| 1 |
> I suggest you do some more reading at grsecurity.net or even the |
| 2 |
> OpenBSD mailing list. I haven't got time to hunt down the two references |
| 3 |
> that stick in my mind but keep your ears open and you may realise one |
| 4 |
> of the kernel exploits could/can/will do just that. Do you really |
| 5 |
> believe it's impossible??!! |
| 6 |
> |
| 7 |
I give you proofs because the arguments you defend are wrong, give |
| 8 |
proofs about the oposite if you can. |
| 9 |
|
| 10 |
I told you, with a secure TPE (so scripts fully controlled) tell me |
| 11 |
how to write one kernel exploit under bash without calling external |
| 12 |
code. |
| 13 |
|
| 14 |
|
| 15 |
>>> Shall we get rid of file permissions because we have RBAC. We could |
| 16 |
>>> but I can't see that happening and for good reason. |
| 17 |
> |
| 18 |
>> file permissions are discrectional, rbac mostly mandatory |
| 19 |
> |
| 20 |
> I have no idea what you are arguing with, you just keep trying to twist |
| 21 |
> what I say because you have a bee in your bonnet about MACs as the |
| 22 |
> answer to everything and a panacea, they aren't but they are useful as I |
| 23 |
> have said. Personally I wouldn't swap an OpenBSD kernel for the Linux |
| 24 |
> one with RBAC on my servers atleast. One day with a risky setup, I |
| 25 |
> might in that instance. I wonder why kernel.org didn't use RBACs, |
| 26 |
> especially RSBAC or even chroot. How embarrassing for such an automated |
| 27 |
> attack to get through. Is bugzilla.kernel.org still down? That wouldn't |
| 28 |
> have happened if they were using OpenBSD. It might be a good idea to use |
| 29 |
> a different kernel to the one they are hosting anyway even with many |
| 30 |
> eyes. And before you think well this is just me clutching at straws with |
| 31 |
> your tunnel vision, it relates exactly to what I was talking about |
| 32 |
> of likelihood of use. |
| 33 |
|
| 34 |
I have never said to eliminate DAC. I just told that ONLY DAC as |
| 35 |
openbsd do is a bad option and insecure. |
| 36 |
You can substitute DAC with RBAC (and RSBAC gives an option to do it). |
| 37 |
|
| 38 |
Now DAC and RBAC are layered, RBAC can be secure without DAC, DAC |
| 39 |
WOULD NEVER be secure without RBAC. |
| 40 |
|
| 41 |
|
| 42 |
> What is root, it is the root of the system not just a user. If it |
| 43 |
> didn't exist the kernel wouldn't be able to turn RBAC off now would it. |
| 44 |
> You have been drawn in by the wonderful marketing of imagine a system |
| 45 |
> where root doesn't exist. Would your analogy be the kernel recreates |
| 46 |
> root. If so, fine it makes no difference but is less correct. |
| 47 |
|
| 48 |
I repeat you (and get your ears cleaned) UID 0 is only relevant UNDER |
| 49 |
DAC approach. |
| 50 |
|
| 51 |
RBAC doesn't use UIDS just roles read about rbac AGAIN. And UID 0 |
| 52 |
under rbac can do NOTHING. UID 0 can't switch off nothing only role |
| 53 |
admin can do it, and usually is not UID 0, in rsbac is UID 400. |
| 54 |
|
| 55 |
Some binaries with independency of which user executes it, change to |
| 56 |
their own role and can do ONLY which his role can do., for example my |
| 57 |
syslog-ng role when executed can only access in append mode to logs |
| 58 |
files and mapping libraries under /lib, can just access to /dev/log. A |
| 59 |
exploit ran against syslog will NOT GET full control over the system |
| 60 |
even when ran under root account without dropping just to what his |
| 61 |
role can do. |
| 62 |
|
| 63 |
Root in a DAC can do which it does because the capabilities, in my |
| 64 |
system (I told you again) root has not capabilities, is just a simple |
| 65 |
user. |
| 66 |
|
| 67 |
As you can suppose this user 400 doesn't launch daemons (neither init) |
| 68 |
and run any software he just administrate the policy, and nobody can |
| 69 |
suid to his uid without getting authenticated (password) against UM |
| 70 |
module, so there is not way to get suid to his account in a exploit |
| 71 |
approach. |
| 72 |
|
| 73 |
I told you many times that TPE under proper RBAC is secure, because |
| 74 |
only a bash script without calling extern code could be launched as an |
| 75 |
exploit, so it's nearly impossible to do it. Write me a bash script |
| 76 |
kernel exploit if you can. |
| 77 |
|
| 78 |
Even with that this role admin or authority could be fixed forever |
| 79 |
just revoking to his role these privileges. |
| 80 |
|
| 81 |
|
| 82 |
> And yet your kernel has bugs added every day without much security |
| 83 |
> consideration. What you don't understand is that RBAC is a security |
| 84 |
> layer that the root of the system has control of. What can |
| 85 |
> your /sbin/init do, what can the kernel do? Some rootkits can actually |
| 86 |
> go the other side of the kernel even, far above where RBACs are. |
| 87 |
|
| 88 |
Read the orange book, this is the question because mandatory access |
| 89 |
controls exists to confinate damage and avoid them. My init can't suid |
| 90 |
to secoff UID, and he can't only call scripts and nothing more. Getty |
| 91 |
runs with his own role, scripts with their own, login with it's own |
| 92 |
and init with it's own. ROOT DOES NOT CONTROL RBAC, RBAC controls him. |
| 93 |
|
| 94 |
There is no way that a rootkit could access to kernel memory, |
| 95 |
/dev/mem, ioports an alike devices are fully controlled and module |
| 96 |
interfaz too and kernel sources too. Tell me how the hell can anyone |
| 97 |
launch a ring 0 rootkit, and give proofs as I did a not simple search |
| 98 |
in grsec or openbsd sites. |
| 99 |
|
| 100 |
|
| 101 |
> I repeat it ALL depends on the application, even the hardware. You |
| 102 |
> could reduce the Linux kernel right down to protect the RBAC. Which |
| 103 |
> was my original point. |
| 104 |
> |
| 105 |
RBAC IS the kernel, is the PCB. The PCB protects himself from |
| 106 |
userland, and root is part of this userland, and for this reason root |
| 107 |
has not rights over it, it has them over him. By this reason the |
| 108 |
access control is mandatory. |
Archives