Gentoo Archives: gentoo-security

From: Joshua Brindle <method@g.o>
To: gentoo-hardened@l.g.o, gentoo-security@l.g.o, Niels Provos <provos@××××××××××.edu>
Subject: [gentoo-security] Re: [gentoo-hardened] Systrace resurrection
Date: Wed, 26 Apr 2006 14:09:10
Message-Id: 444F7D52.6090102@gentoo.org
In Reply to: [gentoo-security] Re: [gentoo-hardened] Systrace resurrection by Andrea Barisani
Andrea Barisani wrote:
> <snip>
>
> *sigh*
>
> I thought that this flamewar was dead. Ok, I kindly ask a hardened team
> review of this since I strongly believe this is not an issue, systrace is
> *not* a broken security model and yes it allows *controlled* privilege
> escalation if you configure it that way for removing the setuid bit on some
> binaries.
>
This is no flamewar. The model is broken by my standards. It bypasses
built-in DAC and capabilities in the kernel, making it the single attack
vector to gain all access on the system. Compare to grsecurity, rsbac,
selinux which do not bypass kernel access control or escalate privileges.

Further, the "let's ask the user if they want to allow this" is
inherently flawed. It is a discretionary model, the policy is in no way
analyzable. I suggest you read these articles:
http://securityblog.org/brindle/2006/03/25/security-anti-pattern-status-quo-encapsulation/
http://securityblog.org/brindle/2006/04/19/security-anti-pattern-path-based-access-control/

> If you have an argument to make please show me the technical details about it
> and let's discuss it.
>
> It's *not* part of hardened atm anyway and it won't be unless the hardened
> team accepts it. It will remain in the portage tree as long as I support it
> unless you show me a clear demonstration of your concerns.
>
First, it will never be accepted by hardened. Second, I believe that
security critical packages (particularly access control systems) should
go through hardened. Random developers *should not* be putting access
control mechanisms in the tree, users will have security expectations
that they cannot meet.
> BTW even with your concern the ptrace method (which can be entirely tested
> userspace) is still useful for debugging/testing, hence the userspace package
> has no reason for going away.
>
As long as it's clearly marked as a debugging tool and not as a security
tool.
> CC'ing systrace author btw (not subscribed to this list)

Great.
--
gentoo-security@g.o mailing list
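Editor's illustration of the mechanism being argued over (added here; it is not text from either participant and not a policy shipped by the systrace project). The syntax follows the systrace(1) policy format as recalled from its documentation: a `Policy:`/`Emulation:` header, one `native-<syscall>:` rule per line with a filter and a `then permit` or `then deny[errno]` action, and the `as root` elevation clause. The program path and file names are invented for the example; whether comment lines are accepted in a policy file is not assumed, so none are used.

```text
Policy: /usr/local/bin/example-daemon, Emulation: native
	native-fsread: filename eq "/etc/example.conf" then permit
	native-fsread: filename match "/usr/lib/*" then permit
	native-fswrite: filename match "/var/log/example/*" then permit
	native-fswrite: filename match "/etc/*" then deny[eperm]
	native-bind: sockaddr match "inet-*:80" then permit as root
```

Two features of such a policy bear on the disagreement above. The `filename` and `sockaddr` filters decide on the string the traced program handed to the system call, which is the path-based style of control the second article linked in the message criticises. The `permit as root` rule is the controlled privilege escalation Andrea describes: the binary is installed without the setuid bit and the tracer, rather than the kernel's setuid or capability handling, supplies root privilege for that one call, which is the bypass of kernel access control that Joshua objects to. As recalled from the systrace documentation, a call that matches no rule is referred to the interactive prompt, so the policy above is complete only for the calls it lists; everything else is decided ad hoc by whoever answers the prompt, which is the discretionary part of the model.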

Replies

Subject Author
Re: [gentoo-security] Re: [gentoo-hardened] Systrace resurrection Andrea Barisani <lcars@g.o>