> Let's play your game as you keep mixing up contexts and you're the one
> making blanket statements, not me, and telling me you know what I know
> better than myself. I merely said that methods of breaking RBAC have
> been discussed and a kernel exploit is one of them.

I haven't seen any methods of breaking anything in your mails, only ones
searched on the web.

> So show me how you can break out of the default apache on OpenBSD then?

With a bug in the portion of code that has privileges. But it's not needed: any
bug in any software (such as ports, which are not audited) that gets root on
OpenBSD can kill the apache process, but yeah, it's clear that it's nearly
impossible to get a remote hole in coreutils because they audit their
code.....

> RBAC is part of the kernel yes and so stored in memory. It is also a
> part of the kernel that is meant to be switchable. An exploit in the
> kernel can not only bypass RBAC or switch it off, it can even situate a
> rootkit above the kernel, leaving RBAC in place and having ALL rights,
> aka the root of the system. Yes a perfect policy may prevent an exploit
> but it's equally possible that a perfect policy has to allow the
> exploit for desired functionality.

What, do you think that grsec and rsbac are SELinux-alike? Brad Spengler
proved that SELinux could be disabled because of the stupid architecture of LSM
with exported symbols. grsec and rsbac don't work in the horrible way
that SELinux does; they have their code in the main code everywhere, there is
no magic "switch_off" button as in SELinux. Grsec and Rsbac are not a part of
the kernel, they are the kernel itself. In rsbac every syscall is intercepted;
any open(O_RDONLY) call is intercepted and "substituted" by a READ_OPEN
request that has to be granted for it to work; the portion of code that has the
open calls has the rsbac calls right there.

Can you patch the kernel on the fly without accessing devices? Or without
the modules interface? Or without using the ioports interface? Just using the
syscall interface? Prove it, but don't be surprised if you get your funny process
killed, because trying ring 0 changes from ring 3 is strictly forbidden
through it; supervisor mode it is called, I think...

If you can do that, then you can do drivers from userspace without a glue kernel
layer as fuse does (yes, for your information, a kernel interface is needed to
make it work; you can't directly do ring 0 interfaces with only userspace
code...)

> The question is what is more important, keeping attackers out or making
> sure your policies are good enough to stop them. I prefer OpenBSD for
> many reasons aside from just this anyway.

At first sight it seems that you only want to make publicity for OpenBSD on a
gentoo hardened mailing list, in a thread of a user who explicitly asks for
suggestions about it; at least with my answers he could check rbac data and
could save something from them. With your answers I don't know what he can
take away clearly.

> You turned this into a bashing of OpenBSD and I'm not sure anyone here
> appreciates the hijacking of this thread, I should have known better
> than to mention OpenBSD here and almost removed it before sending, let's
> stop and agree to disagree. It's not the first time the importance of
> RBAC's bug exploitation prevention versus bug removal and prevention at
> source has been discussed. Hopefully one day the Linux kernel will be
> as bug free and capable of being safely as static as OpenBSD's, I also hope
> OpenBSD gets a MAC one day too. Unfortunately I can't see either
> happening.

I only correct your mistakes and try to avoid the user getting confused
by you.
I have been showing all through the thread that your noexec implementation does
not work, and I explained the reason for this and probable solutions. If you are
blind about this, don't try to extend your blindness to the user who wants
suggestions.
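
[Editor's note, added to the archived thread: the following is a constructed illustration of the syscall-level mediation the reply above describes, where an open() is turned into a named request such as READ_OPEN that a policy must grant before the kernel proceeds. It is an editor's example, not RSBAC's code and not written by either participant. The request names follow RSBAC's vocabulary, but the flag-to-request mapping, the "webserver"/"admin" roles, the "htdocs"/"logs" object labels and the bitmask policy are assumptions made for the example.]

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of RSBAC-style syscall mediation (editor's example,
 * not RSBAC code). The open() path is hooked, the caller's flags are
 * translated into a named access request, and the decision function
 * must grant that request before the real open would proceed. Request
 * names mirror RSBAC's vocabulary; the mapping, roles and objects are
 * assumptions for illustration only. */

enum request {
    R_READ_OPEN,        /* O_RDONLY                          */
    R_WRITE_OPEN,       /* O_WRONLY                          */
    R_APPEND_OPEN,      /* O_WRONLY | O_APPEND               */
    R_READ_WRITE_OPEN,  /* O_RDWR (with or without O_APPEND) */
    R_COUNT
};

#define REQ_BIT(r) (1u << (r))

static const char *const request_names[R_COUNT] = {
    "READ_OPEN", "WRITE_OPEN", "APPEND_OPEN", "READ_WRITE_OPEN"
};

/* Translate open(2) flags into the request the decision function sees. */
enum request request_for_flags(int flags)
{
    switch (flags & O_ACCMODE) {
    case O_RDONLY:
        return R_READ_OPEN;
    case O_WRONLY:
        return (flags & O_APPEND) ? R_APPEND_OPEN : R_WRITE_OPEN;
    default: /* O_RDWR */
        return R_READ_WRITE_OPEN;
    }
}

/* Role-based policy: which requests a role may make on a labelled object.
 * No uid appears anywhere in the decision; uid 0 has no special standing,
 * which is the point of the argument in the mail above. */
struct rule {
    const char *role;
    const char *object;
    unsigned    allowed;   /* bitmask of REQ_BIT(request) */
};

static const struct rule policy[] = {
    { "webserver", "htdocs", REQ_BIT(R_READ_OPEN) },
    { "webserver", "logs",   REQ_BIT(R_APPEND_OPEN) },
    { "admin",     "htdocs", REQ_BIT(R_READ_OPEN) | REQ_BIT(R_WRITE_OPEN)
                           | REQ_BIT(R_APPEND_OPEN) | REQ_BIT(R_READ_WRITE_OPEN) },
};

/* Decision point: 0 = GRANTED, -EACCES = NOT_GRANTED. Default deny: a
 * (role, object) pair with no rule, or a request type the rule does not
 * list, is refused. */
int adf_request(const char *role, const char *object, int flags)
{
    enum request r = request_for_flags(flags);
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        if (strcmp(policy[i].role, role) == 0 &&
            strcmp(policy[i].object, object) == 0)
            return (policy[i].allowed & REQ_BIT(r)) ? 0 : -EACCES;
    }
    return -EACCES;
}

/* The hooked open: the request is decided first; only on GRANTED would
 * control fall through to the kernel's own open code. This userspace
 * model returns 0 in place of that fall-through. */
int mediated_open(const char *role, const char *object, int flags)
{
    int rc = adf_request(role, object, flags);
    if (rc != 0) {
        fprintf(stderr, "rsbac: role %s: %s on %s NOT_GRANTED\n",
                role, request_names[request_for_flags(flags)], object);
        return rc;
    }
    return 0;
}

int main(void)
{
    /* A webserver process, whatever its uid, may read htdocs and append to
     * logs, but may not open either for writing or read/write. */
    printf("read htdocs:  %d\n", mediated_open("webserver", "htdocs", O_RDONLY));
    printf("write htdocs: %d\n", mediated_open("webserver", "htdocs", O_WRONLY | O_TRUNC));
    printf("append logs:  %d\n", mediated_open("webserver", "logs", O_WRONLY | O_APPEND));
    printf("rdwr logs:    %d\n", mediated_open("webserver", "logs", O_RDWR | O_APPEND));
    return 0;
}
```

The design choice worth noticing is that O_RDWR | O_APPEND still maps to READ_WRITE_OPEN rather than APPEND_OPEN, so a "logs" rule that grants only appending does not leak a read/write handle through a flag combination; whatever mapping a real system uses, the check has to be on the translated request, not on individual flag bits.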