[lug] preventing malicious scripts

D. Stimits stimits at idcomm.com
Fri Sep 7 17:27:36 MDT 2001


Gus Huber wrote:
> 
> On Fri, Sep 07, 2001 at 03:09:55PM -0600, D. Stimits wrote:
> > One of the good-side notes from the article mentions that several root
> > exploits require access to suid root programs, and the chroot
> > effectively removes that access. So even though root can do nasty
> > things, it becomes harder to gain root. Plus there are all kinds of
> > files that are just no longer available until chroot is broken...a
> > chicken-and-egg thing for the attacker. chroot isn't perfect, but it is
> > a strong aid.
> 
> I agree that chroot is a very effective manner of limiting access. I am just saying it is necessary to ensure that the application drops root privileges immediately after issuing the chroot(); most of the attacks described are kernel specific, where you as root would create a kernel memory device (and in OSs where memory access is denied the attacker would be SOL; see the secure levels in FreeBSD for an example of this). Once the attacker has access to all memory in the machine the attack is trivial. I have seen packages that do it, none of which were ever publicly released however. It is true you would not be dealing with your everyday script kiddies, but presuming they got that far in the first place they probably have half a brain, enough to dig up the information.
> 
> Under FBSD there is a more effective option called a jail, which is like a chroot but also has limited access to all syscalls which require super() privileges. It also is limited to the IP space bound to the jail.
> 
> Again I would like to make clear that while not foolproof, chroot is an extremely effective tool for hardening security on your out-of-the-box systems. If you are looking for much more security I suggest investigating trusted Unix operating systems such as Argus Systems Trusted Solaris, and any OSs which implement Mandatory Access Control.

The NSA version of Linux (http://www.nsa.gov/selinux/) has MAC
(Mandatory Access Control), which would make an interesting gateway,
router, firewall, or web server. Filesystems such as XFS support
extended filesystem control (ACLs, Access Control Lists), which aren't
so great by themselves, but could add to systems with MAC. The nice
thing about chroot (and as you mention, especially if you drop all root
priv after the chroot) is that it does not require modifying the kernel
or filesystem, aside from duplicating the portions you need within the
chroot directory.

D. Stimits, stimits at idcomm.com

> 
> Also of interest is libcap for Linux. It takes advantage of the capabilities in Linux which allow you to fine-tune the privileges processes have with a non-root uid. You can allow a process, for example, to only have the root-like capability to bind to raw sockets and nothing else. It is a very effective way to limit access.
> 
>         cheers,
>                 gus huber <gus at pbx.org>
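The ordering both posters settle on (chroot() first, because it needs root, then drop root immediately and confirm it cannot be regained) as an added C example; this is not code from either poster. The jail directory /var/jail and the uid/gid 65534 (nobody/nogroup) are assumed placeholders.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Order matters: chroot() requires root, so it comes first; chdir("/") keeps
 * the cwd inside the new root; supplementary groups and gid are dropped before
 * the uid because setgroups()/setgid() themselves need root. setuid() as root
 * sets real, effective AND saved uid, so there is no saved uid 0 to climb back
 * to. Returns 0 on success, -1 (errno set) at the first failing step. */
int jail_and_drop(const char *dir, uid_t uid, gid_t gid)
{
    if (chroot(dir) != 0)        return -1;
    if (chdir("/") != 0)         return -1;
    if (setgroups(0, NULL) != 0) return -1;   /* clear supplementary groups */
    if (setgid(gid) != 0)        return -1;
    if (setuid(uid) != 0)        return -1;
    return 0;
}

/* Confirms the drop is irreversible: a process that can still setuid(0) has
 * kept a saved uid of 0 (e.g. only seteuid() was used) and could escape the
 * chroot. Returns 1 if unprivileged, 0 if root could still be regained. */
int verify_unprivileged(void)
{
    if (geteuid() == 0)
        return 0;
    if (setuid(0) == 0)      /* must fail with EPERM once root is gone */
        return 0;
    return errno == EPERM;
}

int main(int argc, char **argv)
{
    /* Assumed: argv[1] is a prepared chroot tree, default placeholder /var/jail. */
    const char *dir = argc > 1 ? argv[1] : "/var/jail";
    uid_t uid = 65534;   /* assumed unprivileged ids (nobody/nogroup) */
    gid_t gid = 65534;

    if (jail_and_drop(dir, uid, gid) != 0) {
        perror("jail_and_drop");
        return 1;
    }
    if (!verify_unprivileged()) {
        fprintf(stderr, "still able to regain root; refusing to continue\n");
        return 1;
    }
    printf("running as uid %u inside %s\n", (unsigned)getuid(), dir);
    return 0;
}
```

Run it as root with a populated jail directory; without root the chroot() step fails with EPERM, which is the expected refusal.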
