From owner-freebsd-security Thu Jun 14 12: 4:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.webmonster.de (datasink.webmonster.de [194.162.162.209]) by hub.freebsd.org (Postfix) with SMTP id 8DF3737B401 for ; Thu, 14 Jun 2001 12:04:06 -0700 (PDT) (envelope-from karsten@rohrbach.de) Received: (qmail 51836 invoked by uid 1000); 14 Jun 2001 19:04:27 -0000 Date: Thu, 14 Jun 2001 21:04:27 +0200 From: "Karsten W. Rohrbach" To: Kris Kennaway Cc: Alex Popa , security@freebsd.org Subject: Re: Compiling untrusted source -- what are the risks? Message-ID: <20010614210427.E49807@mail.webmonster.de> Mail-Followup-To: "Karsten W. Rohrbach" , Kris Kennaway , Alex Popa , security@freebsd.org References: <20010613092402.A8413@ldc.ro> <20010613130313.B64020@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="924gEkU1VlJlwnwX" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010613130313.B64020@xor.obsecurity.org>; from kris@obsecurity.org on Wed, Jun 13, 2001 at 01:03:13PM -0700 X-Arbitrary-Number-Of-The-Day: 42 X-URL: http://www.webmonster.de/ X-Disclaimer: My opinions do not necessarily represent those of my employer Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --924gEkU1VlJlwnwX Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Kris Kennaway(kris@obsecurity.org)@2001.06.13 13:03:13 +0000: > On Wed, Jun 13, 2001 at 09:24:02AM +0300, Alex Popa wrote: >=20 > > The step I am worried about is the compiling, since I do need to have > > the include files and libraries available. The output should be a > > statically linked file, which would run in a jail (separate one per > > source file) which contains nothing more than the compiled binary, and > > the input file. The evaluation program will run in a separate jail, > > given only the output file from the program, and maybe an "expected > > results" file. I plan on using ipfw to block all traffic on that > > machine (will be a dedicated machine) not coming from a few trusted > > uids (like root and the evaluation process). I also plan setting up > > resource limits, and not running more evaluation jobs at the same time > > (ruins timing). >=20 > You could do this step in a jail if you wanted to. If you're using > user-supplied makefiles, then they can run arbitrary commands. If > you're using a fixed set of compiler invocations and the standard > toolchain then it should probably be okay (I don't know of any ways to > cause the compiler toolchain to execute arbitrary commands during > compilation). >=20 although, being a paranoid bastard myself, i would reconstruct the whole jail after creating a backup of the work environment only when the evaluation process for one package is finished. this gives you a clean slate point of start for everything again. /k --=20 > Only wimps use tape backups; real men put their software on ftp-servers > and let the rest of the world mirror it. --Linus Torvalds KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.n= et/ karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 B= F46 --924gEkU1VlJlwnwX Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7KQq7M0BPTilkv0YRAg6AAJ9bQm0Z+cpG7ot+U4U8AS4qBDbKpwCgimiJ 2rGsx2jvvXWiPkJdndAey1A= =e+DU -----END PGP SIGNATURE----- --924gEkU1VlJlwnwX-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message