1 |
> I suggest you do some more reading at grsecurity.net or even the |
2 |
> OpenBSD mailing list. I haven't got time to hunt down the two references |
3 |
> that stick in my mind but keep your ears open and you may realise one |
4 |
> of the kernel exploits could/can/will do just that. Do you really |
5 |
> believe it's impossible??!! |
6 |
> |
7 |
I give you proofs because the arguments you defend are wrong, give |
8 |
proofs about the oposite if you can. |
9 |
|
10 |
I told you, with a secure TPE (so scripts fully controlled) tell me |
11 |
how to write one kernel exploit under bash without calling external |
12 |
code. |
13 |
|
14 |
|
15 |
>>> Shall we get rid of file permissions because we have RBAC. We could |
16 |
>>> but I can't see that happening and for good reason. |
17 |
> |
18 |
>> file permissions are discrectional, rbac mostly mandatory |
19 |
> |
20 |
> I have no idea what you are arguing with, you just keep trying to twist |
21 |
> what I say because you have a bee in your bonnet about MACs as the |
22 |
> answer to everything and a panacea, they aren't but they are useful as I |
23 |
> have said. Personally I wouldn't swap an OpenBSD kernel for the Linux |
24 |
> one with RBAC on my servers atleast. One day with a risky setup, I |
25 |
> might in that instance. I wonder why kernel.org didn't use RBACs, |
26 |
> especially RSBAC or even chroot. How embarrassing for such an automated |
27 |
> attack to get through. Is bugzilla.kernel.org still down? That wouldn't |
28 |
> have happened if they were using OpenBSD. It might be a good idea to use |
29 |
> a different kernel to the one they are hosting anyway even with many |
30 |
> eyes. And before you think well this is just me clutching at straws with |
31 |
> your tunnel vision, it relates exactly to what I was talking about |
32 |
> of likelihood of use. |
33 |
|
34 |
I have never said to eliminate DAC. I just told that ONLY DAC as |
35 |
openbsd do is a bad option and insecure. |
36 |
You can substitute DAC with RBAC (and RSBAC gives an option to do it). |
37 |
|
38 |
Now DAC and RBAC are layered, RBAC can be secure without DAC, DAC |
39 |
WOULD NEVER be secure without RBAC. |
40 |
|
41 |
|
42 |
> What is root, it is the root of the system not just a user. If it |
43 |
> didn't exist the kernel wouldn't be able to turn RBAC off now would it. |
44 |
> You have been drawn in by the wonderful marketing of imagine a system |
45 |
> where root doesn't exist. Would your analogy be the kernel recreates |
46 |
> root. If so, fine it makes no difference but is less correct. |
47 |
|
48 |
I repeat you (and get your ears cleaned) UID 0 is only relevant UNDER |
49 |
DAC approach. |
50 |
|
51 |
RBAC doesn't use UIDS just roles read about rbac AGAIN. And UID 0 |
52 |
under rbac can do NOTHING. UID 0 can't switch off nothing only role |
53 |
admin can do it, and usually is not UID 0, in rsbac is UID 400. |
54 |
|
55 |
Some binaries with independency of which user executes it, change to |
56 |
their own role and can do ONLY which his role can do., for example my |
57 |
syslog-ng role when executed can only access in append mode to logs |
58 |
files and mapping libraries under /lib, can just access to /dev/log. A |
59 |
exploit ran against syslog will NOT GET full control over the system |
60 |
even when ran under root account without dropping just to what his |
61 |
role can do. |
62 |
|
63 |
Root in a DAC can do which it does because the capabilities, in my |
64 |
system (I told you again) root has not capabilities, is just a simple |
65 |
user. |
66 |
|
67 |
As you can suppose this user 400 doesn't launch daemons (neither init) |
68 |
and run any software he just administrate the policy, and nobody can |
69 |
suid to his uid without getting authenticated (password) against UM |
70 |
module, so there is not way to get suid to his account in a exploit |
71 |
approach. |
72 |
|
73 |
I told you many times that TPE under proper RBAC is secure, because |
74 |
only a bash script without calling extern code could be launched as an |
75 |
exploit, so it's nearly impossible to do it. Write me a bash script |
76 |
kernel exploit if you can. |
77 |
|
78 |
Even with that this role admin or authority could be fixed forever |
79 |
just revoking to his role these privileges. |
80 |
|
81 |
|
82 |
> And yet your kernel has bugs added every day without much security |
83 |
> consideration. What you don't understand is that RBAC is a security |
84 |
> layer that the root of the system has control of. What can |
85 |
> your /sbin/init do, what can the kernel do? Some rootkits can actually |
86 |
> go the other side of the kernel even, far above where RBACs are. |
87 |
|
88 |
Read the orange book, this is the question because mandatory access |
89 |
controls exists to confinate damage and avoid them. My init can't suid |
90 |
to secoff UID, and he can't only call scripts and nothing more. Getty |
91 |
runs with his own role, scripts with their own, login with it's own |
92 |
and init with it's own. ROOT DOES NOT CONTROL RBAC, RBAC controls him. |
93 |
|
94 |
There is no way that a rootkit could access to kernel memory, |
95 |
/dev/mem, ioports an alike devices are fully controlled and module |
96 |
interfaz too and kernel sources too. Tell me how the hell can anyone |
97 |
launch a ring 0 rootkit, and give proofs as I did a not simple search |
98 |
in grsec or openbsd sites. |
99 |
|
100 |
|
101 |
> I repeat it ALL depends on the application, even the hardware. You |
102 |
> could reduce the Linux kernel right down to protect the RBAC. Which |
103 |
> was my original point. |
104 |
> |
105 |
RBAC IS the kernel, is the PCB. The PCB protects himself from |
106 |
userland, and root is part of this userland, and for this reason root |
107 |
has not rights over it, it has them over him. By this reason the |
108 |
access control is mandatory. |