| 1 |
On Mon, 06 Nov 2006 12:11:44 -0500, Longman, Bill <longman@×××××××××.com> |
| 2 |
wrote: |
| 3 |
|
| 4 |
>> Well, this gets at my original musing...... are you really |
| 5 |
>> safer with a |
| 6 |
>> grsecurity-hardened-chrooted VMware application (with root |
| 7 |
>> privileges, |
| 8 |
>> that uses at least some of the host's kernel) or a |
| 9 |
>> grsecurity-hardened-chrooted program with no privilege and only the |
| 10 |
>> additional executables necessary to keep it running. |
| 11 |
>> |
| 12 |
>> And if the answer is yes, are you significantly safer? |
| 13 |
>> |
| 14 |
>> In one sense there'd be a thicker layer between the host and |
| 15 |
>> the server, |
| 16 |
>> but in another sense the added complexity and root host |
| 17 |
>> privilege may add |
| 18 |
>> vulnerabilities? |
| 19 |
>> |
| 20 |
>> (Sorry if this is foolish...... the answer seems less than obvious) |
| 21 |
> |
| 22 |
> Well, let's say the uberhackers crack your box and rm -r /*. How much is |
| 23 |
> your time worth rebuilding from scratch? If the VM has been cloned, you |
| 24 |
> just |
| 25 |
> restart with the old VM. Takes about 12 seconds. |
| 26 |
> |
| 27 |
> Within that VM, you still have the option to run a hardened kernel or |
| 28 |
> just |
| 29 |
> chroot your services. |
| 30 |
> |
| 31 |
> The security angle is still a function of the inherent security of the |
| 32 |
> service. If your creaky FTP server hasn't been patched in two years, |
| 33 |
> that's |
| 34 |
> probably the weakest link. If the OS affords a buffer overrun to occur, |
| 35 |
> that's a more generic solution to ANY process on the system. Finally, |
| 36 |
> it's a |
| 37 |
> probability calculation between these factors. If your service is widely |
| 38 |
> accessible, it's going to get hit more often than a protected one. |
| 39 |
> |
| 40 |
> At the ultimate step, the uberhackers 0wn your box. Will they be able to |
| 41 |
> crack their way out of a process that provides them their OS? It's easy |
| 42 |
> to |
| 43 |
> detect that you're living inside a VMWare VM, but why would you care? |
| 44 |
> Why is |
| 45 |
> the REAL OS any better? |
| 46 |
|
| 47 |
THANK YOU for replying....... I'm over my head here. |
| 48 |
|
| 49 |
So as a case in point, consider Snort and presume that it has a backdoor |
| 50 |
(no overflow required)... |
| 51 |
|
| 52 |
I run it as user snort which is unprivileged and does one thing - runs |
| 53 |
snort in a hardened jail. |
| 54 |
|
| 55 |
/jail/snort/bin contains: |
| 56 |
|
| 57 |
total 1704 |
| 58 |
drwxr-xr-x 2 root root 4096 Sep 3 16:06 ./ |
| 59 |
drwxr-xr-x 10 root root 4096 Sep 3 16:06 ../ |
| 60 |
-rwxr-xr-x 1 root root 861372 Sep 3 16:06 bash* |
| 61 |
-rwxr-xr-x 1 root root 861372 Sep 3 16:06 sh* |
| 62 |
|
| 63 |
There is no root user or group defined within the jail. So IIUC, to do |
| 64 |
what you suggested, he would use a backdoor to get to sh from snort, and |
| 65 |
then change to user root, assume root privilege, break out of the jail, |
| 66 |
and then be free to run rm? (presuming also that RBAC would allow root to |
| 67 |
rm the box). |
| 68 |
|
| 69 |
OTOH, if I ran Snort within a VM (within a hardened jail), my jail would |
| 70 |
be running VM with root privileges, and if he cracked the VM, he'd already |
| 71 |
have root privileges? |
| 72 |
|
| 73 |
So I guess we're presuming that the risk of running VMWARE with user |
| 74 |
"root" is more than compensated for by the robustness of the VMware player? |
| 75 |
|
| 76 |
The other question has to do with VMware server vs player. I'd guess that |
| 77 |
one constructs his "appliance" with the server, and then plays it with the |
| 78 |
(smaller) player? |
| 79 |
|
| 80 |
TIA, Newbie |
| 81 |
|
| 82 |
-- |
| 83 |
gentoo-hardened@g.o mailing list |
Archives