From: Bjoern Fischer
Date: Fri, 31 May 2002 12:50:59 +0200
To: Frank van Vliet
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: sandboxing untrusted binaries
Message-ID: <20020531105059.GA720@no-support.loc>
References: <20020530025817.GA4390@no-support.loc> <20020531040714.G86421@root66.org>
In-Reply-To: <20020531040714.G86421@root66.org>

Hi Frank,

> The idea of sandboxing binaries is nice of course but there is a
> conceptual drawback.
>
> I think you can divide the programs you run in two groups:
>
> the group of extra privileged programs which need that for changing
> passwords or for allowing users to log into their shell (ssh etc).
These types of programs are not the target of systrace. Normally you have the sources for programs that need raised privileges, so these programs can be trusted. If you expect security risks when you set up larger applications that partially need root privileges, you probably want to use jail(8) or capabilities (FreeBSD-5?).

> The second group is more for trying to keep hackers from gaining local
> access. The examples provided by systrace are for this group of
> programs. But, the same concept applies: the binary needs to run locally
> and access local files and even write to files. A web browser still needs
> to execute xpdf, the user still needs to be able to specify what program
> to run for PDFs. You can limit the possibilities, but the minimal
> capabilities a program needs to function are always enough for a hacker.

I think you are wrong here. If there are normal user applications that let local users compromise the system, the operating system is flawed. And even if there are any, users who attempt to compromise the system, or who behave grossly negligently regarding system security, are candidates for rmuser(8) anyway.

The target of systrace is not the local user (or unwelcome "visitor" disguised as a local user) who attempts to hack the system. This will never work, since you can always install a non-sandboxed version of the affected software with normal user privileges.

systrace is not for sandboxing users but for sandboxing untrusted binaries, such as netscape for example. Of course you would never run netscape as root. But you may even consider your "normal" user privileges as too powerful (reading PGP keys, tampering with .rhosts or xauth, deleting your reports).

> I have coded similar things for linux, the main problem is the
> performance hit. For every system call, you will need to check against
> the policy and systrace even provides regular expression filters etc.

I don't expect a greater performance hit than ktrace.
By far the most system calls are read() and write() anyway.

Björn Fischer
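The point above, that systrace is meant to confine an untrusted binary such as netscape below the already-limited rights of a normal user (PGP keys, .rhosts, xauth), is easiest to see as a policy file. The following is an added illustration by the editor, not part of the original message and not a policy shipped with systrace. It uses the policy language as documented in systrace(1) (Policy:/Emulation: header, <emulation>-<syscall> rules, permit/deny[errno]); the emulation name "native", the home directory /home/bjoern and the binary path /usr/local/bin/netscape are assumptions and should be adapted to the installed systrace port, which may also name the emulation differently.

```text
# ~/.systrace/usr_local_bin_netscape  (hypothetical path; systrace derives
# the policy file name from the binary path with '/' replaced by '_')
Policy: /usr/local/bin/netscape, Emulation: native
	# things a browser legitimately needs
	native-fsread: filename match "/usr/lib/*" then permit
	native-fsread: filename match "/usr/X11R6/lib/*" then permit
	native-fsread: filename match "/usr/local/lib/netscape/*" then permit
	native-fsread: filename eq "/etc/resolv.conf" then permit
	native-fswrite: filename match "/home/bjoern/.netscape/*" then permit
	native-fswrite: filename match "/tmp/*" then permit
	native-connect: sockaddr match "inet-*:80" then permit
	native-connect: sockaddr match "inet-*:443" then permit
	native-connect: sockaddr match "inet-*:53" then permit
	# the browser may hand a PDF to the viewer the user configured, nothing else
	native-execve: filename eq "/usr/local/bin/xpdf" then permit
	native-execve: filename match "*" then deny[eperm]
	# the user's own secrets are out of reach even though the UID could read them;
	# deny[enoent] makes the files look absent instead of producing EPERM noise
	native-fsread: filename match "/home/bjoern/.gnupg/*" then deny[enoent]
	native-fsread: filename match "/home/bjoern/.pgp/*" then deny[enoent]
	native-fsread: filename eq "/home/bjoern/.rhosts" then deny[enoent]
	native-fswrite: filename eq "/home/bjoern/.rhosts" then deny[eperm]
	native-fsread: filename eq "/home/bjoern/.Xauthority" then deny[enoent]
	native-fswrite: filename eq "/home/bjoern/.Xauthority" then deny[eperm]
	native-fswrite: filename match "/home/bjoern/reports/*" then deny[eperm]
	# raise sockets and other calls that do not fit the lists above, so that
	# anything unexpected is logged when running with automatic enforcement
	native-bind: sockaddr match "*" then deny[eperm] log
```

Run the browser as `systrace -a netscape` so that system calls not matched by any rule are denied rather than prompted for; during policy development, `systrace -A netscape` records the calls it actually makes and can be used to build the permit list before adding the deny rules. The deny rules only take effect for the copy of netscape started under systrace, which is exactly the limitation the message points out: a user can always run a non-sandboxed copy, so this protects the user from the binary, not the system from the user.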