From owner-freebsd-security@FreeBSD.ORG Wed Nov 8 04:19:45 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CB69A16A415 for ; Wed, 8 Nov 2006 04:19:45 +0000 (UTC) (envelope-from wes@opensail.org) Received: from softweyr.homeunix.net (cpe-24-161-160-202.san.res.rr.com [24.161.160.202]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8096843D53 for ; Wed, 8 Nov 2006 04:19:43 +0000 (GMT) (envelope-from wes@opensail.org) Received: from [204.68.178.34] (gulliver.softweyr.com [204.68.178.34]) (authenticated bits=0) by softweyr.homeunix.net (8.13.6/8.13.6) with ESMTP id kA84JeKC017973 for ; Tue, 7 Nov 2006 20:19:42 -0800 (PST) (envelope-from wes@opensail.org) Mime-Version: 1.0 (Apple Message framework v752.2) In-Reply-To: <20061104163000.30D2516A7A6@hub.freebsd.org> References: <20061104163000.30D2516A7A6@hub.freebsd.org> Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: <0C344F30-40A1-4B08-A1C7-3F8CD536244D@opensail.org> Content-Transfer-Encoding: 7bit 
From: Wes Peters Date: Tue, 7 Nov 2006 20:19:40 -0800 To: freebsd-security@freebsd.org X-Mailer: Apple Mail (2.752.2) X-Scanned-By: MIMEDefang 2.57 on 204.68.178.2 Subject: Re: freebsd-security Digest, Vol 184, Issue 2 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Nov 2006 04:19:45 -0000

On Nov 4, 2006, at 8:30 AM, Wesley Shields wrote:

> On Fri, Nov 03, 2006 at 07:54:59AM -0800, Ricardo A. Reis wrote:
> [...]
>> In the II COLARIS - Joanna Rutkowska alert the possible new technology of Malware's using hardware virtualization, present in AMD and INTEL new processor.
>>
>> I've two questions ...
>>
>> 1) How is possible detect if my system is moved inside a VM on the fly ?
>
> She has discussed various solutions for this problem, and why she believes they may or may not work. The one most people suggest is to time how long it takes for various instructions to run, but this can be tricked by the VMM-rootkit. I'd suggest reading:
>
> http://theinvisiblethings.blogspot.com/2006/08/blue-pill-detection.html

One thing that leaps immediately to mind is a startup check to see if this 'dmesg.boot' differs from the previous one. Rather than overwriting the previous one, move it to a backup, create the new one, and log something if they differ. I hacked this up in a couple of minutes:

--- /etc/rc.d/dmesg Sat May 6 21:00:26 2006
+++ dmesg Tue Nov 7 20:17:47 2006
@@ -19,8 +19,10 @@ do_dmesg() { - rm -f ${dmesg_file} + mv -f ${dmesg_file} ${dmesg_file}.prev ( umask 022 ; /sbin/dmesg $rc_flags > ${dmesg_file} ) + cmp -s ${dmesg_file} ${dmesg_file}.prev || \ + logger -p security.warn 'dmesg.boot changed from previous boot' } load_rc_config $name

If you like that, I'm willing to discuss it further, and/or commit it and let the howling tell if it's a keeper or not. ;^)

-- 
Where am I, and what am I doing in this handbasket?
Wes Peters wes@softweyr.com

From owner-freebsd-security@FreeBSD.ORG Wed Nov 8 07:28:19 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EDC9516A403 for ; Wed, 8 Nov 2006 07:28:19 +0000 (UTC) (envelope-from wes@opensail.org) Received: from softweyr.homeunix.net (cpe-24-161-160-202.san.res.rr.com [24.161.160.202]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9FEA543D45 for ; Wed, 8 Nov 2006 07:28:19 +0000 (GMT) (envelope-from wes@opensail.org) Received: from [204.68.178.34] (gulliver.softweyr.com [204.68.178.34]) (authenticated bits=0) by softweyr.homeunix.net (8.13.6/8.13.6) with ESMTP id kA87SHDU037718; Tue, 7 Nov 2006 23:28:18 -0800 (PST) (envelope-from wes@opensail.org) In-Reply-To: <20061108082233.agry96udb4k0sckk@webmail.leidinger.net> References: <20061104163000.30D2516A7A6@hub.freebsd.org> <0C344F30-40A1-4B08-A1C7-3F8CD536244D@opensail.org> <20061108082233.agry96udb4k0sckk@webmail.leidinger.net> Mime-Version: 1.0 (Apple Message framework v752.2) X-Priority: 3 (Normal) Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: <1794F6F9-3F65-4771-ACF6-23D00101B72D@opensail.org> Content-Transfer-Encoding: 7bit
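Review bot: the mv/cmp pair in the do_dmesg() hunk misfires when ${dmesg_file} does not exist yet (first boot after this change, or after the file was removed): `mv -f` then prints an error where the old `rm -f` was silent, no .prev file is created, and `cmp -s ${dmesg_file} ${dmesg_file}.prev` exits non-zero because its second operand is missing, so `logger -p security.warn` reports a change on a boot where nothing changed. Gate the comparison on the previous capture existing, for example `[ -f ${dmesg_file}.prev ] && ! cmp -s ${dmesg_file} ${dmesg_file}.prev && logger -p security.warn 'dmesg.boot changed from previous boot'`, and test for ${dmesg_file} before the mv. The raw byte comparison is also too strict to be useful as written: the per-boot `Timecounter "..." frequency ... Hz` values that Alexander Leidinger names in his replies differ from one boot to the next, so both files need those numbers blanked (a sed or grep -v pass) before cmp, or the warning becomes background noise nobody reads. Two limits deserve a comment in the script: dmesg.boot records only the boot-time probe, so a hypervisor that inserts itself after boot (the "on the fly" case in the quoted question) leaves it unchanged, and ${dmesg_file}.prev lives on the same root-writable filesystem as the file it is compared against, so anything able to rewrite one can rewrite the other; shipping the capture off-host (remote syslog, or a copy on read-only media) is what makes the comparison trustworthy.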
From: Wes Peters Date: Tue, 7 Nov 2006 23:28:15 -0800 To: Alexander Leidinger X-Mailer: Apple Mail (2.752.2) X-Scanned-By: MIMEDefang 2.57 on 204.68.178.2 Cc: freebsd-security@freebsd.org Subject: Re: freebsd-security Digest, Vol 184, Issue 2 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Nov 2006 07:28:20 -0000

On Nov 7, 2006, at 11:22 PM, Alexander Leidinger wrote:

> Quoting Wes Peters (from Tue, 7 Nov 2006 20:19:40 -0800):
>
>> --- /etc/rc.d/dmesg Sat May 6 21:00:26 2006
>> +++ dmesg Tue Nov 7 20:17:47 2006
>> @@ -19,8 +19,10 @@ >> do_dmesg() >> { >> - rm -f ${dmesg_file} >> + mv -f ${dmesg_file} ${dmesg_file}.prev >> ( umask 022 ; /sbin/dmesg $rc_flags > ${dmesg_file} ) >> + cmp -s ${dmesg_file} ${dmesg_file}.prev || \ >> + logger -p security.warn 'dmesg.boot changed from >> previous boot' >> } >> load_rc_config $name
>>
>> If you like that, I'm willing to discuss it further, and/or commit it and let the howling tell if it's a keeper or not. ;^)
>
> Did you try this? I didn't, but I would expect to see this message _every time_ (because of minor timecounter rate changes).

Yes, but only once, and then forced a change by re-running it. Maybe I just got 'lucky.' Feel free to suggest 'better' tests, or parts to throw out of dmesg.boot before the test.

-- 
Where am I, and what am I doing in this handbasket?
Wes Peters wes@softweyr.com

From owner-freebsd-security@FreeBSD.ORG Wed Nov 8 12:39:45 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2D3A616A403 for ; Wed, 8 Nov 2006 12:39:45 +0000 (UTC) (envelope-from artifact.one@googlemail.com) Received: from nz-out-0102.google.com (nz-out-0102.google.com [64.233.162.205]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3686643D5A for ; Wed, 8 Nov 2006 12:39:44 +0000 (GMT) (envelope-from artifact.one@googlemail.com) Received: by nz-out-0102.google.com with SMTP id o37so1288746nzf for ; Wed, 08 Nov 2006 04:39:43 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=googlemail.com; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=qp1rWNoohsWcHAdYk8LEWAlAuOimwI3ReYBmI+Q5jNNRD01YFg9T3r55tiVWiTmnErb/tzT9x5lnwVWXGhH4OZsQ+p0AQ1WQG58DQG4uIGVm64ymOdCIrC25FNKqaYm8QpAY89Sr9TKOu4lrwtKHKaDMY2Am+bwwrAR/OvlJItU= Received: by 10.64.253.12 with SMTP id a12mr9762230qbi.1162989583005; Wed, 08 Nov 2006 04:39:43 -0800 (PST) Received: by 10.65.237.20 with HTTP; Wed, 8 Nov 2006 04:39:42 -0800 (PST) Message-ID: <8e96a0b90611080439n558022edj79febf458494ef6e@mail.gmail.com> Date: Wed, 8 Nov 2006 12:39:42 +0000
From: "mal content" To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Subject: Sandboxing X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Nov 2006 12:39:45 -0000

Hi.

This is mostly hypothetical, just because I want to see how knowledgeable people would go about achieving it:

I want to sandbox Mozilla Firefox. For the sake of example, I'm running it under my own user account. The idea is that it should be allowed to connect to the X server, it should be allowed to write to ~/.mozilla and /tmp.

I expect some configurations would want access to audio devices in /dev, but for simplicity, that's ignored here.

All other filesystem access is denied.

Ready...

Go!

MC

From owner-freebsd-security@FreeBSD.ORG Wed Nov 8 12:41:55 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6EF2F16A412 for ; Wed, 8 Nov 2006 12:41:55 +0000 (UTC) (envelope-from artifact.one@googlemail.com) Received: from wr-out-0506.google.com (wr-out-0506.google.com [64.233.184.230]) by mx1.FreeBSD.org (Postfix) with ESMTP id 033F343D49 for ; Wed, 8 Nov 2006 12:41:54 +0000 (GMT) (envelope-from artifact.one@googlemail.com) Received: by wr-out-0506.google.com with SMTP id 71so451151wri for ; Wed, 08 Nov 2006 04:41:54 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=googlemail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=T/9HOShrTL1XnbI/tsl3bY7bDoTwv3ETaKBaj9oIvBPAMkvMWikYjQuE5tMdo5ivbw48my9afF71jA0yBVb4S7SLYGso9WWyenAC4YHkbx1PBT1OTAFIZDuL6gHnbWeJqrH1IaGn+Yor5aTxMsmLJ9FpkZST8ehHz6c30p47KXw= Received: by 10.65.20.15 with SMTP id x15mr12082638qbi.1162989712790; Wed, 08 Nov 2006 04:41:52 -0800 (PST) Received: by 10.65.237.20 with HTTP; Wed, 8 Nov 2006 04:41:52 -0800 (PST) Message-ID: <8e96a0b90611080441t2b486637ya10acd5a1dd77690@mail.gmail.com> Date: Wed, 8 Nov 2006 12:41:52 +0000
From: "mal content" To: freebsd-security@freebsd.org In-Reply-To: <8e96a0b90611080439n558022edj79febf458494ef6e@mail.gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <8e96a0b90611080439n558022edj79febf458494ef6e@mail.gmail.com> Subject: Re: Sandboxing X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Nov 2006 12:41:55 -0000

On 08/11/06, mal content wrote:
> Hi.
>
> This is mostly hypothetical, just because I want to see how knowledgeable people would go about achieving it:
>
> I want to sandbox Mozilla Firefox. For the sake of example, I'm running it under my own user account. The idea is that it should be allowed to connect to the X server, it should be allowed to write to ~/.mozilla and /tmp.
>
> I expect some configurations would want access to audio devices in /dev, but for simplicity, that's ignored here.
>
> All other filesystem access is denied.
>
> Ready...
>
> Go!
>
> MC
>

I forgot to add: Use of TrustedBSD extensions is, of course, allowed.
From owner-freebsd-security@FreeBSD.ORG Wed Nov 8 07:22:47 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3331716A403 for ; Wed, 8 Nov 2006 07:22:47 +0000 (UTC) (envelope-from alexander@leidinger.net) Received: from redbull.bpaserver.net (redbullneu.bpaserver.net [213.198.78.217]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9092C43D46 for ; Wed, 8 Nov 2006 07:22:46 +0000 (GMT) (envelope-from alexander@leidinger.net) Received: from outgoing.leidinger.net (p54A5FE6A.dip.t-dialin.net [84.165.254.106]) by redbull.bpaserver.net (Postfix) with ESMTP id 21F4C2E21D; Wed, 8 Nov 2006 08:22:42 +0100 (CET) Received: from webmail.leidinger.net (webmail.Leidinger.net [192.168.1.102]) by outgoing.leidinger.net (Postfix) with ESMTP id 46DEB5B4C35; Wed, 8 Nov 2006 08:22:34 +0100 (CET) Received: (from www@localhost) by webmail.leidinger.net (8.13.8/8.13.8/Submit) id kA87MXOu045701; Wed, 8 Nov 2006 08:22:33 +0100 (CET) (envelope-from Alexander@Leidinger.net) Received: from pslux.cec.eu.int (pslux.cec.eu.int [158.169.9.14]) by webmail.leidinger.net (Horde MIME library) with HTTP; Wed, 08 Nov 2006 08:22:33 +0100 Message-ID: <20061108082233.agry96udb4k0sckk@webmail.leidinger.net> X-Priority: 3 (Normal) Date: Wed, 08 Nov 2006 08:22:33 +0100 
From: Alexander Leidinger To: Wes Peters References: <20061104163000.30D2516A7A6@hub.freebsd.org> <0C344F30-40A1-4B08-A1C7-3F8CD536244D@opensail.org> In-Reply-To: <0C344F30-40A1-4B08-A1C7-3F8CD536244D@opensail.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8; DelSp="Yes"; format="flowed" Content-Disposition: inline Content-Transfer-Encoding: quoted-printable User-Agent: Internet Messaging Program (IMP) H3 (4.1.3) / FreeBSD-7.0 X-BPAnet-MailScanner-Information: Please contact the ISP for more information X-BPAnet-MailScanner: Found to be clean X-BPAnet-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=-2.363, required 6, BAYES_00 -2.60, DK_POLICY_SIGNSOME 0.00, FORGED_RCVD_HELO 0.14, J_CHICKENPOX_84 0.60, SMILEY -0.50) X-BPAnet-MailScanner-From: alexander@leidinger.net X-Spam-Status: No X-Mailman-Approved-At: Wed, 08 Nov 2006 12:54:32 +0000 Cc: freebsd-security@freebsd.org Subject: Re: freebsd-security Digest, Vol 184, Issue 2 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Nov 2006 07:22:47 -0000

Quoting Wes Peters (from Tue, 7 Nov 2006 20:19:40 -0800):

> --- /etc/rc.d/dmesg Sat May 6 21:00:26 2006
> +++ dmesg Tue Nov 7 20:17:47 2006
> @@ -19,8 +19,10 @@ > do_dmesg() > { > - rm -f ${dmesg_file} > + mv -f ${dmesg_file} ${dmesg_file}.prev > ( umask 022 ; /sbin/dmesg $rc_flags > ${dmesg_file} ) > + cmp -s ${dmesg_file} ${dmesg_file}.prev || \ > + logger -p security.warn 'dmesg.boot changed from > previous boot' > } > load_rc_config $name
>
> If you like that, I'm willing to discuss it further, and/or commit it and let the howling tell if it's a keeper or not. ;^)

Did you try this? I didn't, but I would expect to see this message _every time_ (because of minor timecounter rate changes).

Bye,
Alexander.

-- 
In those days he was wiser than he is now -- he used to frequently take my advice.
        -- Winston Churchill

http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137

From owner-freebsd-security@FreeBSD.ORG Wed Nov 8 08:12:30 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7C43416A47E for ; Wed, 8 Nov 2006 08:12:30 +0000 (UTC) (envelope-from alexander@leidinger.net) Received: from redbull.bpaserver.net (redbullneu.bpaserver.net [213.198.78.217]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1A89E43D6D for ; Wed, 8 Nov 2006 08:12:28 +0000 (GMT) (envelope-from alexander@leidinger.net) Received: from outgoing.leidinger.net (p54A5FE6A.dip.t-dialin.net [84.165.254.106]) by redbull.bpaserver.net (Postfix) with ESMTP id 27A7E2E14B; Wed, 8 Nov 2006 09:12:20 +0100 (CET) Received: from webmail.leidinger.net (webmail.Leidinger.net [192.168.1.102]) by outgoing.leidinger.net (Postfix) with ESMTP id 36ED55B4C35; Wed, 8 Nov 2006 09:12:18 +0100 (CET) Received: (from www@localhost) by webmail.leidinger.net (8.13.8/8.13.8/Submit) id kA88CHVg054310; Wed, 8 Nov 2006 09:12:17 +0100 (CET) (envelope-from Alexander@Leidinger.net) Received: from pslux.cec.eu.int (pslux.cec.eu.int [158.169.9.14]) by webmail.leidinger.net (Horde MIME library) with HTTP; Wed, 08 Nov 2006 09:12:17 +0100 Message-ID: <20061108091217.62b3er5uyogs4wkw@webmail.leidinger.net> X-Priority: 3 (Normal) Date: Wed, 08 Nov 2006 09:12:17 +0100 From: Alexander Leidinger To: Wes Peters References: <20061104163000.30D2516A7A6@hub.freebsd.org> <0C344F30-40A1-4B08-A1C7-3F8CD536244D@opensail.org> <20061108082233.agry96udb4k0sckk@webmail.leidinger.net> <1794F6F9-3F65-4771-ACF6-23D00101B72D@opensail.org> In-Reply-To: <1794F6F9-3F65-4771-ACF6-23D00101B72D@opensail.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8; DelSp="Yes"; format="flowed" Content-Disposition: inline Content-Transfer-Encoding: quoted-printable User-Agent: Internet Messaging Program (IMP) H3 (4.1.3) / FreeBSD-7.0 X-BPAnet-MailScanner-Information: Please contact the ISP for more information X-BPAnet-MailScanner: Found to be clean X-BPAnet-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=-1.763, required 6, BAYES_00 -2.60, DK_POLICY_SIGNSOME 0.00, FORGED_RCVD_HELO 0.14, J_CHICKENPOX_54 0.60, J_CHICKENPOX_84 0.60, SMILEY -0.50) X-BPAnet-MailScanner-From: alexander@leidinger.net X-Spam-Status: No X-Mailman-Approved-At: Wed, 08 Nov 2006 12:54:42 +0000 Cc: freebsd-security@freebsd.org Subject: Re: freebsd-security Digest, Vol 184, Issue 2 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Nov 2006 08:12:30 -0000

Quoting Wes Peters (from Tue, 7 Nov 2006 23:28:15 -0800):

> On Nov 7, 2006, at 11:22 PM, Alexander Leidinger wrote:
>
>> Quoting Wes Peters (from Tue, 7 Nov 2006 20:19:40 -0800):
>>
>>> --- /etc/rc.d/dmesg Sat May 6 21:00:26 2006
>>> +++ dmesg Tue Nov 7 20:17:47 2006
>>> @@ -19,8 +19,10 @@ >>> do_dmesg() >>> { >>> - rm -f ${dmesg_file} >>> + mv -f ${dmesg_file} ${dmesg_file}.prev >>> ( umask 022 ; /sbin/dmesg $rc_flags > ${dmesg_file} ) >>> + cmp -s ${dmesg_file} ${dmesg_file}.prev || \ >>> + logger -p security.warn 'dmesg.boot changed from >>> previous boot' >>> } >>> load_rc_config $name
>>>
>>> If you like that, I'm willing to discuss it further, and/or commit it and let the howling tell if it's a keeper or not. ;^)
>>
>> Did you try this? I didn't, but I would expect to see this message _every time_ (because of minor timecounter rate changes).
>
> Yes, but only once, and then forced a change by re-running it. Maybe I just got 'lucky.' Feel free to suggest 'better' tests, or parts to throw out of dmesg.boot before the test.

The ACPI-fast, ACPI-safe, TSC and i8xxx timecounter frequencies need to be removed IMO. Sometimes I also see a very small change in the probe order... but I don't remember exactly what's changing and what's causing it.

Bye,
Alexander.

-- 
The days are all empty and the nights are unreal.

http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137

From owner-freebsd-security@FreeBSD.ORG Wed Nov 8 14:08:04 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5D37816A415 for ; Wed, 8 Nov 2006 14:08:04 +0000 (UTC) (envelope-from freebsd-security-local@be-well.ilk.org) Received: from mail6.sea5.speakeasy.net (mail6.sea5.speakeasy.net [69.17.117.8]) by mx1.FreeBSD.org (Postfix) with ESMTP id 086F343D46 for ; Wed, 8 Nov 2006 14:08:03 +0000 (GMT) (envelope-from freebsd-security-local@be-well.ilk.org) Received: (qmail 27022 invoked from network); 8 Nov 2006 14:08:03 -0000 Received: from dsl092-078-145.bos1.dsl.speakeasy.net (HELO be-well.ilk.org) ([66.92.78.145]) (envelope-sender ) by mail6.sea5.speakeasy.net (qmail-ldap-1.03) with SMTP for ; 8 Nov 2006 14:08:03 -0000 Received: by be-well.ilk.org (Postfix, from userid 1147) id ABA8628433; Wed, 8 Nov 2006 09:08:02 -0500 (EST) To: "mal content" References: <8e96a0b90611080439n558022edj79febf458494ef6e@mail.gmail.com> <8e96a0b90611080441t2b486637ya10acd5a1dd77690@mail.gmail.com>
From: Lowell Gilbert Date: Wed, 08 Nov 2006 09:08:02 -0500 In-Reply-To: <8e96a0b90611080441t2b486637ya10acd5a1dd77690@mail.gmail.com> (mal content's message of "Wed, 8 Nov 2006 12:41:52 +0000") Message-ID: <44irhq6ngd.fsf@be-well.ilk.org> User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.0.50 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: freebsd-security@freebsd.org Subject: Re: Sandboxing X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Nov 2006 14:08:04 -0000

"mal content" writes:

> On 08/11/06, mal content wrote:
>> Hi.
>>
>> This is mostly hypothetical, just because I want to see how knowledgeable people would go about achieving it:
>>
>> I want to sandbox Mozilla Firefox. For the sake of example, I'm running it under my own user account. The idea is that it should be allowed to connect to the X server, it should be allowed to write to ~/.mozilla and /tmp.
>>
>> I expect some configurations would want access to audio devices in /dev, but for simplicity, that's ignored here.
>>
>> All other filesystem access is denied.
>>
>> Ready...
>>
>> Go!
>>
>> MC
>>
>
> I forgot to add: Use of TrustedBSD extensions is, of course, allowed.

Putting an X Windows application in a sandbox is kind of silly. After all, X has to have direct access to memory. A virtual machine approach, with a whole virtual set of memory, might make more sense. I use that (via qemu), although not for exactly the same reasons.
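The normalize-then-compare step that Alexander Leidinger's replies in the dmesg.boot thread above ask for, written out as an added example. This is editor's code, not Wes Peters' patch and not anything committed to FreeBSD: it blanks the per-boot timecounter frequencies and the calibrated CPU MHz figure before comparing two captures, and it distinguishes "no previous capture" from "changed" so that the first boot does not raise a false warning. The sample boot logs are constructed to look like FreeBSD 6-era dmesg output; the sed patterns are assumptions about that format and will need adjusting for other releases or for other lines that turn out to vary on a given machine.

```sh
#!/bin/sh
# Added example: compare this boot's dmesg.boot with the previous one after
# removing the fields that legitimately change on every boot.
# Not the patch from the thread; the sed patterns are assumptions about
# FreeBSD 6-era dmesg lines (adjust them for other releases).

# Replace per-boot noise with fixed placeholders so that only real changes
# (a new device, a different kernel, a changed probe order) survive.
normalize_dmesg() {
    sed -E \
        -e 's/^(Timecounter "[^"]+") frequency [0-9]+ Hz/\1 frequency N Hz/' \
        -e 's/\([0-9]+\.[0-9]+-MHz /(N-MHz /' \
        "$1"
}

# dmesg_changed NEW PREV
# exit 0: identical once normalized; 1: differs (diff printed); 2: no PREV.
dmesg_changed() {
    new="$1"; prev="$2"
    [ -f "$prev" ] || return 2
    tmpdir=$(mktemp -d) || return 2
    normalize_dmesg "$new"  > "$tmpdir/new"
    normalize_dmesg "$prev" > "$tmpdir/prev"
    if cmp -s "$tmpdir/new" "$tmpdir/prev"; then
        rm -rf "$tmpdir"
        return 0
    fi
    diff "$tmpdir/prev" "$tmpdir/new" || :   # diff exits 1 on a difference; expected here
    rm -rf "$tmpdir"
    return 1
}

# Constructed sample captures (not real boot logs), written into DIR:
#   boot1  baseline
#   boot2  same machine, next boot: only the calibrated frequencies moved
#   boot3  like boot2 plus one device line that was not there before
write_samples() {
    dir="$1"
    cat > "$dir/boot1" <<'EOF'
CPU: Intel(R) Pentium(R) M processor 1.70GHz (1694.99-MHz 686-class CPU)
real memory  = 1073741824 (1024 MB)
acpi0: <PTLTD   RSDT> on motherboard
Timecounter "i8254" frequency 1193182 Hz quality 0
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
Timecounter "TSC" frequency 1694990345 Hz quality 800
Timecounters tick every 1.000 msec
EOF
    sed -e 's/1694\.99-MHz/1695.02-MHz/' -e 's/1694990345/1695021890/' \
        "$dir/boot1" > "$dir/boot2"
    { cat "$dir/boot2"; echo 'acpi_acad0: <AC Adapter> on acpi0'; } > "$dir/boot3"
}

# Stand-alone demo: the raw cmp the patch uses flags boot2, the normalized
# comparison does not, and the extra device in boot3 is still caught.
demo=$(mktemp -d)
write_samples "$demo"
cmp -s "$demo/boot1" "$demo/boot2" || echo "raw cmp: boot2 differs from boot1"
dmesg_changed "$demo/boot2" "$demo/boot1" && echo "normalized: boot2 unchanged"
dmesg_changed "$demo/boot3" "$demo/boot1" || echo "normalized: boot3 changed (status $?)"
rm -rf "$demo"
```

In an rc.d script the natural use is `dmesg_changed ${dmesg_file} ${dmesg_file}.prev; case $? in 1) logger -p security.warn ...;; esac`, with the .prev capture kept somewhere the running system cannot quietly rewrite, otherwise the check only detects changes by whoever does not know it exists.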
From owner-freebsd-security@FreeBSD.ORG Wed Nov 8 14:14:06 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 06F0516A4C2; Wed, 8 Nov 2006 14:14:06 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8EA2543DB4; Wed, 8 Nov 2006 14:13:57 +0000 (GMT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (simon@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id kA8EDtj3011914; Wed, 8 Nov 2006 14:13:55 GMT (envelope-from security-advisories@freebsd.org) Received: (from simon@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id kA8EDtA7011912; Wed, 8 Nov 2006 14:13:55 GMT (envelope-from security-advisories@freebsd.org) Date: Wed, 8 Nov 2006 14:13:55 GMT Message-Id: <200611081413.kA8EDtA7011912@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: simon set sender to security-advisories@freebsd.org using -f 
From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Cc: Subject: FreeBSD Security Advisory FreeBSD-SA-06:24.libarchive X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Reply-To: freebsd-security@freebsd.org List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Nov 2006 14:14:06 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-06:24.libarchive                                 Security Advisory
                                                          The FreeBSD Project

Topic:          Infinite loop in corrupt archives handling in libarchive(3)

Category:       core
Module:         libarchive
Announced:      2006-11-08
Credits:        Rink Springer
Affects:        FreeBSD 6-STABLE after 2006-09-05 05:23:51 UTC
Corrected:      2006-11-08 14:05:40 UTC (RELENG_6, 6.2-RC1)
CVE Name:       CVE-2006-5680

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .

I.   Background

The libarchive library provides a flexible interface for reading and writing streaming archive files such as tar and cpio, and has been the basis for FreeBSD's implementation of the tar(1) utility since FreeBSD 5.3.

II.  Problem Description

If the end of an archive is reached while attempting to "skip" past a region of an archive, libarchive will enter an infinite loop wherein it repeatedly attempts (and fails) to read further data.

III. Impact

An attacker able to cause a system to extract (via "tar -x" or another application which uses libarchive) or list the contents (via "tar -t" or another libarchive-using application) of an archive provided by the attacker can cause libarchive to enter an infinite loop and use all available CPU time.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to affected systems.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-06:24/libarchive.patch
# fetch http://security.FreeBSD.org/patches/SA-06:24/libarchive.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libarchive
# make obj && make depend && make && make install

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/lib/libarchive/archive_read_support_compression_none.c     1.6.2.2
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5680

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-06:24.libarchive.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFFUeSvFdaIBMps37IRAug+AKCWT9WdFvuqPZS0o7fp3f9GKd8/aQCfVcQE
WODSvmI0ArwZOcWIESQOnIQ=
=SDvI
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Wed Nov 8 14:23:17 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C64E516A492 for ; Wed, 8 Nov 2006 14:23:17 +0000 (UTC) (envelope-from erikt@midgard.homeip.net) Received: from ch-smtp01.sth.basefarm.net (ch-smtp01.sth.basefarm.net [80.76.149.212]) by mx1.FreeBSD.org (Postfix) with ESMTP id 316C443D68 for ; Wed, 8 Nov 2006 14:23:13 +0000 (GMT) (envelope-from erikt@midgard.homeip.net) Received: from c83-253-29-241.bredband.comhem.se ([83.253.29.241]:55216 helo=falcon.midgard.homeip.net) by ch-smtp01.sth.basefarm.net with smtp (Exim 4.63) (envelope-from ) id 1GhoKe-0007er-3o for freebsd-security@freebsd.org; Wed, 08 Nov 2006 15:23:12 +0100 Received: (qmail 76514 invoked from network); 8 Nov 2006 15:23:06 +0100 Received: from owl.midgard.homeip.net (10.1.5.7) by falcon.midgard.homeip.net with SMTP; 8 Nov 2006 15:23:06 +0100 Received: (qmail 64741 invoked by uid 1001); 8 Nov 2006 15:23:06 +0100 Date: Wed, 8 Nov 2006 15:23:06 +0100
From: Erik Trulsson To: Lowell Gilbert Message-ID: <20061108142306.GA64711@owl.midgard.homeip.net> Mail-Followup-To: Lowell Gilbert , mal content , freebsd-security@freebsd.org References: <8e96a0b90611080439n558022edj79febf458494ef6e@mail.gmail.com> <8e96a0b90611080441t2b486637ya10acd5a1dd77690@mail.gmail.com> <44irhq6ngd.fsf@be-well.ilk.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <44irhq6ngd.fsf@be-well.ilk.org> User-Agent: Mutt/1.5.13 (2006-08-11) X-Scan-Result: No virus found in message 1GhoKe-0007er-3o. X-Scan-Signature: ch-smtp01.sth.basefarm.net 1GhoKe-0007er-3o 5689e50134410c4b3fe3ee10c0263b17 Cc: freebsd-security@freebsd.org, mal content Subject: Re: Sandboxing X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Nov 2006 14:23:17 -0000

On Wed, Nov 08, 2006 at 09:08:02AM -0500, Lowell Gilbert wrote:
> "mal content" writes:
>
> > On 08/11/06, mal content wrote:
> >> Hi.
> >>
> >> This is mostly hypothetical, just because I want to see how knowledgeable people would go about achieving it:
> >>
> >> I want to sandbox Mozilla Firefox. For the sake of example, I'm running it under my own user account. The idea is that it should be allowed to connect to the X server, it should be allowed to write to ~/.mozilla and /tmp.
> >>
> >> I expect some configurations would want access to audio devices in /dev, but for simplicity, that's ignored here.
> >>
> >> All other filesystem access is denied.
> >>
> >> Ready...
> >>
> >> Go!
> >>
> >> MC
> >>
> >
> > I forgot to add: Use of TrustedBSD extensions is, of course, allowed.
>
> Putting an X Windows application in a sandbox is kind of silly. After all, X has to have direct access to memory.

The X *server* needs direct access to memory. X clients (like Firefox or just about any other application using X) do not need direct access to memory. They don't even need to run on the same machine as the X server.

> A virtual machine approach, with a whole virtual set of memory, might make more sense. I use that (via qemu), although not for exactly the same reasons.

-- 
Erik Trulsson
ertr1013@student.uu.se

From owner-freebsd-security@FreeBSD.ORG Wed Nov 8 15:36:12 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0718216A415 for ; Wed, 8 Nov 2006 15:36:12 +0000 (UTC) (envelope-from josh@tcbug.org) Received: from rwcrmhc14.comcast.net (rwcrmhc14.comcast.net [216.148.227.154]) by mx1.FreeBSD.org (Postfix) with ESMTP id CB34A43D45 for ; Wed, 8 Nov 2006 15:36:11 +0000 (GMT) (envelope-from josh@tcbug.org) Received: from gimpy (c-24-118-173-219.hsd1.mn.comcast.net[24.118.173.219]) by comcast.net (rwcrmhc14) with ESMTP id <20061108153611m1400jg7u8e>; Wed, 8 Nov 2006 15:36:11 +0000
From: Josh Paetzel To: freebsd-security@freebsd.org Date: Wed, 8 Nov 2006 10:36:02 -0500 User-Agent: KMail/1.9.3 References: <200611081413.kA8EDtA7011912@freefall.freebsd.org> In-Reply-To: <200611081413.kA8EDtA7011912@freefall.freebsd.org> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-6" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200611080936.03101.josh@tcbug.org> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-06:24.libarchive X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Nov 2006 15:36:12 -0000 On Wednesday 08 November 2006 08:13, FreeBSD Security Advisories wrote: > =================================================================== >========== FreeBSD-SA-06:24.libarchive > Security Advisory The FreeBSD Project > > Topic: Infinite loop in corrupt archives handling in > libarchive(3) > > Category: core > Module: libarchive > Announced: 2006-11-08 > Credits: Rink Springer > Affects: FreeBSD 6-STABLE after 2006-09-05 05:23:51 UTC > Corrected: 2006-11-08 14:05:40 UTC (RELENG_6, 6.2-RC1) > CVE Name: CVE-2006-5680 > > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and > the following sections, please visit > . > > I. Background > > The libarchive library provides a flexible interface for reading > and writing streaming archive files such as tar and cpio, and has > been the basis for FreeBSD's implementation of the tar(1) utility > since FreeBSD 5.3. > > II. Problem Description > > If the end of an archive is reached while attempting to "skip" past > a region of an archive, libarchive will enter an infinite loop > wherein it repeatedly attempts (and fails) to read further data. > > III. 
Impact > > An attacker able to cause a system to extract (via "tar -x" or > another application which uses libarchive) or list the contents > (via "tar -t" or another libarchive-using application) of an > archive provided by the attacker can cause libarchive to enter an > infinite loop and use all available CPU time. > > IV. Workaround > > No workaround is available. > > V. Solution > > Perform one of the following: > > 1) Upgrade your vulnerable system to 6-STABLE dated after the > correction date. > > 2) To patch your present system: > > The following patches have been verified to apply to affected > systems. > > a) Download the relevant patch from the location below, and verify > the detached PGP signature using your PGP utility. > > # fetch > http://security.FreeBSD.org/patches/SA-06:24/libarchive.patch # > fetch > http://security.FreeBSD.org/patches/SA-06:24/libarchive.patch.asc > > b) Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch > # cd /usr/src/lib/libarchive > # make obj && make depend && make && make install > > VI. Correction details > > The following list contains the revision numbers of each file that > was corrected in FreeBSD. > > Branch > Revision Path > ------------------------------------------------------------------- >------ RELENG_6 > src/lib/libarchive/archive_read_support_compression_none.c > 1.6.2.2 > ------------------------------------------------------------------- >------ > > VII. References > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5680 > > The latest revision of this advisory is available at > http://security.FreeBSD.org/advisories/FreeBSD-SA-06:24.libarchive. Maybe this is an obvious question, but libarchive has been in the system since 5.3, but this issue only affects RELENG_6? So anyone tracking RELENG_6_1 isn't affected? 
-- 
Thanks,

Josh Paetzel

From owner-freebsd-security@FreeBSD.ORG Wed Nov 8 16:17:42 2006
From: "Simon L. Nielsen"
To: Josh Paetzel
Cc: freebsd-security@freebsd.org
Date: Wed, 8 Nov 2006 17:17:10 +0100
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-06:24.libarchive
Message-ID: <20061108161709.GG1303@zaphod.nitro.dk>
In-Reply-To: <200611080936.03101.josh@tcbug.org>

On 2006.11.08 10:36:02 -0500, Josh Paetzel wrote:
> On Wednesday 08 November 2006 08:13, FreeBSD Security Advisories wrote:
> > =============================================================================
> > FreeBSD-SA-06:24.libarchive                                 Security Advisory
> >                                                           The FreeBSD Project
> >
> > Topic:          Infinite loop in corrupt archives handling in libarchive(3)
> >
> > Category:       core
> > Module:         libarchive
> > Announced:      2006-11-08
> > Credits:        Rink Springer
> > Affects:        FreeBSD 6-STABLE after 2006-09-05 05:23:51 UTC
> > Corrected:      2006-11-08 14:05:40 UTC (RELENG_6, 6.2-RC1)
> > CVE Name:       CVE-2006-5680
> >
> > For general information regarding FreeBSD Security Advisories,
>
> Maybe this is an obvious question, but libarchive has been in the
> system since 5.3, but this issue only affects RELENG_6?  So anyone
> tracking RELENG_6_1 isn't affected?

Correct, the bug was introduced after 6.1 was branched.

-- 
Simon L. Nielsen

From owner-freebsd-security@FreeBSD.ORG Thu Nov 9 07:59:24 2006
Message-ID: <8e96a0b90611082359jbc85b37kad6109a0aa87598@mail.gmail.com>
Date: Thu, 9 Nov 2006 07:59:22 +0000
From: "mal content"
To: "Lowell Gilbert", "mal content", freebsd-security@freebsd.org
In-Reply-To: <20061108142306.GA64711@owl.midgard.homeip.net>
Subject: Re: Sandboxing

So, uh, is that it?

Nobody sandboxes on FreeBSD?

MC

From owner-freebsd-security@FreeBSD.ORG Thu Nov 9 08:17:35 2006
From: "mal content"
To: "Luke Crawford"
Cc: Lowell Gilbert, freebsd-security@freebsd.org
Date: Thu, 9 Nov 2006 08:17:33 +0000
Subject: Re: Sandboxing
Message-ID: <8e96a0b90611090017x5375ed18jf3748c685ce8d2a6@mail.gmail.com>

On 09/11/06, Luke Crawford wrote:
>
> On Thu, 9 Nov 2006, mal content wrote:
>
> > Nobody sandboxes on FreeBSD?
>
> man jail(8)
>

A full jail is quite extreme, don't you think?  Besides, it'd be tricky
to allow a jailed program to write to ~/.mozilla and /tmp.
MC

From owner-freebsd-security@FreeBSD.ORG Thu Nov 9 08:40:35 2006
From: Patrick Proniewski
To: "mal content"
Cc: freebsd-security@freebsd.org
Date: Thu, 9 Nov 2006 09:40:53 +0100
Subject: Re: Sandboxing
Message-Id: <37D5C0BC-8103-4117-9FDC-35A074FAAEA4@patpro.net>
In-Reply-To: <8e96a0b90611090017x5375ed18jf3748c685ce8d2a6@mail.gmail.com>

On 9 nov. 06, at 09:17, mal content wrote:

>> man jail(8)
>
> A full jail is quite extreme, don't you think?  Besides, it'd be
> tricky to allow a jailed program to write to ~/.mozilla and /tmp.

A full jail is for beginners ;)  You can jail a program with only a
minimal /dev/ and libs, like it was done with named before FreeBSD chose
to chroot it by default.  Depending on what you want to jail, it can be
more or less complicated.  Maybe MAC and ACLs are the way to go for you,
I don't know.

patpro

From owner-freebsd-security@FreeBSD.ORG Thu Nov 9 10:23:07 2006
From: "mal content"
To: "Luke Crawford"
Cc: Lowell Gilbert, freebsd-security@freebsd.org
Date: Thu, 9 Nov 2006 10:22:59 +0000
Subject: Re: Sandboxing
Message-ID: <8e96a0b90611090222x5ec3be4bwa5019ed14aaa52a8@mail.gmail.com>

On 09/11/06, Luke Crawford wrote:
> jail is the best sandbox FreeBSD has; if that's too heavy, simply run it
> setuid to another user that doesn't have permission to anything.  It's
> not as good of a sandbox, but it's lightweight.
>

Of course there is another problem with this approach: a different UID
isn't allowed to connect to :0.0 on the X server under the FreeBSD
default security settings for X.
MC

From owner-freebsd-security@FreeBSD.ORG Thu Nov 9 08:07:16 2006
From: Luke Crawford
To: mal content
Cc: Lowell Gilbert, freebsd-security@freebsd.org
Date: Thu, 9 Nov 2006 00:06:42 -0800 (PST)
Subject: Re: Sandboxing
In-Reply-To: <8e96a0b90611082359jbc85b37kad6109a0aa87598@mail.gmail.com>

On Thu, 9 Nov 2006, mal content wrote:

> Nobody sandboxes on FreeBSD?

man jail(8)

From owner-freebsd-security@FreeBSD.ORG Thu Nov 9 08:48:43 2006
From: Luke Crawford
To: mal content
Cc: Lowell Gilbert, freebsd-security@freebsd.org
Date: Thu, 9 Nov 2006 00:48:29 -0800 (PST)
Subject: Re: Sandboxing
In-Reply-To: <8e96a0b90611090017x5375ed18jf3748c685ce8d2a6@mail.gmail.com>

On Thu, 9 Nov 2006, mal content wrote:

> On 09/11/06, Luke Crawford wrote:
>> man jail(8)
>
> A full jail is quite extreme, don't you think?  Besides, it'd be tricky
> to allow a jailed program to write to ~/.mozilla and /tmp.

Not really.  Well, it would be difficult to let it write to both
~/.mozilla and /tmp unless your homedir is under /tmp.  What I would do
is run mozilla under ~/mozilla and use that as the jail chroot.  Give it
an internal IP and connect via X over IP if you want... or figure out how
to put the named pipe under ~/.mozilla (I'm not going to look it up for
you, but there is a way... your jail system can't write outside the jail,
but your non-jail system can write into the jail, so you might even be
able to do it with a simple symlink.)

jail is the best sandbox FreeBSD has; if that's too heavy, simply run it
setuid to another user that doesn't have permission to anything.  It's
not as good of a sandbox, but it's lightweight.
From owner-freebsd-security@FreeBSD.ORG Thu Nov 9 15:14:55 2006
From: Lowell Gilbert
To: "mal content"
Cc: freebsd-security@freebsd.org
Date: Thu, 09 Nov 2006 09:47:37 -0500
Subject: Re: Sandboxing
Message-ID: <44slgs3cdy.fsf@be-well.ilk.org>
In-Reply-To: <8e96a0b90611082359jbc85b37kad6109a0aa87598@mail.gmail.com>
	(mal content's message of "Thu, 9 Nov 2006 07:59:22 +0000")

"mal content" writes:

> So, uh, is that it?
>
> Nobody sandboxes on FreeBSD?

Right.  The Handbook and FAQ discussions of sandboxes are strictly
there as practical jokes.

Seriously, though, while Erik Trulsson was correct in pointing out the
difference between an X client and an X server (only the latter has
direct access to memory), X clients do have fairly privileged access
to the server, and I don't have a lot of confidence in the safety of a
sandboxed application running in a normal X session.  It's certainly
possible, though; jail(8) and chroot(8) are the obvious places to
start.  As I think I mentioned earlier, I use qemu VMs to do something
similar, although in my case the main point is to start the
application from an *identical* configuration every time.

The trouble with running a complex application (like a web browser) in
a chroot or jail is that it has a long chain of other files it needs
to access at runtime.  Putting all of those inside its captive
directory tree will be quite a bit of work.

Server daemons are a different story; many of them are designed to
work well in a limited environment, and doing so is quite easy.  In
fact, named(8) seems to do that by default on FreeBSD these days.

Be well.
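As an added example (the editor's, not code from the thread), here is a Python launcher for the chroot-plus-privilege-drop approach Lowell points at, combined with the resource limits proposed later in the thread: it applies rlimits, chroots, becomes an unprivileged user irrevocably, and only then execs the program, so the browser never runs as root even though chroot(2) requires it. Populating the chroot with the "long chain" of files the browser needs is left to the administrator; the paths, uid/gid, display and X cookie location are assumptions.

```python
#!/usr/bin/env python3
"""Added example, not from the thread: a small sandbox launcher.

Start as root (chroot(2) needs it), apply limits, chroot, drop to an
unprivileged user, exec.  Everything the program needs (libraries, /dev
entries, the X socket and an .Xauthority cookie) is assumed to have been
placed under the chroot directory by the administrator beforehand.
Assumed usage:  sudo ./sandbox_launch.py /tmp/ffjail 1001 1001 /bin/firefox
"""
import os
import resource
import sys

# csh limit(1) names, as used in the thread, mapped to rlimit resources.
RESOURCES = {
    "coredumpsize": resource.RLIMIT_CORE,
    "datasize": resource.RLIMIT_DATA,
    "openfiles": resource.RLIMIT_NOFILE,
}

# Values discussed in the thread: no core dumps, 96000 KiB of data, and an
# openfiles cap (a browser was observed holding 190 descriptors).
DEFAULT_LIMITS = {"coredumpsize": 0, "datasize": 96000 * 1024, "openfiles": 256}


def apply_limits(limits):
    """Set soft and hard limit to the same value so the confined program
    cannot raise them again.  Returns the (soft, hard) pairs now in force."""
    applied = {}
    for name, value in limits.items():
        res = RESOURCES[name]
        resource.setrlimit(res, (value, value))
        applied[name] = resource.getrlimit(res)
    return applied


def limit_of(name):
    """Current (soft, hard) limit for a csh-style limit name."""
    return resource.getrlimit(RESOURCES[name])


def confine(root):
    """chroot and move the cwd inside it: chroot alone leaves the old
    working directory reachable from within the new root."""
    os.chroot(root)
    os.chdir("/")


def drop_privileges(uid, gid):
    """Become uid/gid irrevocably.  Supplementary groups and gid go first,
    because after setuid() they can no longer be changed; afterwards prove
    that root cannot be regained."""
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    if uid != 0:
        try:
            os.setuid(0)
        except PermissionError:
            pass
        else:
            raise RuntimeError("privilege drop failed: root regained")
    if (os.getuid(), os.geteuid(), os.getgid()) != (uid, uid, gid):
        raise RuntimeError("unexpected credentials after privilege drop")


def sandbox_environment(display):
    """Minimal environment for the confined process.  X needs DISPLAY and
    an authority file; the cookie is assumed to be copied to /.Xauthority
    inside the chroot (addressing the ~/.x* files concern in the thread)."""
    return {"HOME": "/", "PATH": "/bin", "DISPLAY": display,
            "XAUTHORITY": "/.Xauthority"}


def main(argv):
    if len(argv) < 5:
        sys.exit(f"usage: {argv[0]} <chroot-dir> <uid> <gid> <program> [args...]")
    root, uid, gid = argv[1], int(argv[2]), int(argv[3])
    apply_limits(DEFAULT_LIMITS)
    confine(root)
    drop_privileges(uid, gid)
    env = sandbox_environment(os.environ.get("DISPLAY", ":0"))
    os.execve(argv[4], argv[4:], env)   # argv[4] is a path inside the chroot


if __name__ == "__main__":
    main(sys.argv)
```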
From owner-freebsd-security@FreeBSD.ORG Thu Nov 9 15:32:42 2006
From: "mal content"
To: freebsd-security-local@be-well.ilk.org
Cc: freebsd-security@freebsd.org
Date: Thu, 9 Nov 2006 15:32:19 +0000
Subject: Re: Sandboxing
Message-ID: <8e96a0b90611090732j78a34d96t16119eba0cdaabc4@mail.gmail.com>
In-Reply-To: <44slgs3cdy.fsf@be-well.ilk.org>

On 09/11/06, Lowell Gilbert wrote:
> "mal content" writes:
>
> > So, uh, is that it?
> >
> > Nobody sandboxes on FreeBSD?
>
> Right.  The Handbook and FAQ discussions of sandboxes are strictly
> there as practical jokes.

Damn.  They caught me out.

> Seriously, though, while Erik Trulsson was correct in pointing out the
> difference between an X client and an X server (only the latter has
> direct access to memory), X clients do have fairly privileged access
> to the server, and I don't have a lot of confidence in the safety of a
> sandboxed application running in a normal X session.  It's certainly
> possible, though; jail(8) and chroot(8) are the obvious places to
> start.  As I think I mentioned earlier, I use qemu VMs to do something
> similar, although in my case the main point is to start the
> application from an *identical* configuration every time.

I think to really sandbox this program, there are going to have to be
changes to the source.  I don't really like the idea of creating a
filesystem tree for all of Firefox's dependencies.  It's that .mozilla
directory that causes the headaches.

My ideal situation would be:

1. Execute the firefox binary under strict resource limits
   (coredumpsize = 0, memoryuse/datasize = 96000).  Ideally some sort
   of openfiles limit would be nice.  Firefox is currently using an
   amazing number of file descriptors for what it does:

   $ fstat | grep firefox | wc -l
   190

Now this is the tricky bit:

2. Chroot to /tmp.

3. Drop privileges and connect to the X server.

I don't think it will be possible to connect to the X server when
chrooted in /tmp, due to the reliance on various ~/.x* files.
Obviously, it's not possible to chroot without root privileges, so it
seems to be mutually exclusive.

> The trouble with running a complex application (like a web browser) in
> a chroot or jail is that it has a long chain of other files it needs
> to access at runtime.  Putting all of those inside its captive
> directory tree will be quite a bit of work.

Yeah, I'm quite painfully aware of the complexity of browsers.  Nasty
pieces of work (although it's arguably not their fault).

> Server daemons are a different story; many of them are designed to
> work well in a limited environment, and doing so is quite easy.  In
> fact, named(8) seems to do that by default on FreeBSD these days.
>
> Be well.

And yourself!
MC

From owner-freebsd-security@FreeBSD.ORG Thu Nov 9 18:48:15 2006
From: Matt Piechota
To: freebsd-security@freebsd.org
Cc: mal content
Date: Thu, 9 Nov 2006 13:48:09 -0500 (EST)
Subject: Re: Sandboxing
Message-ID: <20061109134144.P21928@acropolis.argolis.org>
In-Reply-To: <44slgs3cdy.fsf@be-well.ilk.org>

On Thu, 9 Nov 2006, Lowell Gilbert wrote:

> Seriously, though, while Erik Trulsson was correct in pointing out the
> difference between an X client and an X server (only the latter has
> direct access to memory), X clients do have fairly privileged access
> to the server, and I don't have a lot of confidence in the safety of a
> sandboxed application running in a normal X session.  It's certainly

Perhaps one would use Xvnc to eliminate issues with the client mucking
around in the X server space?  I assume that Xvnc/vncviewer do not just
pass the X calls to the local server though.

It seems like while jails, vnc, and sandboxes may work, the safest
method is to run in a VM as you mentioned.
-- 
Matt Piechota

From owner-freebsd-security@FreeBSD.ORG Sat Nov 11 16:08:31 2006
From: "Julian H. Stacey"
To: freebsd-security@freebsd.org
Date: Sat, 11 Nov 2006 17:08:32 +0100
Subject: src/etc/rc.firewall simple ${fw_pass} tcp from any to any established
Message-Id: <200611111608.kABG8WRn069267@fire.jhs.private>
In-reply-to: <4555E508.1090705@FreeBSD.org>

Hi security@ list,

In my self-written, large ipfw rule set, I had something that passed
http to allow me to browse most but not all remote sites.  For years I
assumed the few sites I had difficulty with were cases of pppoed MTU !=
1500, from not having installed tcpmssd on my 4.*-RELEASE, but then
running 6.1-RELEASE I realised that wasn't the problem.

  http://www.web.de            still failed, &
  http://www.sueddeutsche.de   was slow.

I tried adding

  ${fwcmd} add pass tcp from any to any established

from src/etc/rc.firewall case "simple", which solved it.  But I was
scared, not understanding what the established bit did, & how easily an
attacker might fake something, etc.

I found adding these tighter rules instead worked for me:

  ${fwcmd} tcp from any http to me established in via tun0
  ${fwcmd} tcp from me to any http established out via tun0

Should I still be worrying about established?

Julian
-- 
Julian Stacey.  BSD Unix C Net Consultancy, Munich/Muenchen  http://berklix.com
Mail Ascii, not HTML.  Your smoke = my allergic headache.
http://berklix.org/free-software

From: "R. B. Riddick"
Date: Sat, 11 Nov 2006 11:00:49 -0800 (PST)
To: "Julian H. Stacey", freebsd-security@freebsd.org
In-Reply-To: <200611111608.kABG8WRn069267@fire.jhs.private>
Message-ID: <216597.35069.qm@web30315.mail.mud.yahoo.com>
Subject: Re: src/etc/rc.firewall simple ${fw_pass} tcp from any to any established

--- "Julian H. Stacey" wrote:
> I tried adding
> ${fwcmd} add pass tcp from any to any established
> from src/etc/rc.firewall case - simple. Which solved it.
> But I was scared, not understanding what the established bit did, &
> how easily an attacker might fake something, etc.
> I found adding these tighter rules instead worked for me
> ${fwcmd} tcp from any http to me established in via tun0
> ${fwcmd} tcp from me to any http established out via tun0
> Should I still be worrying about established ?
>
Hmm... I personally use "check-state" and "keep-state", so that it is not enough to fake the "established" flags, but the attacker would have to know the ports, the IPs, have control over routing in the pub inet(?) and some little secrets in the TCP headers (I don't know exactly how it works):

    add check-state
    add pass icmp from any to any keep-state out xmit tun0
    add pass tcp from any to any setup keep-state out xmit tun0
    add pass udp from any to any domain keep-state out xmit tun0

Furthermore I use pf on the same box, too, so that a bug in ipfw is not enough... :-)

-Arne
From: Dan Lukes
Date: Sat, 11 Nov 2006 20:19:33 +0100
To: freebsd-security@freebsd.org
In-Reply-To: <216597.35069.qm@web30315.mail.mud.yahoo.com>
Message-ID: <45562245.8070804@obluda.cz>
Subject: Re: src/etc/rc.firewall simple ${fw_pass} tcp from any to any established

R. B. Riddick wrote, On 11/11/06 20:00:
>> But I was scared, not understanding what the established bit did, &
>> how easily an attacker might fake something, etc.
...
>> Should I still be worrying about established ?
> Hmm... I personally use "check-state" and "keep-state", so that it is not

Stateful rules can stop the sophisticated intruder, but are often more vulnerable to DoS attacks.

Every method has pros and cons ...
Dan
-- 
Dan Lukes SISAL MFF UK
AKA: dan@obluda.cz, dan@freebsd.cz, dan@kolej.mff.cuni.cz

From: "R. B. Riddick"
Date: Sat, 11 Nov 2006 11:33:56 -0800 (PST)
To: Dan Lukes, freebsd-security@freebsd.org
In-Reply-To: <45562245.8070804@obluda.cz>
Message-ID: <159176.35953.qm@web30310.mail.mud.yahoo.com>
Subject: Re: src/etc/rc.firewall simple ${fw_pass} tcp from any to any established

--- Dan Lukes wrote:
> Stateful rules can stop the sophisticated intruder, but are often more
> vulnerable to DoS attacks.
>
> Every method has pros and cons ...
>
Hmm... You mean, when someone creates a lot of states? At least pf can limit that...

But here it looks like just the good guys can create a state (from the good network via the public network to the trusted web sites), so that states can't hurt, I think...

-Arne
From: Dan Lukes
Date: Sat, 11 Nov 2006 22:18:03 +0100
To: freebsd-security@freebsd.org
In-Reply-To: <159176.35953.qm@web30310.mail.mud.yahoo.com>
Message-ID: <45563E0B.6010509@obluda.cz>
Subject: Re: src/etc/rc.firewall simple ${fw_pass} tcp from any to any established

R. B. Riddick wrote, On 11/11/06 20:33:
>> Stateful rules can stop the sophisticated intruder, but are often more
>> vulnerable to DoS attacks.
> Hmm... You mean, when someone creates a lot of states?
> At least pf can limit that...

Yes. "Limit" means that some packets (connections, states) are denied. The remaining question is whether the algorithm is smart enough to limit the attacker's packets but not legitimate connections (or, at least, to try to block the attacker and try not to block legitimate connections). Especially against an attacker with full knowledge of the algorithm.

> But here it looks like just the good guys can create a state (from the
> good network via the public network to the trusted web sites), so that states
> can't hurt, I think...

Yes, in that case you are right.
Dan
-- 
Dan Lukes SISAL MFF UK
AKA: dan@obluda.cz, dan@freebsd.cz, dan@kolej.mff.cuni.cz

From: Giorgos Keramidas
Date: Sat, 11 Nov 2006 20:05:17 +0100
To: "Julian H. Stacey"
Cc: freebsd-security@freebsd.org
Message-ID: <20061111190517.GB1158@kobe.laptop>
In-Reply-To: <200611111608.kABG8WRn069267@fire.jhs.private>
Subject: Re: src/etc/rc.firewall simple ${fw_pass} tcp from any to any established

On 2006-11-11 17:08, "Julian H. Stacey" wrote:
> Hi security@ list,
> In my self written, large ipfw rule set, I had something that passed
> http to allow me to browse most but not all remote sites. For years
> I assumed the few sites I had difficulty with were cases of pppoed MTU
> != 1500, from not having installed tcpmssd on my 4.*-RELEASE, but
> then running 6.1-RELEASE I realised that wasn't the problem.
>
> http://www.web.de still failed, &
> http://www.sueddeutsche.de was slow.
>
> I tried adding
>
> ${fwcmd} add pass tcp from any to any established
>
> from src/etc/rc.firewall case - simple. Which solved it.
> But I was scared, not understanding what the established bit did, &
> how easily an attacker might fake something, etc.
> I found adding these tighter rules instead worked for me
>
> ${fwcmd} tcp from any http to me established in via tun0
> ${fwcmd} tcp from me to any http established out via tun0
>
> Should I still be worrying about established ?

In general, I prefer stateful rulesets, which eliminate the need for 'established' rules. This would be something like:

    ${fwcmd} check-state
    ${fwcmd} tcp from me to any http out via tun0 keep-state
    ${fwcmd} tcp from me to any ssh out via tun0 keep-state
    [...]

This may create problems with connections whose entries time out before something is received back from the other end, but IMHO this is much better than the possibility of someone 'abusing' the 'established' check to poke holes through the firewall ruleset.
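As an added illustration (not part of the thread, and not ipfw code): a small Python model of why the `established` rule Julian started with matches on TCP flags alone, while the `check-state`/`keep-state` rulesets Arne and Giorgos propose require a prior outbound `setup`, with a constructed `max_states` cap standing in for the state limits Dan and Arne discuss. The class, method names, addresses and packets are all constructed for the example.

```python
"""Toy model of the two ipfw matching styles in this thread (constructed
illustration, not ipfw source).  `established` matches any TCP packet with
RST or ACK set; `setup` matches a SYN without ACK; `keep-state` records the
flow as a dynamic rule that `check-state` later matches.  `max_states` is
this model's stand-in for the state limits Dan and Arne discuss."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str        # "ip:port"
    dst: str        # "ip:port"
    flags: str      # subset of "SAR" (SYN, ACK, RST)
    direction: str  # "in" or "out" on the tun0 side

class Firewall:
    def __init__(self, me="10.0.0.2", max_states=None):
        self.me = me
        self.max_states = max_states
        self.states = set()  # one frozenset({src, dst}) per tracked flow

    # Julian's original rule: pass tcp from any to any established
    # Only the TCP flags are inspected, so any packet with ACK set matches.
    def established_policy(self, pkt):
        return "pass" if ("A" in pkt.flags or "R" in pkt.flags) else "deny"

    # Arne/Giorgos style: check-state, then
    #   pass tcp from me to any setup keep-state out via tun0
    def stateful_policy(self, pkt):
        key = frozenset((pkt.src, pkt.dst))
        if key in self.states:                 # check-state hit
            return "pass"
        outbound_setup = (pkt.direction == "out" and pkt.flags == "S"
                          and pkt.src.split(":")[0] == self.me)
        if not outbound_setup:
            return "deny"                      # no state and not a fresh SYN from me
        if self.max_states is not None and len(self.states) >= self.max_states:
            return "deny"                      # table full: the DoS trade-off Dan raises
        self.states.add(key)                   # keep-state creates the dynamic rule
        return "pass"

def scenario():
    """Handshake, a forged ACK and state-cap exhaustion, through both policies."""
    fw = Firewall(max_states=2)
    me = "10.0.0.2:49152"
    syn = Packet(me, "203.0.113.10:80", "S", "out")                 # my SYN to a web site
    synack = Packet("203.0.113.10:80", me, "SA", "in")              # the server's reply
    forged = Packet("198.51.100.7:1234", "10.0.0.2:22", "A", "in")  # ACK set, no SYN ever sent
    return {
        "established_forged": fw.established_policy(forged),  # pass: flags alone match
        "stateful_syn": fw.stateful_policy(syn),              # pass, state created
        "stateful_synack": fw.stateful_policy(synack),        # pass via check-state
        "stateful_forged": fw.stateful_policy(forged),        # deny: no matching state
        "second_setup": fw.stateful_policy(Packet(me, "203.0.113.11:80", "S", "out")),  # pass
        "third_setup": fw.stateful_policy(Packet(me, "203.0.113.12:80", "S", "out")),   # deny: cap
    }
```

The forged inbound packet with only ACK set passes the flag check but is dropped by the stateful policy, while the third outbound connection shows the price of a state cap: a legitimate setup is refused once the table is full.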