I did some more Googling and found this post:

http://article.gmane.org/gmane.linux.gentoo.hardened/490

which is a (January) followup from Chris PeBenito to me. It makes more
sense now, at least.

I've managed to do a couple of things now with policies, so that I've
at least gotten to the point where I think I know what I'm doing --
enough to admin the box -- but far from being an expert. Here's what I
managed to come up with:

I wrote a security policy for a third-party proprietary CGI shopping
cart application (PDG Cart), which I hope is about 90% there; I should
find out tomorrow if it can actually post payments...

I had to tweak the apache2 policy a little bit so that SSL would work
properly. The stock policy has:

/var/cache/ssl.*\.sem -- system_u:object_r:httpd_cache_t

I had to add:

/var/cache/apache2 system_u:object_r:httpd_cache_t
/var/cache/apache2/ssl.*\.sem system_u:object_r:httpd_cache_t

since this seems to have moved in current versions of apache-2.

I relocated my PORTDIR and DISTDIR.

/var/lib/ntp/ntp.drift wasn't being labelled correctly; it looks like
this is fixed in the testing policy. I expect apache is probably fixed
that way too.

I took root out of users. It was a bit of a scary moment when I did:

$ su -
Password:
Unable to cd to "/root"

Of course, /root is not relabeled for root being a normal user. But
then, if you do relabel it, it has a context of
system_u:object_r:default_t, which is not right either. su without the
- works fine. However I suspect there is some more locking down to do
to keep root from doing bad things like various denial-of-service
attacks. Just as an example:

# dd if=/dev/zero of=/tmp/foo

This actually seems to lock up the machine in a bad way: An oops and a
kernel panic: Fatal Exception in Interrupt Handler, starring Sharon
Stone. I have a separate XFS /tmp filesystem, running
hardened-dev-sources. I could probably reproduce this, but won't...

Then there is the lovely don't-try-this-ever fork bomb:

: () { : | : & } ; : # don't run this unless you have set ulimit or
like rebooting

Resource limits are another issue, of course. You can also compile
stuff (using the /tmp directory). If you have it mounted with the
noexec option, you should be pretty safe, though, but you can still
waste resources.

Maybe there should be a guest_r role (or punk_r) for users we really
don't want to do anything?
--
Computer interfaces should never be made of meat.

Using GMail? Setting Reply-to address to <> disables this annoying feature.
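An added example, not from the original post and not libselinux or the Gentoo policy's own code: it resolves which label a path would receive from a set of file_contexts entries (regex anchored to the whole path, optional object-class field, last matching entry wins, a simplification of libselinux's matching), so a change like the apache2 cache lines above can be checked before relabelling. The entries are the ones quoted in the post; the `default_t` fallback and the sample paths are assumptions.

```python
import re

# Constructed sample entries copied from the post: the stock apache2 line,
# then the two lines added to the local policy.
STOCK = ["/var/cache/ssl.*\\.sem -- system_u:object_r:httpd_cache_t"]
ADDED = [
    "/var/cache/apache2 system_u:object_r:httpd_cache_t",
    "/var/cache/apache2/ssl.*\\.sem system_u:object_r:httpd_cache_t",
]

# Optional middle field of an entry: the object class it applies to.
TYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "char",
              "-b": "block", "-s": "socket", "-p": "fifo"}


def parse_entry(line):
    """Split 'regex [type] context' into (compiled regex, type or None, context)."""
    fields = line.split()
    if len(fields) == 3:
        regex, flag, context = fields
        ftype = TYPE_FLAGS[flag]
    elif len(fields) == 2:
        regex, context = fields
        ftype = None  # no type field: the entry applies to every object class
    else:
        raise ValueError("malformed file_contexts entry: %r" % line)
    # libselinux anchors the expression at both ends; fullmatch does the same.
    return re.compile(regex), ftype, context


def resolve(entries, path, ftype="file", default="system_u:object_r:default_t"):
    """Return the context `path` would get; the last matching entry wins.

    `default` is an assumed fallback standing in for whatever label the
    loaded policy gives to paths that no entry matches.
    """
    specs = [parse_entry(e) for e in entries]
    for regex, spec_type, context in reversed(specs):
        if regex.fullmatch(path) and spec_type in (None, ftype):
            return context
    return default


if __name__ == "__main__":
    sem = "/var/cache/apache2/ssl_mutex.sem"  # constructed path at the new location
    print("stock policy  :", resolve(STOCK, sem))          # default_t: unmatched
    print("with additions:", resolve(STOCK + ADDED, sem))  # httpd_cache_t
```

Note that the added `/var/cache/apache2` entry covers only the directory itself: anything created under it other than the `ssl*.sem` files still falls through to the default label.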