From: Matt <sendtomatt@gmail.com>
To: freebsd-hackers@freebsd.org
Cc: Ben Laurie
Subject: Re: Capsicum project: Ideas needed
Date: Thu, 07 Jul 2011 21:21:44 -0700
Message-ID: <4E1685D8.403@gmail.com>
In-Reply-To: <4E167C94.70300@kibab.com>
List-Id: Technical Discussions relating to FreeBSD <freebsd-hackers@freebsd.org>

On 07/07/11 20:42, Ilya Bakulin wrote:
> Hi hackers,
> As part of the ongoing effort to enhance the use of Capsicum in the FreeBSD base
> system, I want to ask you which applications in the base system should
> receive sandboxing support.
> So far, the following applications were sandboxed during the initial
> Capsicum research project:
> sshd: critical system service run by root;
> gzip: utility that operates with potentially buggy compression code;
> tcpdump: contains complex packet-parsing code, run by root.
> I have added sandboxing to syslogd, because this is also a critical
> system service run by root.
> I'm also going to add sandboxing to xz (compression algorithms) and ntpd
> (critical system service run by root).
>
> The question is: which applications should also be processed? I think
> that the most wanted candidates are SUID programs and/or popular network
> daemons.
> But looking at the gzip example I also think about text-processing tools in
> general.
>
> At the moment I prefer not to focus on applications that are used only
> on desktop systems -- the primary usage of FreeBSD is as an ultra-reliable
> serving platform, although the iXSystems guys may correct me :-)
>

I'm not too familiar with the operation of Capsicum, but in general anything with untrusted (including, in many cases, user) input can be worth sandboxing, especially in a server environment. Obviously server processes themselves are often worth restricting to things like jails or VMs, so sandboxing could be an alternative. I can also see cases where interpreters, database server software, and file viewers/editors could be sandboxed to prevent exploits from "running away" with the system via the exploited process. Especially in a server environment: 'sudo less /var/log/' and kablooey.

Admins may have to run "user" software, or non-SUID executables, which nonetheless receive the admin's elevated permissions. Call them usid, user set id, I suppose. Not the best, but it happens, especially when things need to work an hour ago.

A few ideas along those lines:
- any server software
- any interpreter (perl, python, etc.)?
- any shell?...
- minicom
- wget
- curl
- netcat
- links/lynx

Can it be made a switch on sudo?

sudo --sandbox=someprofile,option tcpdump -tti pflog0

Hopefully I'm not missing the boat and these ideas are applicable :)

Matt
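The thread above names gzip and tcpdump as sandboxed because they parse untrusted bytes while (in tcpdump's case) running as root, and Matt's point is that a sandbox should stop an exploited parser from "running away" with the system. The following is an added example of the pattern those utilities use, written for this page and not code from the Capsicum project or from FreeBSD's gzip: open the single file the program needs, restrict that descriptor to read-only rights, call cap_enter(), and only then run the parser (here a bounds-checked RFC 1952 gzip header parser) over untrusted input. It assumes the FreeBSD 10+ cap_rights_limit() API, which postdates this 2011 message (the research-era API was cap_new()); on a host without Capsicum it is assumed better to fail closed with ENOSYS than to parse unconfined. The file name on the command line and the gzip headers in the usage notes are constructed, hypothetical inputs.

```c
/* Added example, not code from the Capsicum project or FreeBSD's gzip: the
 * "acquire resources, cap_enter(), then parse" order the sandboxed gzip and
 * tcpdump use, applied to an RFC 1952 gzip header parser.  Assumes the
 * FreeBSD 10+ cap_rights_limit() API; without Capsicum it fails closed. */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#if defined(__FreeBSD__)
#include <sys/capsicum.h>
#endif

/* Limit fd to read/fstat and enter capability mode: afterwards open(2),
 * socket(2) etc. fail with ECAPMODE, so a parser bug reaches only this fd. */
static int enter_sandbox(int fd)
{
#if defined(__FreeBSD__)
    cap_rights_t rights;
    cap_rights_init(&rights, CAP_READ, CAP_FSTAT);
    if (cap_rights_limit(fd, &rights) == -1) return -1;
    return cap_enter();
#else
    (void)fd;
    errno = ENOSYS;   /* assumption: no sandbox on this host, so refuse */
    return -1;
#endif
}

/* Parse one gzip member header in buf[0, len).  Returns the offset of the
 * DEFLATE stream, or -1 if malformed/truncated; every optional field is
 * bounds-checked before it is skipped.  FNAME is copied into name (if
 * non-NULL), NUL-terminated and truncated to namesz - 1 bytes. */
static long gzip_header_len(const uint8_t *buf, size_t len,
                            char *name, size_t namesz)
{
    size_t pos = 10, xlen;    /* fixed part: ID1 ID2 CM FLG MTIME(4) XFL OS */
    const uint8_t *nul;
    uint8_t flg;
    if (name != NULL && namesz > 0) name[0] = '\0';
    if (len < pos || buf[0] != 0x1f || buf[1] != 0x8b || buf[2] != 8) return -1;
    flg = buf[3];
    if (flg & 0xe0) return -1;            /* reserved flag bits must be 0 */
    if (flg & 0x04) {                     /* FEXTRA: 2-byte LE length + data */
        if (len - pos < 2) return -1;
        xlen = (size_t)buf[pos] | ((size_t)buf[pos + 1] << 8);
        pos += 2;
        if (len - pos < xlen) return -1;
        pos += xlen;
    }
    if (flg & 0x08) {                     /* FNAME: NUL-terminated */
        if ((nul = memchr(buf + pos, 0, len - pos)) == NULL) return -1;
        if (name != NULL && namesz > 0) {
            size_t n = (size_t)(nul - (buf + pos));
            if (n > namesz - 1) n = namesz - 1;
            memcpy(name, buf + pos, n);
            name[n] = '\0';
        }
        pos = (size_t)(nul - buf) + 1;
    }
    if (flg & 0x10) {                     /* FCOMMENT: NUL-terminated */
        if ((nul = memchr(buf + pos, 0, len - pos)) == NULL) return -1;
        pos = (size_t)(nul - buf) + 1;
    }
    if (flg & 0x02) {                     /* FHCRC: 2-byte CRC16 */
        if (len - pos < 2) return -1;
        pos += 2;
    }
    return (long)pos;
}

int main(int argc, char **argv)
{
    uint8_t buf[4096];
    char name[256];
    ssize_t n;
    long off;
    int fd;
    if (argc != 2 || (fd = open(argv[1], O_RDONLY)) == -1) {  /* 1. acquire */
        fprintf(stderr, "usage: %s file.gz\n", argv[0]);
        return 2;
    }
    if (enter_sandbox(fd) == -1) {                            /* 2. confine */
        perror("enter_sandbox");
        return 1;
    }
    n = read(fd, buf, sizeof buf);                            /* 3. parse sandboxed */
    off = n < 0 ? -1 : gzip_header_len(buf, (size_t)n, name, sizeof name);
    if (off == -1) {
        fprintf(stderr, "%s: malformed gzip header\n", argv[1]);
        return 1;
    }
    printf("DEFLATE data at offset %ld, name \"%s\"\n", off, name);
    return 0;
}
```

The ordering is the whole point: everything the program will ever need (the input descriptor) is acquired before cap_enter(), so a memory-safety bug in gzip_header_len() gives an attacker a process that can read one file and nothing else; it cannot open /etc/master.passwd, connect out, or exec a shell. The parser itself shows the checks a reviewer looks for in such code: every variable-length field (FEXTRA length, the NUL-terminated FNAME and FCOMMENT, the optional CRC16) is bounded against the remaining buffer before the cursor moves, and the copied file name is clamped to the caller's buffer. For a constructed 19-byte header with FNAME set and name "a.txt", the function returns offset 16; the same bytes cut to 12 (no terminating NUL) return -1 rather than reading past the buffer.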