| 1 |
Let's play your game as you keep mixing up contexts and you're the one |
| 2 |
> making blanket statements not me and telling me you know what I know |
| 3 |
> better than myself. I merely said that methods of breaking RBAC have |
| 4 |
> been discussed and a kernel exploit is one of them. |
| 5 |
> |
| 6 |
> I haven't seen no methods in your mails of breaking nothing, only search |
| 7 |
in the web ones. |
| 8 |
|
| 9 |
|
| 10 |
> So show me how you can break out of the default apache on OpenBSD then? |
| 11 |
> |
| 12 |
|
| 13 |
With a bug in the portion of code with privileges. But it's not needed, any |
| 14 |
bug in any software (as ports that are not audited) that gets root in |
| 15 |
openbsd can kill apache process, but yeah it's clear that is nearly |
| 16 |
impossible to get a remote hole in coreutils because they audit his |
| 17 |
code..... |
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
> |
| 22 |
> |
| 23 |
> RBAC is part of the kernel yes and so stored in memory. It is also a |
| 24 |
> part of the kernel that is meant to be switchable. An exploit in the |
| 25 |
> kernel can not only bypass RBAC or switch it off it can even situate a |
| 26 |
> rootkit above the kernel leaving RBAC in place and having ALL rights |
| 27 |
> aka the root of the system. Yes a perfect policy may prevent an exploit |
| 28 |
> but it's equally possible that a perfect policy has to allow the |
| 29 |
> exploit for desired functionality. |
| 30 |
> |
| 31 |
> What do you think that grsec and rsbac is SELinux alike?, Brad Spender |
| 32 |
prove that selinux could be disabled because his stupid architecture of LSM |
| 33 |
with exported symbols, grsec and rsbac doesn't work at the horrible way |
| 34 |
that selinux does and has every code in main code everywhere, there is not |
| 35 |
a magic button "switch_off" as SELINUX. Grsec and Rsbac are not a part of |
| 36 |
the kernel are the kernel itself. In rsbac every syscalls are intercepted, |
| 37 |
any open(O_RDLY) calls done is intercepted and "substitute" by an READ_OPEN |
| 38 |
request that should be granted to work, the portion of code that has open |
| 39 |
calls has the rsbac calls ones there. |
| 40 |
|
| 41 |
Can you patch the kernel on the fly without accessing devices? or without |
| 42 |
modules interface? or without using ioports interface? just using syscall |
| 43 |
interface? prove it, but don't get surprised if you get your funny process |
| 44 |
killed because trying ring 0 changes from ring 3 is strictly forbidden |
| 45 |
through it, supervisor mode is called I think... |
| 46 |
|
| 47 |
If you can do it you can do then drivers from userspace without glue kernel |
| 48 |
layer as fuse does (yes in your information is needed a kernel interface to |
| 49 |
make it work, you can't do directly ring 0 interfaces with only userspace |
| 50 |
code... |
| 51 |
|
| 52 |
|
| 53 |
The question is what is more important, keeping attackers out or making |
| 54 |
> sure your policies are good enough to stop them. I prefer OpenBSD for |
| 55 |
> many reasons aside from just this anyway. |
| 56 |
> |
| 57 |
> At first sight it seems that you only want to make publicy of openbsd in a |
| 58 |
gentoo hardened mailing list in a thread of a user that asks explicetly to |
| 59 |
suggestions about it, at least with my answers he could check rbac data and |
| 60 |
could save something from them. With yours answers I don't know what can he |
| 61 |
take in clear. |
| 62 |
|
| 63 |
You turned this into a bashing of OpenBSD and I'm not sure anyone here |
| 64 |
> appreciates the hijacking of this thread, I should have known better |
| 65 |
> than to mention OpenBSD here and almost removed it before sending, lets |
| 66 |
> stop and agree to disagree. It's not the first time the importance of |
| 67 |
> RBACs bug exploitation prevention versus bug removal and prevention at |
| 68 |
> source has been discussed. Hopefully one day the Linux kernel will be |
| 69 |
> as bug free and capable to be safely as static as OpenBSDs, I also hope |
| 70 |
> OpenBSD gets a MAC one day too. Unfortunately I can't see either |
| 71 |
> happening. |
| 72 |
> |
| 73 |
|
| 74 |
I only correct your mistakes and try to avoid that the user gets confused |
| 75 |
by you, |
| 76 |
I have been all the thread showing that you noexec implemention does not |
| 77 |
work and exposed the reason about this and probable solutions. If you are |
| 78 |
blind about this don't try to extend your blindness to the user that wants |
| 79 |
suggestions. |
Archives