| 1 |
On Fri, 15 Oct 2004, Joshua Brindle wrote: |
| 2 |
|
| 3 |
> How about running 'untrusted' code through any interpreter in your |
| 4 |
> trusted path, are you going to somehow prevent interpreters from |
| 5 |
> reading anything in non-root owned directories? This is a slippery |
| 6 |
> slope and quickly approaches the need for MAC. I repeat, TPE is a |
| 7 |
> broken model and should not be relied on for anything. |
| 8 |
|
| 9 |
TPE is not a flawed concept; you have a flawed understanding of it. For |
| 10 |
it to work, yes, you do need to have your interpreters honor it as well. |
| 11 |
ld.so shouldn't be in the trusted path, since it can't be trusted. (I |
| 12 |
haven't tried this with kernel-sponsored TPE; I don't know how well that |
| 13 |
would work. I probably won't have time to try it until next year.) |
| 14 |
|
| 15 |
Note that most of the people I've seen talking about TPE had basically |
| 16 |
the same understanding you appear to have possessed. It's the |
| 17 |
understanding that one would have if one studied only the first page of |
| 18 |
the first document I've read on the topic, or by reading all of most of |
| 19 |
the documents I've read on the topic. (The first document I read on it |
| 20 |
was handed to me by the senior admin of my college's computer center. I |
| 21 |
have not found its equal since, and I very much regret having given it |
| 22 |
to my roommate at the time, instead of photocopying it. I suspect that |
| 23 |
I also have a flawed understanding, as a result of that mistake.) |
| 24 |
|
| 25 |
Generally, my use of TPE is restricted to a subset of users, who are |
| 26 |
given a very strict subset of commands; most of those commands are |
| 27 |
either wrappers around normal commands, or they were written to honor |
| 28 |
TPE; the remainder are commands like head which are so basic they can't |
| 29 |
be exploited without using a commandline that the restricted shell will |
| 30 |
block. They never get telnet, ssh, or any other command that allows |
| 31 |
them to go elsewhere; there's too many potentials there. |
| 32 |
|
| 33 |
(Note: it may be permissible to allow some reading by the interpreters |
| 34 |
outside of root-owned space, but only for data purposes; any such grants |
| 35 |
should be by explicit allows, and should be carefully thought out. For |
| 36 |
example, I've given users in a TPE environment access to read some of my |
| 37 |
apache logs, which are in a directory owned by httpd; this directory |
| 38 |
mod 3755, the TP settings wouldn't allow writes even if the directory |
| 39 |
did.) |
| 40 |
|
| 41 |
> We should not recomment noexec, noexec does nothing at all. |
| 42 |
|
| 43 |
By itself, you're right. It requires much more work, and most of the |
| 44 |
recommendations I've seen for it don't come near the effort required. |
| 45 |
|
| 46 |
Ed |
| 47 |
|
| 48 |
-- |
| 49 |
gentoo-hardened@g.o mailing list |
Archives