Date:      Fri, 31 May 2002 16:56:29 +0200
From:      Frank van Vliet <karin@root66.org>
To:        Bjoern Fischer <bfischer@Techfak.Uni-Bielefeld.DE>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: sandboxing untrusted binaries
Message-ID:  <20020531165629.H86421@root66.org>
In-Reply-To: <20020531105059.GA720@no-support.loc>; from bfischer@Techfak.Uni-Bielefeld.DE on Fri, May 31, 2002 at 12:50:59PM +0200
References:  <20020530025817.GA4390@no-support.loc> <20020531040714.G86421@root66.org> <20020531105059.GA720@no-support.loc>

On Fri, May 31, 2002 at 12:50:59PM +0200, Bjoern Fischer wrote:
> > The second group is more for trying to keep hackers from gaining local
> > access. The examples provided by systrace are for this group of
> > programs. But, the same concept applies: the binary needs to run local
> > and access local files and even write to files. A webbrowser still needs
> > to execute xpdf, the user still needs to be able to specify what program
> > to run for PDFs. You can limit the possibilities, but the minimal
> > capabilities a program needs to function are always enough for a hacker.
> 
> I think you are wrong here. If there are normal user applications that
> let local users compromise the system, the operating system is flawed.
> And even if there is any, users who attempt to compromise the system,
> or who behave grossly negligently regarding system security, are candidates
> for rmuser(8) anyway.
> 
> The target of systrace is not the local user (or unwelcome "visitor"
> disguised as a local user) who attempts to hack the system. This
> will never work, since you always can install a not-sandboxed
> version of the affected software with normal user privileges.
> 
> systrace is not for sandboxing users but for sandboxing untrusted
> binaries. Such as netscape for example. Of course you never would
> run netscape as root. But you may even consider your "normal" user
> privileges as too powerful (reading PGP-Keys, tampering .rhosts or
> xauth, deleting your reports).

You miss the point here. Let's say you are a user on a box and you run
netscape. Let's say there is a bug in netscape, netscape could be
considered untrusted, and evil hackers can exploit your netscape when
you browse their site.

This is completely the same issue as for setuid binaries: netscape needs
local capabilities, which are always enough for hackers to hack the
system. It is an illusion to think that hackers who are kept from
reading the PGP keys are unable to hack the system.

Netscape for instance needs to execute other binaries, the user should
be allowed to specify which binaries. Netscape needs to write cache
files, any hacker exploiting netscape can use that to create a new
process which isn't systrace-profiled.

I suggest getting over the illusion hackers won't be able to hack the
system if you narrow them a bit, the binaries you run still need
capabilities to correctly function, which are always enough to hack the
system.

(I meant remote hackers exploiting your bitchx and netscape, not local
users)

> > I have coded similar things for linux, the main problem is the
> > performance hit. For every system call, you will need to check against
> > the policy and systrace even provides regular expression filters etc.
> 
> I don't expect a greater performance hit than ktrace. Far most system
> calls are read() and write() anyway.

This is very specific to the program; you can't make judgements like
this without being sure which applications this applies to.


Frank van Vliet
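As an added illustration that is not part of this thread, here is a constructed systrace policy fragment for an untrusted browser. It makes concrete the two permits the message argues about: the execve of the user's configured PDF helper and the writes to the cache directory. Each is confined as narrowly as the policy language allows, and the remaining permits are exactly the capabilities the author says are still reachable from an exploited process. The binary path, home and cache paths, helper path, ports and the emulation name are assumptions; the rule syntax follows systrace(1) as I understand it, and the `#` comment lines are explanatory and should be dropped if the policy parser rejects them.

```systrace
# Constructed example policy for an untrusted browser (all paths assumed).
Policy: /usr/local/bin/netscape, Emulation: native
	# Read-only access to shared libraries and the browser's own config.
	native-fsread: filename match "/usr/lib/*" then permit
	native-fsread: filename match "/usr/X11R6/lib/*" then permit
	native-fsread: filename match "/home/user/.netscape/*" then permit
	# Sensitive files in the home directory are explicitly unreadable.
	native-fsread: filename match "/home/user/.gnupg/*" then deny[eperm]
	native-fsread: filename eq "/home/user/.rhosts" then deny[eperm]
	# Writes are confined to the cache and the preferences file; any other
	# write under the home directory is refused with EPERM.
	native-fswrite: filename match "/home/user/.netscape/cache/*" then permit
	native-fswrite: filename eq "/home/user/.netscape/preferences.js" then permit
	native-fswrite: filename match "/home/user/*" then deny[eperm]
	# The user-configured PDF helper must be executable, so this permit
	# has to exist; what the helper may then do is governed by its own
	# policy, not by this one.
	native-execve: filename eq "/usr/local/bin/xpdf" then permit
	native-execve: filename match "*" then deny[eperm]
	# Outbound connections only on the ports a browser needs.
	native-connect: sockaddr match "inet-*:80" then permit
	native-connect: sockaddr match "inet-*:443" then permit
	native-connect: sockaddr match "*" then deny[eacces]
```

The value of writing the policy out is that it shows where the argument in the message bites: every `permit` line is a capability the sandboxed process keeps, and the `execve` and `fswrite` lines cannot be removed without breaking the browser. Denying reads of the PGP keys and `.rhosts` is cheap and worth doing, but it narrows what an exploited browser can touch rather than removing the process's ability to run code and write files on the user's behalf.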
