Date: Thu, 3 Dec 2009 17:49:24 +0100
From: Borja Marcos <borjam@sarenet.es>
To: Borja Marcos <borjam@sarenet.es>
Cc: freebsd-security@freebsd.org
Subject: Re: rtld issue, MAC subsystem suggestion
Message-ID: <AD21DAB8-3DAF-45A2-8D0C-54FA596FF98A@sarenet.es>
In-Reply-To: <3ACC849F-06CF-4BBD-88A5-7489D6DD75B4@sarenet.es>
References: <200912010120.nB11Kjm9087476@freefall.freebsd.org> <CE6953AE-C4FD-4DD3-831D-ED4215A9AE93@sarenet.es> <4B17A0BE.9090502@fer.hr> <3ACC849F-06CF-4BBD-88A5-7489D6DD75B4@sarenet.es>
On Dec 3, 2009, at 1:45 PM, Borja Marcos wrote:

> There's a wrong assumption I made: the MAC subsystem should make a root exploit hard to achieve, and the latest security issue shows that indeed that's not necessarily the case. I chose not to chroot the running CGIs so that they saw a complete operating system, avoiding the costs of lots of phone calls to support because their script got a text file and ran awk on it, etc, etc, you know. Keeping lots of copies of the OS is quite ineffective. And restricting access to mostly harmless programs such as ping can be a problem as well. One of my compromises (wrong, maybe) was to offer the closest thing to a complete system as possible.

Which brings an idea... I understand it might sound a bit ad-hoc after this problem, but how about extending the usage of the MAC subsystem so that MAC policies are enforced for such things as the dynamic linker? It would certainly put a stop to a whole class of attacks.

If a program with a given integrity label tried to link with a lower integrity shared library, maybe the operation should fail. The same should apply to mac/mls.

I see no reason to allow that behavior to succeed, and plenty of reasons for the MAC policies to be applied.

Borja.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AD21DAB8-3DAF-45A2-8D0C-54FA596FF98A>
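The check proposed in the message above, as an added example that is not part of the original thread and not FreeBSD's rtld or MAC code: a simulated dynamic linker walks a program's dependency chain and refuses to map any shared library whose Biba integrity label does not dominate the process's label (the mac_biba read/exec rule, applied to the link step). The label syntax follows mac_biba(4) ("biba/high", "biba/low", "biba/equal", "biba/<grade>"); the library names, labels and dependency graph are constructed for illustration, and compartments are parsed but ignored.

```python
"""Simulation of MAC-enforced dynamic linking (added example, not FreeBSD code).

A process carrying a Biba label may only load shared libraries whose label
dominates its own; a lower-integrity library in the dependency chain fails
the whole link instead of being silently mapped. The dependency graph and
labels below are constructed sample data.
"""

HIGH = float("inf")   # "biba/high"
LOW = float("-inf")   # "biba/low"
EQUAL = None          # "biba/equal": treated as matching any grade


def parse_label(text):
    """Parse a mac_biba(4)-style label into a grade; compartments are ignored."""
    scheme, _, value = text.partition("/")
    if scheme != "biba" or not value:
        raise ValueError("not a Biba label: %r" % text)
    value = value.split(":", 1)[0]  # drop compartments, e.g. "biba/10:2+3"
    if value == "high":
        return HIGH
    if value == "low":
        return LOW
    if value == "equal":
        return EQUAL
    return int(value)


def dominates(obj_grade, subj_grade):
    """Biba read/exec rule: the object's integrity must dominate the subject's."""
    if obj_grade is EQUAL or subj_grade is EQUAL:
        return True
    return obj_grade >= subj_grade


def resolve(binary, labels, needed):
    """Walk DT_NEEDED-style dependencies in load order, enforcing the rule.

    Returns (ok, loaded, offender): loaded is the list of libraries that
    passed the check in resolution order; offender names the first library
    whose label falls below the process label, or None when all passed.
    """
    subj = parse_label(labels[binary])
    loaded, queue, seen = [], list(needed.get(binary, [])), set()
    while queue:
        lib = queue.pop(0)
        if lib in seen:
            continue
        seen.add(lib)
        if not dominates(parse_label(labels[lib]), subj):
            # Proposed behaviour: fail the link rather than load a
            # lower-integrity object into a higher-integrity process.
            return False, loaded, lib
        loaded.append(lib)
        queue.extend(needed.get(lib, []))
    return True, loaded, None


# Constructed sample: a high-integrity daemon whose transitive dependency
# chain reaches a library labelled biba/low (say, one writable by the CGI
# user), and a low-integrity CGI that may load anything.
LABELS = {
    "/usr/sbin/daemon": "biba/high",
    "libc.so.7": "biba/high",
    "libssl.so.6": "biba/high",
    "libcrypto.so.6": "biba/high",
    "libhelper.so.1": "biba/low",
    "/usr/local/bin/cgi": "biba/low",
}
NEEDED = {
    "/usr/sbin/daemon": ["libssl.so.6", "libc.so.7"],
    "libssl.so.6": ["libcrypto.so.6", "libhelper.so.1"],
    "/usr/local/bin/cgi": ["libhelper.so.1", "libc.so.7"],
}

if __name__ == "__main__":
    for prog in ("/usr/sbin/daemon", "/usr/local/bin/cgi"):
        ok, loaded, offender = resolve(prog, LABELS, NEEDED)
        print(prog, "OK" if ok else "REFUSED at %s" % offender, loaded)
```

Running it shows the daemon's link refused at libhelper.so.1 after libssl, libc and libcrypto were accepted, while the low-integrity CGI loads the same helper without complaint; the check is one-directional by design, since Biba only forbids a high-integrity subject from consuming low-integrity input. In a real system this would have to live where the mapping is authorised (the kernel's mmap/open checks, or an rtld that consults the label), not in an unprivileged userland resolver that the attacker already controls.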