| 1 |
Hi again, |
| 2 |
|
| 3 |
On 10/8/06, Daniel Black <dragonheart@g.o> wrote: |
| 4 |
> On Friday 06 October 2006 01:07, Miguel Figueiredo Mascarenhas Sousa Filipe |
| 5 |
> wrote: |
| 6 |
> > Hi all, |
| 7 |
> > |
| 8 |
> > What do you guys think of: |
| 9 |
> > |
| 10 |
> > - reduce the number of setuid to the maximum |
| 11 |
> > - reduce the number of daemons running has root. |
| 12 |
> |
| 13 |
> Sounds good. |
| 14 |
|
| 15 |
Okay, in that case I will now work a bit on my suggestions and then I will |
| 16 |
post a reply detailing: |
| 17 |
- purpose |
| 18 |
- targeted aplications (bugs will be opened) |
| 19 |
- sysklogd |
| 20 |
- dhcp3 (dhclient and dhcpd) |
| 21 |
- vixie-cron |
| 22 |
- the apps that are setuids because of /etc/shadow.. (I'll have to |
| 23 |
dig more on this) |
| 24 |
- (not shure, some nfs/rcp apps) |
| 25 |
- modifications needed |
| 26 |
- their impact in increasing security, by reducing the number of |
| 27 |
setuids or root running daemons. |
| 28 |
- their impact on aplication maintenance, system maintenance/administration. |
| 29 |
|
| 30 |
> |
| 31 |
> > has example, openbsd and openwall (among others) both try to have sane |
| 32 |
> > setuids and setguids for things like: |
| 33 |
> > - cron/at service |
| 34 |
> > - syslog and klogd |
| 35 |
> > - passwd (on openwall, not shure about openbsd) |
| 36 |
> > and much more.. |
| 37 |
> > |
| 38 |
> > those are the things I miss most, a sane default filesystem system |
| 39 |
> > permissions and a lot of services that can be running without root |
| 40 |
> > privileges.. |
| 41 |
> > |
| 42 |
> > One interesting Idea would be to use the /etc/shadow replacement that |
| 43 |
> > is present in openwall |
| 44 |
> |
| 45 |
> Not something I've looked at. Could you describe this a bit more? |
| 46 |
|
| 47 |
I will, in the meantime, let me just point out to the "homepage" of |
| 48 |
the "project": |
| 49 |
http://www.openwall.com/tcb/ |
| 50 |
slide show info starting here: |
| 51 |
http://www.openwall.com/presentations/Owl/mgp00020.html |
| 52 |
|
| 53 |
> |
| 54 |
> > anyone knows if any of these things/ideas is being followed, if so, |
| 55 |
> > were can I find pointers to it? |
| 56 |
> |
| 57 |
> for the suid/daemons its generally up to each package maintainer. |
| 58 |
> |
| 59 |
> What I'd suggest is to put in a bug report on how to make each package not |
| 60 |
> suid or root daemon. |
| 61 |
|
| 62 |
I will open bugs to the "affected" aplications, and submit patches |
| 63 |
there, if needed. |
| 64 |
|
| 65 |
> |
| 66 |
> Also look for a place in the gentoo documentation to put these desireable |
| 67 |
> qualities and put some suggested text. |
| 68 |
|
| 69 |
Okay. |
| 70 |
|
| 71 |
|
| 72 |
Much of the focus will be in complementing gentoo-hardened with the |
| 73 |
hardening of specific frequently used subsystems (cron , sysloging, |
| 74 |
shadow related apps/setuids, dhcp ). |
| 75 |
By providing ways to remove their dependency in the root user for |
| 76 |
their correct operation. |
| 77 |
It is a bit "gentoo-hardened" oriented, because mantaining "hardened" |
| 78 |
patches for some aplications might be something their mantainers are |
| 79 |
unwilling to do. |
| 80 |
So, this will also serve to assess the interest of the gentoo-hardened |
| 81 |
comunity in this proposals. |
| 82 |
|
| 83 |
|
| 84 |
Best regards, |
| 85 |
|
| 86 |
-- |
| 87 |
Miguel Sousa Filipe |
| 88 |
-- |
| 89 |
gentoo-hardened@g.o mailing list |
Archives