to protect /dev/mem extremely well. Maybe he would not need the /proc filesystem. If security is important, why not keep the X server running isolated (in a VirtualBox, for example, hardened with RSBAC) and have remote users log in with Xnest through an SSL tunnel? With that you get your untrusted users isolated from the main system.

In my opinion, having X Window running is bad from a security standpoint, for these reasons:

- First: PaX should be disabled in mprotect terms, since Xorg needs that (with it enabled, Xorg refuses to run).
- Second: Access to /dev/mem has to be granted, and keep in mind that the CAP_SYS_RAWIO capability (among others) has to be too; for this reason, one bug in the X server will give all control to the attacker (and keep in mind that with access to /dev/mem all SELinux, RSBAC and grsecurity policies are wasted effort). Since the mprotect protections have to be disabled, PaX cannot protect you.
- Third: You must secure access to the display; making a keylogger in X Window is easy if there is a possibility of connecting untrusted clients to it.
2008/11/25 RB:
> On Tue, Nov 25, 2008 at 08:00, Jan Klod wrote:
>> Suppose I want to take some extra precautions and set up PaX & co. and MAC on a
>> workstation with Xorg and other nice KDE apps (only some of which should be
>> granted access to files in folder X). I would like to read others' opinions on
>> whether I can get considerable security improvements, or whether I will have to
>> make that many exceptions to those good rules that it makes the protection
>> useless?
>
> KDE (and to a lesser extent X) pretty much nullifies most application
> isolation efforts you're going to make. Even if you ran each
> application under a dedicated user and in its own chroot environment,
> the GUI provides IPC facilities that will readily bypass all your hard
> effort. As with your other email, clicking a link in one app opens a
> browser window in another, regardless of what user separation you
> might have - KDE does this under the covers, since it's what most
> users would actually want, but you perceive it as a security breach.
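The first reason in the reply above (PaX's MPROTECT having to be switched off for Xorg) is something you can audit on a hardened box rather than take on faith. The following is an added example, not code from this thread or from the PaX or Gentoo projects: it parses the PT_PAX_FLAGS program header that `paxctl` writes into an ELF binary and reports whether MPROTECT is explicitly disabled, which is what `paxctl -m /usr/bin/Xorg` records. The PT_PAX_FLAGS value and the PF_* bit positions are taken from PaX's elf.h; the parser assumes little-endian ELF32/ELF64, and `build_sample_elf64` produces a constructed test image, not a real binary.

```python
"""Audit the PaX flags recorded in an ELF binary's PT_PAX_FLAGS header.

Added example for the discussion above (not code from the thread or from
the PaX/Gentoo projects). `paxctl -m /usr/bin/Xorg`, the usual way to make
Xorg run under PaX, sets the "disable MPROTECT" bit in this header; this
script decodes that header so the exception can be audited.
Assumptions: little-endian ELF32/ELF64 only; flags stored in PT_PAX_FLAGS
(not in the user.pax.flags xattr used by newer paxctl-ng setups).
"""
import struct
import sys
from typing import Dict, Optional

PT_PAX_FLAGS = 0x65041580  # PT_LOOS + 0x5041580, as defined by PaX

# p_flags bits of PT_PAX_FLAGS. Each feature has an explicit "enable" and
# an explicit "disable" bit; with neither set the kernel default applies.
PAX_FLAG_BITS = {
    "PAGEEXEC": (1 << 4, 1 << 5),
    "SEGMEXEC": (1 << 6, 1 << 7),
    "MPROTECT": (1 << 8, 1 << 9),
    "RANDEXEC": (1 << 10, 1 << 11),
    "EMUTRAMP": (1 << 12, 1 << 13),
    "RANDMMAP": (1 << 14, 1 << 15),
}


def decode_pax_flags(p_flags: int) -> Dict[str, str]:
    """Map each PaX feature to 'enabled', 'disabled' or 'default'."""
    state = {}
    for name, (on_bit, off_bit) in PAX_FLAG_BITS.items():
        if p_flags & off_bit:
            state[name] = "disabled"
        elif p_flags & on_bit:
            state[name] = "enabled"
        else:
            state[name] = "default"
    return state


def find_pt_pax_flags(elf: bytes) -> Optional[int]:
    """Return p_flags of the PT_PAX_FLAGS program header, or None if absent."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = elf[4], elf[5]
    if ei_data != 1:
        raise ValueError("this example handles little-endian ELF only")
    if ei_class == 2:    # ELF64: e_phoff @32, e_phentsize/e_phnum @54; p_flags @4 in phdr
        (e_phoff,) = struct.unpack_from("<Q", elf, 32)
        e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
        flags_offset = 4
    elif ei_class == 1:  # ELF32: e_phoff @28, e_phentsize/e_phnum @42; p_flags @24 in phdr
        (e_phoff,) = struct.unpack_from("<I", elf, 28)
        e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 42)
        flags_offset = 24
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    for i in range(e_phnum):
        phdr = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from("<I", elf, phdr)
        if p_type == PT_PAX_FLAGS:
            (p_flags,) = struct.unpack_from("<I", elf, phdr + flags_offset)
            return p_flags
    return None


def mprotect_disabled(elf: bytes) -> bool:
    """True when the binary carries an explicit 'disable MPROTECT' marking."""
    p_flags = find_pt_pax_flags(elf)
    return p_flags is not None and decode_pax_flags(p_flags)["MPROTECT"] == "disabled"


def build_sample_elf64(pax_p_flags: int, p_type: int = PT_PAX_FLAGS) -> bytes:
    """Constructed minimal ELF64 image (64-byte ehdr + one phdr) for testing.
    This is synthetic input for the example, not a real binary."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 62, 1,          # e_type=ET_EXEC, e_machine=EM_X86_64, e_version
        0, 64, 0,          # e_entry, e_phoff (right after the ehdr), e_shoff
        0, 64, 56, 1,      # e_flags, e_ehsize, e_phentsize, e_phnum
        0, 0, 0,           # e_shentsize, e_shnum, e_shstrndx
    )
    phdr = struct.pack("<IIQQQQQQ", p_type, pax_p_flags, 0, 0, 0, 0, 0, 0)
    return ehdr + phdr


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    image = open(path, "rb").read() if path else build_sample_elf64(1 << 9)
    flags = find_pt_pax_flags(image)
    if flags is None:
        print("no PT_PAX_FLAGS header: kernel defaults apply")
    else:
        for name, state in decode_pax_flags(flags).items():
            print("%-9s %s" % (name, state))
        if mprotect_disabled(image):
            print("WARNING: MPROTECT disabled; this binary is a PaX exception")
```

Run it as `python pax_audit.py /usr/bin/Xorg` (file name assumed); a report of MPROTECT disabled means that binary is exactly the exception the reply warns about, and the same check is worth running over every setuid or root-owned daemon on the box. Newer toolchains (paxctl-ng) may keep the flags in the `user.pax.flags` extended attribute instead of, or in addition to, PT_PAX_FLAGS; this example reads only the program header.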