From owner-freebsd-hackers Tue Apr 23 18:50:41 2002 Delivered-To: freebsd-hackers@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 4793E37B400; Tue, 23 Apr 2002 18:50:30 -0700 (PDT) Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.6/8.11.6) with SMTP id g3O1ccw36036; Tue, 23 Apr 2002 21:38:38 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Tue, 23 Apr 2002 21:38:38 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: "Greg 'groggy' Lehey" Cc: Jordan Hubbard , Oscar Bonilla , Anthony Schneider , Mike Meyer , hackers@FreeBSD.ORG Subject: Re: Security through obscurity? (was: ssh + compiled-in SKEY support considered harmful?) In-Reply-To: <20020424090655.O6425@wantadilla.lemis.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Wed, 24 Apr 2002, Greg 'groggy' Lehey wrote: > > A more conservative default configuration results in a material > > improvement in system security. > > *snip* By snipping here, you removed reference to the fact that this was a general discussion of direction and policy, rather than specifically to do with X11, which provides an answer to a number of your questions. > > A reasonable set of criteria might include: > > > > - There have been past vulnerabilities that were exploitable by having the > > feature enabled by default. > > Which in this case? As indicated, not all of these criteria may apply in every case -- this was just a suggested list of criteria that might be applied. There have been a number of vulnerabilities in a number of different X protocol implementations. Many of them require first getting past the normal X access control mechanisms before they may be exploited, but not all. > > - The complexity and exposure of the feature lends it to future > > vulnerabilities. > > I don't see any relevance here. If you think that's a problem, then you didn't read my e-mail. However, there is actually a great deal of relevance here: protocol and implementation complexity have a lot to do with the chances that there will be a serious vulnerability. Likewise, the level of privilege associated with X11 is highly relevant: if you compromise the X server, you've got a lot to play with. > > - Turning the feature on is difficult or impossible without high levels of > > expertise. > > Fortunately, this is the case here as well. Otherwise it would really > have broken X. Sounds good to me. > > - The feature does/does not have more secure alternatives accepted by the > > broader community. > > The broader community hasn't been consulted here. Not entirely clear, but worth discussing. > > "Security by obscurity" does not refer to the act of selecting a > > conservative security policy, > > Don't get hung up on terminology. If you can't use terminology properly, we'll have a lot of trouble holding a useful conversation. I objected to your use of the term, because it has a specific meaning, and that meaning doesn't apply here. If you're not going to use the term, maybe we agree on more than we think. > What I'm talking about here are differences which users of other UNIX > systems won't know about and which will make life difficult for them, to > the extent that the casual user won't bother to try to solve the > problem. > > In the current issue of AUUGN, the journal of the Australian UNIX User > group (http://www.auug.org.au/), we gave away a FreeBSD 4.5 CD-ROM. > Based on previous actions, I'm expecting a number of people to try it > out. They're mainly experienced UNIX users; they won't want to go > reading through 80 pages of man pages when their X fails to work. > They'll throw away the CD and go back to what they were using before. I'm more interested in the general issue here, since you made the general assertion that there was a problem that stretched beyond this one issue. I'm happy to entertain the idea that we discuss this specific issue in more detail. In particular, the decision to not bind the X11 port might take into account this particular implementation (XFree86), and whether we can make this setting more accessible to the administrator (i.e., something that could be mechanically twiddled, rather than through manual editing of scripts...) > >> 2. Document these things very well. Both this ssh change and the X > >> without TCP change are confusing. If three core team members were > >> surprised, it's going to surprise the end user a whole lot more. > >> We should at least have had a HEADS UP, and we probably need a > >> security policy document with the distributions. > > > > Part of your confusion > > That's not the correct word. Not your confusion, rather, the general confusion regarding where the feature change can/should be documented, and how people should be made aware of this kind of change. > > is probably because X11 isn't part of the base system, so events > > concerning the X11 port don't tend to get discussed much on the > > general-purpose mailing lists. > > I think the issue here is that individuals make this kind of decision. > We need a broader consensus for this kind of change. As Jochem points > out, only 3 people were involved in the decision, all of them people > with security profiles which weren't affected by this change. For something like X11, we need a freebsd-x11 mailing list. Or maybe freebsd-xfree86. For most other large third party applications, we either have a single authoritative maintainer, or a mailing list. For example, both Gnome and KDE have these. > > These kinds of things do get discussed on the release engineering > > lists, questions, etc. It may be we need a "ports release notes", > > but that's an effort that's going to have to come out of the ports > > space. > > There's another issue here. This isn't the first port I've seen which > has made gratuitous changes to the original package. By "gratuitous" I > mean changes which are not necessary for making the package work under > FreeBSD. If people want to modify the behaviour of the package, they > should create a second port which clearly identifies that the behaviour > has been changed from the default. We adapt a number of applications for the FreeBSD environment and configuration. A more common way to distinguish our localizations is through a WITH_GRATUITOUS_LOCAL_CHANGES make argument, or via an interactice interface (for example, ghostscript). > > BTW, another reason few people noticed is that at this point, the > > accepted best practice for X11 forwarding is to use SSH, which can > > forward TCP-based X11 to the unix domain socket X11 communication > > primitive. The result is that X11/TCP turned off on your > > workstation doesn't limit access when you log into remote servers > > using SSH, as long as you have X11 forwarding enabled for the server > > you're logging into. > > Have you tried doing that with a Sun 3/60? Or with an AIX box? This > fix even stops connections from the same machine if you use a domain > name display format (echunga:0.2 instead of :0.2). Obsolete hardware is not an excuse for avoiding continued development. The AIX argument is more valid :-). Unfortunately, I got rid of my Sun 3/60 a few years ago. Good for a space heater, though... > > BTW, my notion of ease of use for services would be something like the > > following: ... > > My notion of ease of use would be dependent on the securelevel. I run a > network which is heavily firewalled (has to be: I have Linux boxes here > too :-), and within which the security is very lax. I have yet to see > any proof that this is a problem. Sure, set the machine up for secure > operation by default, and issue dire warnings about relaxing security, > but don't try to know better than the user. Securelevels are a specific security model that doesn't relate to this at all. Arguably, securelevels contribute more to shoot footing than about any other feature we provide easy access to with sysinstall. I'd rather leave securelevels as they are: a model restricting root privilege, and not tangle them into any more features than necessary. Securelevels are *not* a good model for security management, although they might act as a tool in a general security posture. The "security profile" concept has provided for similar confusion and problems -- witness NFS breaking between our platform and others because someone selected the default (cancel) rather than moderate as their security profile, but not to other platforms. Tying a bunch of unrelated security features together rather than just itemizing them causes a lot of confusion, especially when the security feature menus conflict with other menus that toggle the same features (enabling NFS specifically vs. having it turned back off again by sysinstall for a security profile). If we can expose this feature via rc.conf, just make it a seperate rc.conf entry and twiddle it off of the security configuration manu in sysinstall. Is that something we can do easily? Robert N M Watson FreeBSD Core Team, TrustedBSD Project robert@fledge.watson.org NAI Labs, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message