From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([69.77.167.62] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1L57Fo-0007SY-Ud for garchives@archives.gentoo.org; Tue, 25 Nov 2008 23:23:37 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 0C4DAE03EA; Tue, 25 Nov 2008 23:23:36 +0000 (UTC) Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.186]) by pigeon.gentoo.org (Postfix) with ESMTP id A5464E03EA for ; Tue, 25 Nov 2008 23:23:35 +0000 (UTC) Received: by nf-out-0910.google.com with SMTP id c7so118690nfi.26 for ; Tue, 25 Nov 2008 15:23:33 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references; bh=m88O59KI9ceflM+foPERjItsEvB/PEwfoBIbjtml5aY=; b=WX/4weexAy2REiemTmqL0XpyedMuD+CI5ztAGjd1KQ5WM0VgLHEqGzpXnM7G/rnpL8 YF6fBxAtvPgQvRRgm29QRE19MLNTEOjR06wvf3tkYwPHv9JNGjguItyHdJ0NEbSq+oE5 tsxHTTd7HlxtU5niEfup63a/ey4OxCm6y2oH0= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references; b=Kpd7Qh0ZnLehaaW+6q4LWYos198PJ3jtxEItVuDg7tWfWNEumYsHDwIE/wzNhNuK4g ytmvXsKeY1gyGUDXRL0ohgrQr9cxFflyld9dZKrNqw8Qkv+RP9L7bFderw9LUqiB2knR QjT+U36RA7z2AG/Ir3AsQbtAmEzEnchCuy5Yw= Received: by 10.103.40.5 with SMTP id s5mr1838989muj.93.1227655413054; Tue, 25 Nov 2008 15:23:33 -0800 (PST) Received: by 10.103.239.6 with HTTP; Tue, 25 Nov 2008 15:23:33 -0800 (PST) Message-ID: <897813410811251523s1dd72950v4c3af0f189d9bd4@mail.gmail.com> Date: Wed, 26 Nov 2008 00:23:33 +0100 From: "=?ISO-8859-1?Q?Javier_Mart=EDnez?=" To: gentoo-hardened@lists.gentoo.org Subject: Re: [gentoo-hardened] hardened workstation - is that worth it? In-Reply-To: <200811252158.06957.janklodvan@gmail.com> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-hardened@lists.gentoo.org Reply-to: gentoo-hardened@lists.gentoo.org MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <200811251700.45540.janklodvan@gmail.com> <4255c2570811251158n28f3274ch34e87a1a3f1eacb6@mail.gmail.com> <200811252158.06957.janklodvan@gmail.com> X-Archives-Salt: 4deb3c3f-e717-42b5-8057-f62d88c193a6 X-Archives-Hash: a1914783d513adaa4c423dd072ca47de Why are the bit root-suid applications a risk in the point of view of security? The X server is a root-setuid binary that can't be assured from the point of view of posix capabilities for example, the reason is clear one process that has only CAP_SYS_RAWIO capability could make raw writing in /dev/mem!!!. Before the filesystem capabilities one process with only CAP_SYS_RAWIO and the others restricted could add all others capabilities missing by simply searching the cap_bset in their system.map and writting 0xFFFFFEFF in it through /dev/mem. With this hack he has CAP_SYS_SUID CAP_SYS_SGID, CAP_DAC_OVERRIDE etc..., now with the filesystem capabilities probably you could do the same by writting in the task_struct of the process. Xorg is worst than a normal setuid program, ping for example could be assured granting only CAP_NET_RAW, with this privilege ping can't own the rest of the system. Xorg can't be assured, it needs CAP_SYS_RAWIO and CAP_DAC_OVERRIDE between others, enough to write /dev/mem). Xorg adds one level of complexity unaceptable from a security view point, it's something like sendmail, how could you make sendmail more secure?, rewritting it from 0!!!! Xorg was not designed to be secure, only to networking. Patches has been added (as xace extensions) to make it a bit more secure, but it stills insecure (if you dress a monkey to be saw as a human, it stills being monkey!!). Xorg mmaps video memory through /dev/mem and I think that the way it does it is which make it incompatible with PaX mprotect restrictions (pax author could tell you more), so is a problem of Xorg, not PaX does simply does his job kill Xorg. Complexity and security are enemies, and if complexity is added to a bad design then switch off. In my opinion having 3 or 300 holes is irrelevant from a security view point, with only one is enough!. Any programmer with a bit of known of assembly could make exploits, and as phrack made in one of his articles, one great programmer with deep knowledge of memory management and PaX could even defeat it. 2008/11/25 Jan Klod : > On Tuesday 25 November 2008 19:58:42 RB wrote: >> KDE (and to a lesser extent X) pretty much nullifies most application >> isolation efforts you're going to make. > > Actually, that sound like there is practically no way to keep networked > workstation really secure. Sure, is not trivial to gain root access through > software bugs (interesting, how many list member would be able to do it?), > but no one running X can claim, he has absolutely secure system, which can't > fail him regardless to who is the hacker. > Furthermore, the system is said to be only as secure as the weakest part, so > making hardened server will only slow down attacks and, at most, ensure > server stability. Still, if there is someone ready to attack servers end > clients (which ones will almost always have X running), the way can be open. > > Can someone explain how would it happen, the exploitation of buffer overflow > in X? How would attacker gain access to X bug most importantly? What are > those ways for other apps? Always different? > And have there been any efforts to make PaX enabled X? > > Personally, I think, the best way would be using firewall to allow only the > most necessary addresses, which point to trusted services (mail,sftp,...). > That said, web browsing is cut off. > > As a conclusion of what I have read this far I can state: hardened OS is > useless for non-server. Would that be too much? Well, I think, in a "black > and white" no. (later is a discussion of what is better: to have 3 holes or > 300) > > Comments? > >