1 |
On Mon, 06 Nov 2006 12:11:44 -0500, Longman, Bill <longman@×××××××××.com> |
2 |
wrote: |
3 |
|
4 |
>> Well, this gets at my original musing...... are you really |
5 |
>> safer with a |
6 |
>> grsecurity-hardened-chrooted VMware application (with root |
7 |
>> privileges, |
8 |
>> that uses at least some of the host's kernel) or a |
9 |
>> grsecurity-hardened-chrooted program with no privilege and only the |
10 |
>> additional executables necessary to keep it running. |
11 |
>> |
12 |
>> And if the answer is yes, are you significantly safer? |
13 |
>> |
14 |
>> In one sense there'd be a thicker layer between the host and |
15 |
>> the server, |
16 |
>> but in another sense the added complexity and root host |
17 |
>> privilege may add |
18 |
>> vulnerabilities? |
19 |
>> |
20 |
>> (Sorry if this is foolish...... the answer seems less than obvious) |
21 |
> |
22 |
> Well, let's say the uberhackers crack your box and rm -r /*. How much is |
23 |
> your time worth rebuilding from scratch? If the VM has been cloned, you |
24 |
> just |
25 |
> restart with the old VM. Takes about 12 seconds. |
26 |
> |
27 |
> Within that VM, you still have the option to run a hardened kernel or |
28 |
> just |
29 |
> chroot your services. |
30 |
> |
31 |
> The security angle is still a function of the inherent security of the |
32 |
> service. If your creaky FTP server hasn't been patched in two years, |
33 |
> that's |
34 |
> probably the weakest link. If the OS affords a buffer overrun to occur, |
35 |
> that's a more generic solution to ANY process on the system. Finally, |
36 |
> it's a |
37 |
> probability calculation between these factors. If your service is widely |
38 |
> accessible, it's going to get hit more often than a protected one. |
39 |
> |
40 |
> At the ultimate step, the uberhackers 0wn your box. Will they be able to |
41 |
> crack their way out of a process that provides them their OS? It's easy |
42 |
> to |
43 |
> detect that you're living inside a VMWare VM, but why would you care? |
44 |
> Why is |
45 |
> the REAL OS any better? |
46 |
|
47 |
THANK YOU for replying....... I'm over my head here. |
48 |
|
49 |
So as a case in point, consider Snort and presume that it has a backdoor |
50 |
(no overflow required)... |
51 |
|
52 |
I run it as user snort which is unprivileged and does one thing - runs |
53 |
snort in a hardened jail. |
54 |
|
55 |
/jail/snort/bin contains: |
56 |
|
57 |
total 1704 |
58 |
drwxr-xr-x 2 root root 4096 Sep 3 16:06 ./ |
59 |
drwxr-xr-x 10 root root 4096 Sep 3 16:06 ../ |
60 |
-rwxr-xr-x 1 root root 861372 Sep 3 16:06 bash* |
61 |
-rwxr-xr-x 1 root root 861372 Sep 3 16:06 sh* |
62 |
|
63 |
There is no root user or group defined within the jail. So IIUC, to do |
64 |
what you suggested, he would use a backdoor to get to sh from snort, and |
65 |
then change to user root, assume root privilege, break out of the jail, |
66 |
and then be free to run rm? (presuming also that RBAC would allow root to |
67 |
rm the box). |
68 |
|
69 |
OTOH, if I ran Snort within a VM (within a hardened jail), my jail would |
70 |
be running VM with root privileges, and if he cracked the VM, he'd already |
71 |
have root privileges? |
72 |
|
73 |
So I guess we're presuming that the risk of running VMWARE with user |
74 |
"root" is more than compensated for by the robustness of the VMware player? |
75 |
|
76 |
The other question has to do with VMware server vs player. I'd guess that |
77 |
one constructs his "appliance" with the server, and then plays it with the |
78 |
(smaller) player? |
79 |
|
80 |
TIA, Newbie |
81 |
|
82 |
-- |
83 |
gentoo-hardened@g.o mailing list |