| 1 |
Hi once more, |
| 2 |
|
| 3 |
On 10/10/06, Miguel Figueiredo Mascarenhas Sousa Filipe |
| 4 |
<miguel.filipe@×××××.com> wrote: |
| 5 |
> Hi again, |
| 6 |
> |
| 7 |
> On 10/8/06, Daniel Black <dragonheart@g.o> wrote: |
| 8 |
> > On Friday 06 October 2006 01:07, Miguel Figueiredo Mascarenhas Sousa Filipe |
| 9 |
> > wrote: |
| 10 |
> > > Hi all, |
| 11 |
> > > |
| 12 |
> > > What do you guys think of: |
| 13 |
> > > |
| 14 |
> > > - reduce the number of setuid to the maximum |
| 15 |
> > > - reduce the number of daemons running has root. |
| 16 |
> > |
| 17 |
> > Sounds good. |
| 18 |
> |
| 19 |
> Okay, in that case I will now work a bit on my suggestions and then I will |
| 20 |
> post a reply detailing: |
| 21 |
|
| 22 |
Purpose: |
| 23 |
Provide safe defaults, apply the least privilege principle, and |
| 24 |
introduce privilege separation where possible. |
| 25 |
|
| 26 |
|
| 27 |
Okay, I took a stab at: |
| 28 |
- sysklogd [1] |
| 29 |
which was far too easy since gentoo already had the patches I need: |
| 30 |
/usr/portage/app-admin/sysklogd/files/sysklogd-1.4.1-caen-owl-klogd-drop-root.diff |
| 31 |
/usr/portage/app-admin/sysklogd/files/sysklogd-1.4.1-caen-owl-syslogd-bind.diff |
| 32 |
/usr/portage/app-admin/sysklogd/files/sysklogd-1.4.1-caen-owl-syslogd-drop-root.diff |
| 33 |
|
| 34 |
The objective is to make sysklogd run without root privileges |
| 35 |
that implies running: |
| 36 |
klogd with user: klog, and chroot it in /var/empty (for instance..) |
| 37 |
syslogd with user syslog |
| 38 |
|
| 39 |
to do that, we must create the respective users. |
| 40 |
Change all files to which syslogd writes (log files) writable by |
| 41 |
syslog. I did this by changing the ownership of these files to the |
| 42 |
"syslog" user |
| 43 |
|
| 44 |
Also, in /etc/conf.d/sysklogd we must add the following arguments to |
| 45 |
each daemon: |
| 46 |
klogd: -u klogd -j /var/empty |
| 47 |
syslogd: -u syslog |
| 48 |
|
| 49 |
|
| 50 |
I also took a stab at: |
| 51 |
- syslog-ng [2] |
| 52 |
for syslog-ng, the aplication allready supports running has a |
| 53 |
unprivileged user, and chrooted. |
| 54 |
from the man page: |
| 55 |
syslog-ng [ -C <chroot-dir> ] [ -u <user> ] [ -g <group> ] |
| 56 |
|
| 57 |
the only needed thing is to change /etc/init.d/syslog-ng to read some |
| 58 |
config file for syslog-ng (/etc/conf.d/syslog-ng would be nice) and |
| 59 |
set there this arguments. |
| 60 |
|
| 61 |
One should say that the privilege revocation on syslog-ng doesn't look |
| 62 |
has solid has for sysklogd. The man page refers that will (not) work |
| 63 |
depending on several conditions... |
| 64 |
|
| 65 |
And that's it. |
| 66 |
|
| 67 |
Bugs reported: |
| 68 |
[1] sysklog: http://bugs.gentoo.org/show_bug.cgi?id=150845 |
| 69 |
[2] syslog-ng: http://bugs.gentoo.org/show_bug.cgi?id=150844 |
| 70 |
|
| 71 |
|
| 72 |
> - purpose |
| 73 |
> - targeted aplications (bugs will be opened) |
| 74 |
> - sysklogd |
| 75 |
> - dhcp3 (dhclient and dhcpd) |
| 76 |
> - vixie-cron |
| 77 |
> - the apps that are setuids because of /etc/shadow.. (I'll have to |
| 78 |
> dig more on this) |
| 79 |
> - (not shure, some nfs/rcp apps) |
| 80 |
> - modifications needed |
| 81 |
> - their impact in increasing security, by reducing the number of |
| 82 |
> setuids or root running daemons. |
| 83 |
> - their impact on aplication maintenance, system maintenance/administration. |
| 84 |
> |
| 85 |
> > |
| 86 |
> > > has example, openbsd and openwall (among others) both try to have sane |
| 87 |
> > > setuids and setguids for things like: |
| 88 |
> > > - cron/at service |
| 89 |
> > > - syslog and klogd |
| 90 |
> > > - passwd (on openwall, not shure about openbsd) |
| 91 |
> > > and much more.. |
| 92 |
> > > |
| 93 |
> > > those are the things I miss most, a sane default filesystem system |
| 94 |
> > > permissions and a lot of services that can be running without root |
| 95 |
> > > privileges.. |
| 96 |
> > > |
| 97 |
> > > One interesting Idea would be to use the /etc/shadow replacement that |
| 98 |
> > > is present in openwall |
| 99 |
> > |
| 100 |
> > Not something I've looked at. Could you describe this a bit more? |
| 101 |
> |
| 102 |
> I will, in the meantime, let me just point out to the "homepage" of |
| 103 |
> the "project": |
| 104 |
> http://www.openwall.com/tcb/ |
| 105 |
> slide show info starting here: |
| 106 |
> http://www.openwall.com/presentations/Owl/mgp00020.html |
| 107 |
> |
| 108 |
> > |
| 109 |
> > > anyone knows if any of these things/ideas is being followed, if so, |
| 110 |
> > > were can I find pointers to it? |
| 111 |
> > |
| 112 |
> > for the suid/daemons its generally up to each package maintainer. |
| 113 |
> > |
| 114 |
> > What I'd suggest is to put in a bug report on how to make each package not |
| 115 |
> > suid or root daemon. |
| 116 |
> |
| 117 |
> I will open bugs to the "affected" aplications, and submit patches |
| 118 |
> there, if needed. |
| 119 |
> |
| 120 |
> > |
| 121 |
> > Also look for a place in the gentoo documentation to put these desireable |
| 122 |
> > qualities and put some suggested text. |
| 123 |
> |
| 124 |
> Okay. |
| 125 |
> |
| 126 |
> |
| 127 |
> Much of the focus will be in complementing gentoo-hardened with the |
| 128 |
> hardening of specific frequently used subsystems (cron , sysloging, |
| 129 |
> shadow related apps/setuids, dhcp ). |
| 130 |
> By providing ways to remove their dependency in the root user for |
| 131 |
> their correct operation. |
| 132 |
> It is a bit "gentoo-hardened" oriented, because mantaining "hardened" |
| 133 |
> patches for some aplications might be something their mantainers are |
| 134 |
> unwilling to do. |
| 135 |
> So, this will also serve to assess the interest of the gentoo-hardened |
| 136 |
> comunity in this proposals. |
| 137 |
> |
| 138 |
> |
| 139 |
> Best regards, |
| 140 |
> |
| 141 |
> -- |
| 142 |
> Miguel Sousa Filipe |
| 143 |
> |
| 144 |
|
| 145 |
|
| 146 |
-- |
| 147 |
Miguel Sousa Filipe |
| 148 |
-- |
| 149 |
gentoo-security@g.o mailing list |
Archives