Hi again,

On 10/8/06, Daniel Black <dragonheart@g.o> wrote:
> On Friday 06 October 2006 01:07, Miguel Figueiredo Mascarenhas Sousa Filipe
> wrote:
> > Hi all,
> >
> > What do you guys think of:
> >
> > - reduce the number of setuid to the maximum
> > - reduce the number of daemons running as root.
>
> Sounds good.

Okay, in that case I will now work a bit on my suggestions and then I will
post a reply detailing:
- purpose
- targeted applications (bugs will be opened)
  - sysklogd
  - dhcp3 (dhclient and dhcpd)
  - vixie-cron
  - the apps that are setuids because of /etc/shadow.. (I'll have to
    dig more on this)
  - (not sure, some nfs/rcp apps)
- modifications needed
- their impact in increasing security, by reducing the number of
  setuids or root running daemons.
- their impact on application maintenance, system maintenance/administration.

>
> > as an example, openbsd and openwall (among others) both try to have sane
> > setuids and setgids for things like:
> > - cron/at service
> > - syslog and klogd
> > - passwd (on openwall, not sure about openbsd)
> > and much more..
> >
> > those are the things I miss most, a sane default filesystem system
> > permissions and a lot of services that can be running without root
> > privileges..
> >
> > One interesting idea would be to use the /etc/shadow replacement that
> > is present in openwall
>
> Not something I've looked at. Could you describe this a bit more?

I will, in the meantime, let me just point to the "homepage" of
the "project":
http://www.openwall.com/tcb/
slide show info starting here:
http://www.openwall.com/presentations/Owl/mgp00020.html

>
> > anyone knows if any of these things/ideas is being followed, if so,
> > where can I find pointers to it?
>
> for the suid/daemons it's generally up to each package maintainer.
>
> What I'd suggest is to put in a bug report on how to make each package not
> suid or root daemon.

I will open bugs to the "affected" applications, and submit patches
there, if needed.

>
> Also look for a place in the gentoo documentation to put these desirable
> qualities and put some suggested text.

Okay.


Much of the focus will be in complementing gentoo-hardened with the
hardening of specific frequently used subsystems (cron, syslogging,
shadow related apps/setuids, dhcp).
By providing ways to remove their dependency on the root user for
their correct operation.
It is a bit "gentoo-hardened" oriented, because maintaining "hardened"
patches for some applications might be something their maintainers are
unwilling to do.
So, this will also serve to assess the interest of the gentoo-hardened
community in these proposals.


Best regards,

--
Miguel Sousa Filipe
--
gentoo-hardened@g.o mailing list