Hi once more,

On 10/10/06, Miguel Figueiredo Mascarenhas Sousa Filipe
<miguel.filipe@×××××.com> wrote:
> Hi again,
>
> On 10/8/06, Daniel Black <dragonheart@g.o> wrote:
> > On Friday 06 October 2006 01:07, Miguel Figueiredo Mascarenhas Sousa Filipe
> > wrote:
> > > Hi all,
> > >
> > > What do you guys think of:
> > >
> > > - reduce the number of setuids as much as possible
> > > - reduce the number of daemons running as root.
> >
> > Sounds good.
>
> Okay, in that case I will now work a bit on my suggestions and then I will
> post a reply detailing:

Purpose:
Provide safe defaults, apply the least privilege principle, and
introduce privilege separation where possible.


Okay, I took a stab at:
- sysklogd [1]
which was far too easy, since Gentoo already had the patches I need:
/usr/portage/app-admin/sysklogd/files/sysklogd-1.4.1-caen-owl-klogd-drop-root.diff
/usr/portage/app-admin/sysklogd/files/sysklogd-1.4.1-caen-owl-syslogd-bind.diff
/usr/portage/app-admin/sysklogd/files/sysklogd-1.4.1-caen-owl-syslogd-drop-root.diff

The objective is to make sysklogd run without root privileges.
That implies running:
klogd with user klog, chrooted in /var/empty (for instance..)
syslogd with user syslog

To do that, we must create the respective users.
Change all files to which syslogd writes (log files) to be writable by
syslog. I did this by changing the ownership of these files to the
"syslog" user.

Also, in /etc/conf.d/sysklogd we must add the following arguments to
each daemon:
klogd: -u klogd -j /var/empty
syslogd: -u syslog


I also took a stab at:
- syslog-ng [2]
For syslog-ng, the application already supports running as an
unprivileged user, and chrooted.
From the man page:
syslog-ng [ -C <chroot-dir> ] [ -u <user> ] [ -g <group> ]

The only thing needed is to change /etc/init.d/syslog-ng to read some
config file for syslog-ng (/etc/conf.d/syslog-ng would be nice) and
set these arguments there.

One should say that the privilege revocation on syslog-ng doesn't look
as solid as for sysklogd. The man page says that it will (not) work
depending on several conditions...

And that's it.

Bugs reported:
[1] sysklogd: http://bugs.gentoo.org/show_bug.cgi?id=150845
[2] syslog-ng: http://bugs.gentoo.org/show_bug.cgi?id=150844


> - purpose
> - targeted applications (bugs will be opened)
> - sysklogd
> - dhcp3 (dhclient and dhcpd)
> - vixie-cron
> - the apps that are setuid because of /etc/shadow.. (I'll have to
> dig more on this)
> - (not sure, some nfs/rcp apps)
> - modifications needed
> - their impact in increasing security, by reducing the number of
> setuids or root-running daemons.
> - their impact on application maintenance, system maintenance/administration.
>
> >
> > > As an example, OpenBSD and Openwall (among others) both try to have sane
> > > setuids and setgids for things like:
> > > - cron/at service
> > > - syslog and klogd
> > > - passwd (on Openwall, not sure about OpenBSD)
> > > and much more..
> > >
> > > Those are the things I miss most: sane default filesystem
> > > permissions and a lot of services that can run without root
> > > privileges..
> > >
> > > One interesting idea would be to use the /etc/shadow replacement that
> > > is present in Openwall.
> >
> > Not something I've looked at. Could you describe this a bit more?
>
> I will; in the meantime, let me just point out the "homepage" of
> the "project":
> http://www.openwall.com/tcb/
> Slide show info starting here:
> http://www.openwall.com/presentations/Owl/mgp00020.html
>
> >
> > > Does anyone know if any of these things/ideas is being followed? If so,
> > > where can I find pointers to it?
> >
> > For the suid/daemons it's generally up to each package maintainer.
> >
> > What I'd suggest is to put in a bug report on how to make each package not
> > suid or a root daemon.
>
> I will open bugs for the "affected" applications, and submit patches
> there, if needed.
>
> >
> > Also look for a place in the Gentoo documentation to put these desirable
> > qualities and put some suggested text.
>
> Okay.
>
>
> Much of the focus will be in complementing gentoo-hardened with the
> hardening of specific frequently used subsystems (cron, syslogging,
> shadow-related apps/setuids, dhcp),
> by providing ways to remove their dependency on the root user for
> their correct operation.
> It is a bit "gentoo-hardened" oriented, because maintaining "hardened"
> patches for some applications might be something their maintainers are
> unwilling to do.
> So, this will also serve to assess the interest of the gentoo-hardened
> community in these proposals.
>
>
> Best regards,
>
> --
> Miguel Sousa Filipe
>


--
Miguel Sousa Filipe
--
gentoo-hardened@g.o mailing list
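What a "drop root" switch such as sysklogd's -u/-j or syslog-ng's -C/-u/-g has to get right, as an added example that is not code from sysklogd, syslog-ng, the caen-owl patches or this thread. The account name ("syslog") and jail path passed on the command line are illustrative assumptions; the sequence itself (chroot then chdir, setgroups while still root, setgid before setuid, every return value checked, then a probe that root cannot be regained) is the standard POSIX ordering.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Primary uid/gid of a service account such as "syslog" or "klog".
 * Returns (uid_t)-1 / (gid_t)-1 if the account does not exist, i.e. the
 * user still has to be created before the daemon can be switched to it. */
uid_t uid_of(const char *name)
{
    struct passwd *pw = getpwnam(name);
    return pw ? pw->pw_uid : (uid_t)-1;
}

gid_t gid_of(const char *name)
{
    struct passwd *pw = getpwnam(name);
    return pw ? pw->pw_gid : (gid_t)-1;
}

/* Give up root in the order that makes the drop complete and irreversible:
 *   1. chroot() first (it needs root), then chdir("/") so the old cwd does
 *      not remain a handle to the outside of the jail;
 *   2. setgroups() while still root, because supplementary groups survive
 *      setuid() and cannot be cleared afterwards;
 *   3. setgid() before setuid(), because once the uid is unprivileged the
 *      gid can no longer be changed.
 * Every call is checked: an unchecked setuid() that fails leaves the daemon
 * running as root while believing it dropped privileges.
 * Returns 0 on success, -1 with errno set on failure. Started as an
 * unprivileged user it only re-asserts the current ids (chroot_dir must
 * then be NULL, since chroot() itself requires root). */
int drop_privileges(uid_t uid, gid_t gid, const char *chroot_dir)
{
    if (chroot_dir != NULL) {
        if (chroot(chroot_dir) != 0 || chdir("/") != 0)
            return -1;
    }
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Verify the drop after the fact: real and effective ids must match the
 * target, and for a non-root target setuid(0) must fail with EPERM, which
 * also proves the saved uid is not still 0. Returns 1 if fully dropped. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0 && (setuid(0) == 0 || errno != EPERM))
        return 0;
    return 1;
}

/* Usage (as root): ./drop-root klog /var/empty
 * Account name and jail directory are illustrative assumptions. */
int main(int argc, char **argv)
{
    const char *account = argc > 1 ? argv[1] : "syslog";
    const char *jail = argc > 2 ? argv[2] : NULL;
    uid_t uid = uid_of(account);
    gid_t gid = gid_of(account);

    if (uid == (uid_t)-1) {
        fprintf(stderr, "account %s does not exist; create it first\n", account);
        return 1;
    }
    if (drop_privileges(uid, gid, jail) != 0) {
        perror("drop_privileges");
        return 1;
    }
    if (!privileges_dropped(uid, gid)) {
        fprintf(stderr, "privileges not fully dropped\n");
        return 1;
    }
    printf("now running as %s (uid %u, gid %u)%s\n", account,
           (unsigned)uid, (unsigned)gid, jail ? " inside chroot" : "");
    return 0;
}
```

Run as root it performs the real drop; run unprivileged it only re-asserts the caller's own ids and confirms that root cannot be regained. The post-drop probe is the check worth keeping in any init script or patch review: a daemon whose setuid() call silently failed, or whose saved uid or supplementary group 0 survived, still passes a naive `ps` inspection but fails privileges_dropped().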