Date: Thu, 31 May 2001 13:22:16 +0200 From: "Jacques Bourdeau" <jacques_bourdeau@moncourrier.com> To: freebsd-security@FreeBSD.org Subject: producing an intrusion-proof FreeBSD Message-ID: <B98D2D91BA555D115A4600807CFD4B52@jacques_bourdeau.moncourrier.com>
next in thread | raw e-mail | index | archive | help
Hi, during next summer, I will work on a solution for increasing significantly the security of any Unix server. I wish to do that by using the CHROOT as much as possible. Right now, only few daemon are ready for using Chroot themselves (named and some FTPD). But even them do not gain a lot of security because they launch the CHROOT themsleves. So if a bug is found in them (as its always the case if an intrusion occur), the bad guy have a much larger chance to go out of the CHROOT. What I try to do is to build a sub-system jail, containing the minimum tools and functions (like RBASH as the only shell, no telnet client... ), over a partition mounted with nosuid,nodev, etc, etc, and launching daemons from the jail. If the deamon can do a second CHROOT by itself, I also use it. The best would be to have no listening daemons running outside of the jail. After that, someone doing an intrusion against the system would not be able to do anything over personnal datas, or to re-use the computer for attacking another one on Internet (he will not have telnet / ftp or anything else available). Because the CHROOT was done by a previous process (which do not exist anymore in process list), going out of the CHROOT will be MUCH more difficult. Indeed, only a bug in the kernel could go out. I already built a small jail and run named in 2 level of CHROOT as well as FTPD. I wish to add all others : SSH, inetd .. ... .... I'm doing that with shells scripts because I'm a poor progammers with C or others languages. So, if FreeBSD is interested, just explain me how to transform this in a complete project for FreeBSD community. Jacques Bourdeau (my mail address will change in 2 months when I will go back in Canada, so do not distribute it right now if you wish to add the project in your list...) -- Obtenez vous aussi votre adresse électronique gratuite MonCourrier.com (http://www.moncourrier.com), un service du Réseau BRANCHEZ-VOUS! (http://www.branchez-vous.com), le meilleur d'Internet. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?B98D2D91BA555D115A4600807CFD4B52>