From mboxrd@z Thu Jan 1 00:00:00 1970
From: Javier Juan Martínez Cabezón
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] New Server, considering hardened, need pointers to tfm...
Date: Mon, 12 Dec 2011 16:23:21 +0100
In-Reply-To: <20111212140825.73b06f80.ma1l1ists@yahoo.co.uk>
References: <4EE3BE6B.6050507@libertytrek.org> <20111210145204.39ec9cba@khorne.mthode.org> <20111211101851.GA1810@gentoo.org> <20111211122043.GD1990@home.power> <20111211142519.GA12313@gentoo.org> <20111211145302.GE1990@home.power> <20111211200846.85ac1405.ma1l1ists@yahoo.co.uk> <4EE5EBDE.2090400@gentoo.org> <20111212133800.7780175b.ma1l1ists@yahoo.co.uk> <20111212140825.73b06f80.ma1l1ists@yahoo.co.uk>

About this:

> What for after the main install, password changes (I use scripts
> allowed via sudo for that and monitor mounts globally but the monitoring
> could be improved like grsec's offering), some programs require it during
> install but not many, none on my OpenBSD mail and web servers.

It's a very bad idea to use sudo with scripts, in OpenBSD and everywhere. There is a lot of documentation about this question on the web.

> Another thing that I try to do as a better method of TPE which is a
> breeze on OpenBSD and sometimes I find myself working against Linux
> developers is to make it so that any writeable area of the filesystem
> is mounted noexec and mounts have the least privileges required.

TPE in OpenBSD relies on the trustworthiness of root; trust is only feasible if nobody can reach the root account (and daemons and suid binaries can still reach it in OpenBSD). Until OpenBSD implements mandatory controls and privilege separation (a.k.a. POSIX capabilities), TPE will never be trustworthy under it.

Another problem is script interpretation: you don't need any exec-mounted partition to launch an exploit; a simple "perl myhorribleexploit.pl" does it.

In Linux you can check under RBAC whether a script to be interpreted is trusted or not.

> I'm in the process of attempting to complete this on Linux rather than
> just /home etc. but on OpenBSD and the plan for single user linux
> systems is to remount for updates, which is done in a controlled
> fashion.

Again, what exactly is a controlled fashion? It never gets controlled, because the exec mount privilege is not needed to launch exploits, and for this reason it makes TPE useless.

> but I probably should have just made them single user/auto-login. Bigger
> problems on OpenBSD servers (no devfs) are ttys for multi-user systems
> or multiple ssh users needing tty permission changes, otherwise only
> sftp works for all other users, which could be a feature for
> me at least ;-). Originally I was going to try mounting /dev separately
> but the book Absolute OpenBSD Unix for the practical paranoid said
> you couldn't, I guess it would need to be built into the kernel to boot.
>
> There's also secure knocking that runs commands that may not need ttys
> but I think they have to be pre-ordained, but maybe not.

If I remember correctly, the TIOCSTI and TIOCCONS ioctls exist in OpenBSD too; one allows root to send commands to a user's tty (hijacking) and the other one to spy on it. How did you control that under OpenBSD without mandatory controls?

> Starting with the actual bug, on OpenBSD everything is off until you
> enable it like arch linux but their hotplugd allows you to easily edit
> the commands and so mount options. Of course there are things like
> devmon for Linux but the real issue was if a security policy tried to
> stop introduction of executable code by users and then someone used the
> install scripts and set up say ubuntu with udev by default then a user
> could make a directory owned by root on an ext2 usb possibly name
> it .exe and then execute their program violating the security policy
> and possibly without the admins realising, it's that not caring about
> security while developing that OpenBSD for obvious reasons (being its
> main goal) has. I guess it's akin to gentoo hardened fixing/preferring
> their glibc and mozilla not making their binaries pax compatible

The bug, in my opinion, is relying on the noexec mount option as a security option, since you don't need it to launch untrusted code; just a perl/python interpreter is needed.
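Javier's point in the message above is that noexec only stops the execve() path, and an interpreter still reads a script from a noexec mount, so checking mount options covers only half of the picture. As an added example, not code from this thread or from OpenBSD, grsecurity or Gentoo, the POSIX shell function below reads a /proc/mounts-style table from standard input and reports every writable mount that lacks noexec, nosuid or nodev, which are the "least privileges required" options the quoted message aims for. The mount table it runs against here is constructed; on a live Linux host the same function can be fed /proc/mounts.

```shell
#!/bin/sh
# Added example, not from the gentoo-hardened thread: audit mount options.
# Reads a /proc/mounts-style table (device mountpoint fstype options dump pass)
# from stdin and prints one line per writable mount that is missing any of
# the hardening options noexec, nosuid, nodev.  Run against the live system
# with:  audit_mounts < /proc/mounts
audit_mounts() {
    while read -r dev mnt fstype opts dump pass; do
        # Skip blank lines and comments in hand-written sample tables.
        [ -z "$dev" ] && continue
        case "$dev" in '#'*) continue ;; esac
        # A read-only mount cannot receive new files, so it is not a concern here.
        case ",$opts," in *,ro,*) continue ;; esac
        missing=""
        for want in noexec nosuid nodev; do
            case ",$opts," in
                *,"$want",*) ;;                 # option present
                *) missing="$missing $want" ;;  # option absent
            esac
        done
        if [ -n "$missing" ]; then
            printf '%s (%s) writable, missing:%s\n' "$mnt" "$fstype" "$missing"
        fi
    done
}

# Constructed sample table (not captured from a real host).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,relatime 0 0
/dev/sdb1 /media/usb ext2 rw,nosuid,relatime 0 0
/dev/sda2 /usr ext4 ro,relatime 0 0'

# Runs the audit over the constructed sample; returns the report on stdout.
audit_sample() {
    printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
}

audit_sample
```

Even when every writable mount comes back clean, any interpreter an unprivileged user can reach (sh, perl, python) will still run a script stored on those mounts, which is exactly the gap the message describes; closing it needs a policy layer such as grsecurity's RBAC/TPE checks on interpreted scripts rather than more mount flags.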