| 1 |
He always could keep running X-window and his window manager (both) in |
| 2 |
a chrooted environment, he just protect extremely /dev/mem. Maybe he |
| 3 |
would not need /proc filesystem. If security is important why don't |
| 4 |
keep running the Xserver isolated (in a virtualbox for example and |
| 5 |
hardened with rsbac) and remote users get logged in with xnest through |
| 6 |
a ssl tunnel?. With those you get your untrusted users isolated from |
| 7 |
main system. |
| 8 |
|
| 9 |
In my opinion getting X-window running is bad in security concerns, by |
| 10 |
this reasons: |
| 11 |
- First: PaX should be disable in mprotect terms since Xorg needs it |
| 12 |
(with it refuse to run) . |
| 13 |
- Second: Access to /dev/mem have to be granted and get in mind that |
| 14 |
CAP_SYS_RAWIO capability (between others) too, for this reason, one |
| 15 |
bug in Xserver will give all control to the attacker (and keep in mind |
| 16 |
that with access to /dev/mem all Selinux, rsbac and grsecurity |
| 17 |
policies are wasted efforts). Since mprotect protections have to be |
| 18 |
disabled pax could not protect you. |
| 19 |
- Third: You must assure the access to the display, to make a |
| 20 |
keylogger in x-window is easy if there is posibility to connect |
| 21 |
untrusted clients to it. |
| 22 |
|
| 23 |
2008/11/25 RB <aoz.syn@×××××.com>: |
| 24 |
> On Tue, Nov 25, 2008 at 08:00, Jan Klod <janklodvan@×××××.com> wrote: |
| 25 |
>> Suppose, I want to take some extra precautions and set up PaX&co and MAC on a |
| 26 |
>> workstation with Xorg and other nice KDE apps (only some of which should be |
| 27 |
>> granted access to files in folder X). I would like to read others opinion, if |
| 28 |
>> I can get considerable security improvements or I will have to make that much |
| 29 |
>> of exceptions to those good rules, as it makes protection too useless? |
| 30 |
> |
| 31 |
> KDE (and to a lesser extent X) pretty much nullifies most application |
| 32 |
> isolation efforts you're going to make. Even if you ran each |
| 33 |
> application under a dedicated user and in its own chroot environment, |
| 34 |
> the GUI provides IPC facilites that will readily bypass all your hard |
| 35 |
> effort. As with your other email, clicking a link in one app opens a |
| 36 |
> browser window in another, regardless of what user separation you |
| 37 |
> might have - KDE does this under the covers, since it's what most |
| 38 |
> users would actually want, but you perceive it as a security breach. |
Archives