On Fri, 15 Oct 2004, Joshua Brindle wrote:

> How about running 'untrusted' code through any interpreter in your
> trusted path, are you going to somehow prevent interpreters from
> reading anything in non-root owned directories? This is a slippery
> slope and quickly approaches the need for MAC. I repeat, TPE is a
> broken model and should not be relied on for anything.

TPE is not a flawed concept; you have a flawed understanding of it. For
it to work, yes, you do need to have your interpreters honor it as well.
ld.so shouldn't be in the trusted path, since it can't be trusted. (I
haven't tried this with kernel-sponsored TPE; I don't know how well that
would work. I probably won't have time to try it until next year.)

Note that most of the people I've seen talking about TPE had basically
the same understanding you appear to have possessed. It's the
understanding that one would have if one studied only the first page of
the first document I've read on the topic, or by reading all of most of
the documents I've read on the topic. (The first document I read on it
was handed to me by the senior admin of my college's computer center. I
have not found its equal since, and I very much regret having given it
to my roommate at the time, instead of photocopying it. I suspect that
I also have a flawed understanding, as a result of that mistake.)

Generally, my use of TPE is restricted to a subset of users, who are
given a very strict subset of commands; most of those commands are
either wrappers around normal commands, or they were written to honor
TPE; the remainder are commands like head which are so basic they can't
be exploited without using a commandline that the restricted shell will
block. They never get telnet, ssh, or any other command that allows
them to go elsewhere; there are too many potentials there.

(Note: it may be permissible to allow some reading by the interpreters
outside of root-owned space, but only for data purposes; any such grants
should be by explicit allows, and should be carefully thought out. For
example, I've given users in a TPE environment access to read some of my
apache logs, which are in a directory owned by httpd; this directory is
mod 3755, the TP settings wouldn't allow writes even if the directory
did.)

> We should not recommend noexec, noexec does nothing at all.

By itself, you're right. It requires much more work, and most of the
recommendations I've seen for it don't come near the effort required.

Ed

--
gentoo-hardened@g.o mailing list
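As an added illustration (not code from this thread or from any TPE implementation), here is the kind of check an interpreter or restricted-shell wrapper would have to apply for TPE to "honor it" in the sense Ed describes: only run files whose directory and file are owned by root (or an explicitly allowed uid) and are not writable by group or others. The `FileInfo` type, the `tpe_allowed` and `tpe_check_path` names, and the httpd uid 81 used in the comments are assumptions.

```python
"""Added example: a Trusted Path Execution (TPE) check as an interpreter
or wrapper might run it before loading a script. Assumed policy (not from
the thread): directory and file must be owned by root or an explicitly
allowed uid, and neither may be group- or world-writable."""
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileInfo:
    uid: int    # owner uid
    mode: int   # full st_mode (type bits, setgid/sticky, permission bits)


def _writable_by_others(mode: int) -> bool:
    """True if group or world may write to the object."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def tpe_allowed(dir_info: FileInfo, file_info: FileInfo,
                trusted_uids=(0,)) -> tuple:
    """Return (allowed, reason) for a file inside a directory.

    trusted_uids models the 'explicit allows' from the thread, e.g. (0, 81)
    to also trust an httpd-owned directory; root is trusted by default."""
    if dir_info.uid not in trusted_uids:
        return False, "directory not owned by a trusted uid"
    if _writable_by_others(dir_info.mode):
        return False, "directory is group- or world-writable"
    if file_info.uid not in trusted_uids:
        return False, "file not owned by a trusted uid"
    if _writable_by_others(file_info.mode):
        return False, "file is group- or world-writable"
    return True, "ok"


def tpe_check_path(path: str, trusted_uids=(0,)) -> tuple:
    """Apply tpe_allowed() to a real path. Symlinks are resolved first so
    the check covers the directory the file actually lives in."""
    real = os.path.realpath(path)
    st_file = os.stat(real)
    st_dir = os.stat(os.path.dirname(real))
    return tpe_allowed(FileInfo(st_dir.st_uid, st_dir.st_mode),
                       FileInfo(st_file.st_uid, st_file.st_mode),
                       trusted_uids)
```

A directory with mode 3755 (setgid + sticky, 755) passes the write-bit test, which is why the httpd-owned log directory in the note only needs its owner added to the allow list to be readable without opening a write path.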