From: "Jacques Bourdeau"
Date: Thu, 31 May 2001 13:22:16 +0200
To: freebsd-security@FreeBSD.org
Subject: producing an intrusion-proof FreeBSD

Hi,

During next summer, I will work on a solution for significantly increasing the security of any Unix server. I wish to do that by using the CHROOT as much as possible.

Right now, only a few daemons are ready to use Chroot themselves (named and some FTPD). But even they do not gain a lot of security, because they launch the CHROOT themselves. So if a bug is found in them (as is always the case if an intrusion occurs), the bad guy has a much larger chance of getting out of the CHROOT.

What I am trying to do is build a sub-system jail containing the minimum tools and functions (like RBASH as the only shell, no telnet client...), on a partition mounted with nosuid, nodev, etc., and launch daemons from the jail. If the daemon can do a second CHROOT by itself, I also use it. The best would be to have no listening daemons running outside of the jail.

After that, someone doing an intrusion against the system would not be able to do anything to personal data, or to re-use the computer for attacking another one on the Internet (he will not have telnet / ftp or anything else available). Because the CHROOT was done by a previous process (which does not exist anymore in the process list), going out of the CHROOT will be MUCH more difficult. Indeed, only a bug in the kernel could go out.

I already built a small jail and run named in 2 levels of CHROOT, as well as FTPD. I wish to add all the others: SSH, inetd ...

I'm doing that with shell scripts because I'm a poor programmer in C or other languages.

So, if FreeBSD is interested, just explain to me how to transform this into a complete project for the FreeBSD community.

Jacques Bourdeau

(My mail address will change in 2 months when I go back to Canada, so do not distribute it right now if you wish to add the project to your list...)
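
The jail properties listed in the message above (no setuid files or device nodes, no telnet or ftp client, RBASH as the only shell) can be checked on the jail tree before any daemon is launched from it. This is an added example, not part of the original message; the function names, finding labels and the two name lists are assumptions, and shells are matched by file name only.

```shell
#!/bin/sh
# Added example: audit a chroot jail tree for the properties listed in the post.
# DENIED_TOOLS and OTHER_SHELLS are assumed lists; extend them for your system.
DENIED_TOOLS="telnet ftp"                # clients the post wants absent
OTHER_SHELLS="sh bash csh tcsh ksh zsh"  # any shell that is not rbash

# find_named DIR LABEL NAME...: report files or symlinks with one of the names
find_named() {
    dir=$1; label=$2; shift 2
    for name in "$@"; do
        find "$dir" \( -type f -o -type l \) -name "$name" -print | sed "s|^|$label |"
    done
}

# audit_jail DIR: print one finding per line.
# Returns 0 if clean, 1 if anything was found, 2 if DIR is not a directory.
audit_jail() {
    jail=$1
    [ -d "$jail" ] || { echo "ERROR not a directory: $jail" >&2; return 2; }
    findings=$(
        # setuid/setgid bits are ignored on a nosuid mount, but become live
        # again if the tree is ever copied or remounted without that option
        find "$jail" -type f \( -perm -4000 -o -perm -2000 \) -print | sed 's|^|SETID |'
        # device nodes have no place on a partition mounted nodev
        find "$jail" \( -type b -o -type c \) -print | sed 's|^|DEVICE |'
        find_named "$jail" DENIED_TOOL $DENIED_TOOLS
        find_named "$jail" EXTRA_SHELL $OTHER_SHELLS
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run as a script: ./audit_jail.sh /path/to/jail
if [ $# -gt 0 ]; then
    audit_jail "$1"
fi
```

A non-zero exit status lets a launch script refuse to start daemons from a tree that has drifted from the intended minimum.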