From owner-freebsd-current Tue Dec 15 08:51:08 1998
Return-Path: 
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA18226 for freebsd-current-outgoing; Tue, 15 Dec 1998 08:51:08 -0800 (PST) (envelope-from owner-freebsd-current@FreeBSD.ORG)
Received: from gratis.grondar.za (gratis.grondar.za [196.7.18.65]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA18214 for ; Tue, 15 Dec 1998 08:51:02 -0800 (PST) (envelope-from mark@grondar.za)
Received: from greenpeace.grondar.za (IDENT:GES4EJkEct1hOjS+ynQsqTaA8dBoyGzk@greenpeace.grondar.za [196.7.18.132]) by gratis.grondar.za (8.9.1/8.9.1) with ESMTP id SAA02753; Tue, 15 Dec 1998 18:50:53 +0200 (SAST) (envelope-from mark@grondar.za)
Received: from grondar.za (IDENT:w6Drr6HBhysDqC794attde3rBE7aifp+@localhost [127.0.0.1]) by greenpeace.grondar.za (8.9.1/8.9.1) with ESMTP id SAA68842; Tue, 15 Dec 1998 18:50:52 +0200 (SAST) (envelope-from mark@grondar.za)
Message-Id: <199812151650.SAA68842@greenpeace.grondar.za>
To: Joe Abley
cc: Matthew Dillon, Kevin Day, freebsd-current@FreeBSD.ORG
Subject: Re: modification to exec in the kernel?
In-Reply-To: Your message of "Wed, 16 Dec 1998 05:37:01 +1300." <19981216053701.B27078@clear.co.nz>
References: <19981215120357.B11837@clear.co.nz> <199812142331.RAA17203@home.dragondata.com> <19981215124818.A22526@clear.co.nz> <199812150644.IAA67338@greenpeace.grondar.za> <199812150917.BAA52694@apollo.backplane.com> <19981216053701.B27078@clear.co.nz>
Date: Tue, 15 Dec 1998 18:50:51 +0200
From: Mark Murray
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Joe Abley wrote:
> So how is this more dangerous than a non-chrooted environment? Surely it
> is _as_ safe - but with the added control that the user sees an appropriate
> subset of the entire filesystem that is controlled, regardless of what the
> system as a whole needs to have installed in order to function?

You give the user Perl5, you may as well give them a C compiler. They'll have full access to sockets etc. Who knows what nasty attacks they can launch against you from inside your own network. By assuming it is safe, you are mainly deluding yourself.

Given that the chroot'ed environment is "sanitised", it becomes easy to control (within its limits) and understand. I am not proposing security-by-obscurity here, just that you either make it "UNIX" and go with that warts-and-all (security patrols necessary), or make it tighter than a mouse's arse (and non-useful to scriptwriters).

We (an ISP) have constructed a non-chroot, noexec, no C-compiler, no-questions-asked box, and we still recognise the need to patrol. It works well, as long as the human intervention is recognised.

Oh - while you are building this box - make sure that suidperl is not on board. :-)

M
-- 
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message