He could always keep running X-window and his window manager (both) in
a chrooted environment; he just has to protect /dev/mem extremely well. Maybe he
would not need the /proc filesystem. If security is important, why not
keep the Xserver running isolated (in a VirtualBox, for example, and
hardened with RSBAC) and have remote users log in with Xnest through
an SSL tunnel? With that you get your untrusted users isolated from the
main system.

In my opinion, getting X-window running is bad from a security standpoint, for
these reasons:
- First: PaX should be disabled as far as mprotect is concerned, since Xorg needs that
(with it enabled, Xorg refuses to run).
- Second: Access to /dev/mem has to be granted, and keep in mind that the
CAP_SYS_RAWIO capability (among others) is needed too; for this reason, one
bug in the Xserver will give all control to the attacker (and keep in mind
that with access to /dev/mem all SELinux, RSBAC and grsecurity
policies are wasted effort). Since the mprotect protections have to be
disabled, PaX cannot protect you.
- Third: You must secure access to the display; making a
keylogger in X-window is easy if there is the possibility to connect
untrusted clients to it.

2008/11/25 RB <aoz.syn@×××××.com>:
> On Tue, Nov 25, 2008 at 08:00, Jan Klod <janklodvan@×××××.com> wrote:
>> Suppose, I want to take some extra precautions and set up PaX&co and MAC on a
>> workstation with Xorg and other nice KDE apps (only some of which should be
>> granted access to files in folder X). I would like to read others' opinion, if
>> I can get considerable security improvements or I will have to make that many
>> exceptions to those good rules, as it makes protection too useless?
>
> KDE (and to a lesser extent X) pretty much nullifies most application
> isolation efforts you're going to make. Even if you ran each
> application under a dedicated user and in its own chroot environment,
> the GUI provides IPC facilities that will readily bypass all your hard
> effort. As with your other email, clicking a link in one app opens a
> browser window in another, regardless of what user separation you
> might have - KDE does this under the covers, since it's what most
> users would actually want, but you perceive it as a security breach.
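As an added example (not part of the thread), a small POSIX sh audit for the two conditions the reply names on a running X server: whether its effective capability set still includes CAP_SYS_RAWIO (capability number 17, the one that gates /dev/mem and raw I/O) and whether PaX MPROTECT has been turned off for it. It parses /proc/PID/status; the "PaX:" line only exists on PaX/grsecurity kernels and its format (uppercase letter = feature on, lowercase = off) is an assumption stated in the comments. The sample status texts are constructed.

```shell
#!/bin/sh
# Constructed /proc/PID/status excerpts: an X server running with full
# root capabilities and MPROTECT off ("m" lowercase), and a hardened one.
SAMPLE_STATUS=$(printf 'Name:\tXorg\nCapEff:\t0000003fffffffff\nPaX:\tPemRs\n')
HARDENED_STATUS=$(printf 'Name:\tXorg\nCapEff:\t0000000000000000\nPaX:\tPeMRs\n')

CAP_SYS_RAWIO=17   # Linux capability number (see <linux/capability.h>)

# status_field KEY TEXT -> prints the value of "KEY:" from a status text
status_field() { printf '%s\n' "$2" | awk -v k="$1:" '$1 == k { print $2 }'; }

# cap_set HEXMASK BITNUM -> true if bit BITNUM is set in the CapEff mask.
# Works one hex digit at a time so it never needs 64-bit shell arithmetic.
cap_set() {
    mask=$1 bit=$2
    idx=$(( ${#mask} - 1 - bit / 4 ))          # hex digit holding the bit
    [ "$idx" -ge 0 ] || return 1
    digit=$(printf '%s' "$mask" | cut -c $((idx + 1)))
    val=$(printf '%d' "0x$digit")
    [ $(( (val >> (bit % 4)) & 1 )) -eq 1 ]
}

# pax_mprotect_disabled TEXT -> true if the PaX flags carry a lowercase 'm'
# (assumption: PaX status letters P,E,M,R,S; lowercase means disabled).
pax_mprotect_disabled() {
    flags=$(status_field PaX "$1")
    case $flags in *m*) return 0 ;; esac
    return 1
}

# audit_status TEXT -> prints one line per finding, exit code = finding count
audit_status() {
    n=0
    if cap_set "$(status_field CapEff "$1")" "$CAP_SYS_RAWIO"; then
        echo "CapEff includes CAP_SYS_RAWIO: /dev/mem and raw I/O reachable"; n=$((n + 1))
    fi
    if pax_mprotect_disabled "$1"; then
        echo "PaX MPROTECT disabled: W+X mappings allowed, PaX cannot help"; n=$((n + 1))
    fi
    return $n
}

# audit_pid PID -> live check; additionally reports an open /dev/mem descriptor
audit_pid() {
    n=0
    audit_status "$(cat "/proc/$1/status")" || n=$?
    if ls -l "/proc/$1/fd" 2>/dev/null | grep -q '/dev/mem'; then
        echo "open file descriptor on /dev/mem"; n=$((n + 1))
    fi
    return $n
}

findings=0; audit_status "$SAMPLE_STATUS" || findings=$?
echo "$findings finding(s) in constructed sample"
```

Run `audit_pid "$(pidof Xorg)"` on a real host to check the live server instead of the constructed sample.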