List Archive: gentoo-security
Headers:
To: gentoo-hardened@g.o
From: "Miguel Figueiredo Mascarenhas Sousa Filipe" <miguel.filipe@...>
Subject: sysklog & syslog-ng: minimizing the number of root user daemons. WAS(Re: [gentoo-hardened] Reducing the number of setuids, root user daemons..et al)
Date: Wed, 11 Oct 2006 04:26:17 +0100
Hi once more,

On 10/10/06, Miguel Figueiredo Mascarenhas Sousa Filipe
<miguel.filipe@...> wrote:
> Hi again,
>
> On 10/8/06, Daniel Black <dragonheart@g.o> wrote:
> > On Friday 06 October 2006 01:07, Miguel Figueiredo Mascarenhas Sousa Filipe
> > wrote:
> > > Hi all,
> > >
> > > What do you guys think of:
> > >
> > > - reduce the number of setuid to the maximum
> > > - reduce the number of daemons running as root.
> >
> > Sounds good.
>
> Okay, in that case I will now work a bit on my suggestions and then I will
> post a reply detailing:

Purpose:
Provide safe defaults, apply the least privilege principle, and
introduce privilege separation where possible.


Okay, I took a stab at:
- sysklogd [1]
which was far too easy since gentoo already had the patches I need:
/usr/portage/app-admin/sysklogd/files/sysklogd-1.4.1-caen-owl-klogd-drop-root.diff
/usr/portage/app-admin/sysklogd/files/sysklogd-1.4.1-caen-owl-syslogd-bind.diff
/usr/portage/app-admin/sysklogd/files/sysklogd-1.4.1-caen-owl-syslogd-drop-root.diff

The objective is to make sysklogd run without root privileges;
that implies running:
klogd with user: klog, and chroot it in /var/empty (for instance..)
syslogd with user syslog

To do that, we must create the respective users and make all files
to which syslogd writes (log files) writable by syslog. I did this by
changing the ownership of these files to the "syslog" user.

Also, in /etc/conf.d/sysklogd we must add the following arguments to
each daemon:
klogd:  -u klogd -j /var/empty
syslogd: -u syslog


I also took a stab at:
- syslog-ng [2]
for syslog-ng, the application already supports running as an
unprivileged user, and chrooted.
from the man page:
syslog-ng  [ -C <chroot-dir> ] [ -u <user> ] [ -g <group> ]

the only needed thing is to change /etc/init.d/syslog-ng to read some
config file for syslog-ng (/etc/conf.d/syslog-ng would be nice) and
set these arguments there.

One should say that the privilege revocation on syslog-ng doesn't look
as solid as for sysklogd. The man page says that it will (not) work
depending on several conditions...

And that's it.

Bugs reported:
[1] sysklog: http://bugs.gentoo.org/show_bug.cgi?id=150845
[2] syslog-ng: http://bugs.gentoo.org/show_bug.cgi?id=150844


> - purpose
> - targeted applications (bugs will be opened)
>   - sysklogd
>   - dhcp3 (dhclient and dhcpd)
>   - vixie-cron
>   - the apps that are setuids because of /etc/shadow.. (I'll have to
> dig more on this)
>   - (not sure, some nfs/rcp apps)
> - modifications needed
> - their impact in increasing security, by reducing the number of
> setuids or root running daemons.
> - their impact on application maintenance, system maintenance/administration.
>
> >
> > > as example, openbsd and openwall (among others) both try to have sane
> > > setuids and setgids for things like:
> > > - cron/at service
> > > - syslog and klogd
> > > - passwd (on openwall, not sure about openbsd)
> > > and much more..
> > >
> > > those are the things I miss most, a sane default filesystem system
> > > permissions and a lot of services that can be running without root
> > > privileges..
> > >
> > > One interesting idea would be to use the /etc/shadow replacement that
> > > is present in openwall
> >
> > Not something I've looked at. Could you describe this a bit more?
>
> I will, in the meantime, let me just point out to the "homepage" of
> the "project":
> http://www.openwall.com/tcb/
> slide show info starting here:
> http://www.openwall.com/presentations/Owl/mgp00020.html
>
> >
> > > anyone knows if any of these things/ideas is being followed, if so,
> > > where can I find pointers to it?
> >
> > for the suid/daemons it's generally up to each package maintainer.
> >
> > What I'd suggest is to put in a bug report on how to make each package not
> > suid or root daemon.
>
> I will open bugs to the "affected" applications, and submit patches
> there, if needed.
>
> >
> > Also look for a place in the gentoo documentation to put these desirable
> > qualities and put some suggested text.
>
> Okay.
>
>
> Much of the focus will be in complementing gentoo-hardened with the
> hardening of specific frequently used subsystems (cron, syslogging,
> shadow related apps/setuids, dhcp ).
> By providing ways to remove their dependency in the root user for
> their correct operation.
> It is a bit "gentoo-hardened" oriented, because maintaining "hardened"
> patches for some applications might be something their maintainers are
> unwilling to do.
> So, this will also serve to assess the interest of the gentoo-hardened
> community in these proposals.
>
>
> Best regards,
>
> --
> Miguel Sousa Filipe
>


-- 
Miguel Sousa Filipe
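The "change the ownership of the log files" step above, as an added example that is not part of the original mail: a small POSIX shell helper that parses a sysklogd-style syslog.conf for the files syslogd writes to and reports (or, in "fix" mode, corrects) any that are not owned by the unprivileged user, so a syslogd started with "-u syslog" can still write them. It assumes the sysklogd selector/action syntax, GNU stat, log paths without whitespace, and the user name "syslog" from the mail.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumes sysklogd-style
# /etc/syslog.conf lines of the form "selector<tab>action", where a
# file action is an absolute path optionally prefixed with "-" (async).

# Print one absolute path per line for every file action in the given
# syslog.conf. Remote (@host), pipe (|), user-list and "*" actions are
# not files and are skipped.
syslog_log_files() {
    conf="$1"
    # drop comments and blank lines, then look at the action field only
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf" |
    awk '{ a = $NF; sub(/^-/, "", a); if (a ~ /^\//) print a }' |
    sort -u
}

# check_log_owner CONF USER [check|fix]
# For every log file named in CONF that exists, compare its owner to
# USER. In "check" mode (default) list mismatches and return 1 if any;
# in "fix" mode chown them to USER (needs root) and return 0.
check_log_owner() {
    conf="$1"; user="$2"; mode="${3:-check}"
    rc=0
    for f in $(syslog_log_files "$conf"); do
        [ -e "$f" ] || continue            # syslogd creates missing files itself
        owner=$(stat -c %U "$f" 2>/dev/null) || continue
        if [ "$owner" != "$user" ]; then
            if [ "$mode" = fix ]; then
                chown "$user" "$f"
            else
                echo "not owned by $user: $f (owner: $owner)"
                rc=1
            fi
        fi
    done
    return $rc
}

# Typical use before switching /etc/conf.d/sysklogd to "-u syslog":
#   check_log_owner /etc/syslog.conf syslog        # report
#   check_log_owner /etc/syslog.conf syslog fix    # as root: chown them
```

Files created after the switch (for example by log rotation) need the same owner, or syslogd will no longer be able to write to them.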
-- 
gentoo-security@g.o mailing list