| 1 |
I did some more Googling and found this post: |
| 2 |
|
| 3 |
http://article.gmane.org/gmane.linux.gentoo.hardened/490 |
| 4 |
|
| 5 |
which is a (January) followup from Chris PeBenito to me. It makes more |
| 6 |
sense now, at least. |
| 7 |
|
| 8 |
I've managed to do a couple of things now with policies, so that I've |
| 9 |
at least gotten to the point where I think I know what I'm doing -- |
| 10 |
enough to admin the box -- but far from being an expert. Here's what I |
| 11 |
managed to come up with: |
| 12 |
|
| 13 |
I wrote a security policy for a third-party proprietary CGI shopping |
| 14 |
cart application (PDG Cart), which I hope is about 90% there; I should |
| 15 |
find out tomorrow if it can actually post payments... |
| 16 |
|
| 17 |
I had to tweak the apache2 policy a little bit so that SSL would work |
| 18 |
properl. The stock policy has: |
| 19 |
|
| 20 |
/var/cache/ssl.*\.sem -- system_u:object_r:httpd_cache_t |
| 21 |
|
| 22 |
I had to add: |
| 23 |
|
| 24 |
/var/cache/apache2 system_u:object_r:httpd_cache_t |
| 25 |
/var/cache/apache2/ssl.*\.sem system_u:object_r:httpd_cache_t |
| 26 |
|
| 27 |
since this seems to have moved in current versions of apache-2. |
| 28 |
|
| 29 |
I relocated my PORTDIR and DISTDIR. |
| 30 |
|
| 31 |
/var/lib/ntp/ntp.drift wasn't being labelled correctly; I looks like |
| 32 |
this is fixed in the testing policy. I expect apache is probably fixed |
| 33 |
that way too. |
| 34 |
|
| 35 |
I took root out of users. It was a bit of a scary moment when I did: |
| 36 |
|
| 37 |
$ su - |
| 38 |
Password: |
| 39 |
Unable to cd to "/root" |
| 40 |
|
| 41 |
Of course, /root is not relabeled for root being a normal user. But |
| 42 |
then, if you do relabel it, it's has a context of |
| 43 |
system_u:object_r:default_t, which is not right either. su without the |
| 44 |
- works fine. However I suspect there is some more locking down to do |
| 45 |
to keep root from doing bad things like various denial-of-service |
| 46 |
attacks. Just as a example: |
| 47 |
|
| 48 |
# dd if=/dev/zero of=/tmp/foo |
| 49 |
|
| 50 |
This actually seems to lock up the machine in a bad way: An oops and a |
| 51 |
kernel panic: Fatal Exception in Interrupt Handler, starring Sharon |
| 52 |
Stone. I have a separate XFS /tmp filesystem, running |
| 53 |
hardened-dev-sources. I could probably reproduce this, but won't... |
| 54 |
|
| 55 |
Then there is the lovely don't-try-this-ever fork bomb: |
| 56 |
|
| 57 |
: () { : | : & } ; : # don't run this unless you have set ulimit or |
| 58 |
like rebooting |
| 59 |
|
| 60 |
Resource limits are another issue, of course. You can also compile |
| 61 |
stuff (using the /tmp directory). If you have it mounted with the |
| 62 |
noexec option, you should be pretty safe, though, but you can still |
| 63 |
waste resources. |
| 64 |
|
| 65 |
Maybe there should be a guest_r role (or punk_r) for users we really |
| 66 |
don't want to do anything? |
| 67 |
-- |
| 68 |
Computer interfaces should never be made of meat. |
| 69 |
|
| 70 |
Using GMail? Setting Reply-to address to <> disables this annoying feature. |
| 71 |
|
| 72 |
-- |
| 73 |
gentoo-hardened@g.o mailing list |
Archives