Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Firewall Wizards: Re: chroot useful?

Re: chroot useful?

From: Anton J Aylward <anton_at_toronto.com>
Date: Mon, 17 Nov 1997 07:03:37 -0500

At 09:29 PM 16/11/97 +0000, Steven M. Bellovin wrote:
## Reply Start ##

>As for the other suggestions that you and others have made for locking down
>a UNIX-flavored system: many of these have the right flavor. All of them
>involve making complex decisions, such as the resolv.conf dependency
>mentioned by Marcus. And you might miss something -- there are lots of
>system calls these days, and the interactions are complex. Or there might
>be other flaws in the environment passed to the application, such as open
>file descriptors.

UNIX certainly has grown complex since I first worked on the V6 kernel.
I'm not sure a lot of that complexity can be justified other than by
the marketing types, but that's a separate issue.

My suggestion to go for the syscall table, which Marcus supplied
file name info for in another posting, is one way I wold try
to address this. We've inherited a mess of spaghetti, in that
most of us would never design an OS this involved from the point
of view of a functional specification. But we've been grandfathered.
At lest when hardening a kernel for a firewall we can broadly say
"we don't need that here".

A table driven approach, I have found, localizes the decision points
and - to some degree - simplifies the maintainability for those who
come after.

As for passing file descriptors..... how else would I be able to
run smap ;-)

>I like chroot() for file restrictions because both the concept and the
>implementation are very simple. Securing an execution environment is far
>more complex, and hence far harder to get right. At that, I'll note that
>the original public release of chroot() itself was insecure, and that even
>today there is still the subtle relationship between working directory and
>root.

Onionskin.
Without a clean sheet I doubt we'd be able to do EVERYTHING in one
operation.

Thw CWD/ROOTDIR relationship problem can be overcome. The issue
to my mind is that no-one thought this thru beforehand, and no spec
of the 'side effects' was considered. Yes, you could FORCE a chdir()
to the new root, but somewhere, just like closing file descriptors
on daemons and moving them off mounted file systems and all that,
its the responsibility for the application programmer. Sigh.

/anton

>
## Reply End ##
--------------------------------------------------------------------------
Anton J Aylward | "Quality refers to the extent to which
The Strahn & Strachan Group Inc | processes, products, services, and
Information Security Consultants | relationships are free from defects,
Voice: (416) 421-8182 | constraints and items which do not add
  Fax: (416) 421-8183 | value." - Dr. Mildred G Pryor, 1995
Received on Nov 17 1997

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos