Date: Fri, 31 May 2002 12:50:59 +0200
From: Bjoern Fischer <bfischer@Techfak.Uni-Bielefeld.DE>
To: Frank van Vliet <karin@root66.org>
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: sandboxing untrusted binaries
Message-ID: <20020531105059.GA720@no-support.loc>
In-Reply-To: <20020531040714.G86421@root66.org>
References: <20020530025817.GA4390@no-support.loc> <20020531040714.G86421@root66.org>
Hi Frank,

> The idea of sandboxing binaries is nice of course but there is a
> conceptual drawback.
>
> I think you can divide the programs you run in two groups:
>
> the group of extra privileged programs which need that for changing
> passwords or for allowing users to log into their shell (ssh etc).

These types of programs are not the target of systrace. Normally you have the sources for programs that need raised privileges, so these programs can be trusted. If you expect security risks when you set up larger applications that partially need root privileges, you probably want to use jail(8) or capabilities (FreeBSD-5?).

> The second group is more for trying to keep hackers from gaining local
> access. The examples provided by systrace are for this group of
> programs. But, the same concept applies: the binary needs to run locally
> and access local files and even write to files. A web browser still needs
> to execute xpdf, the user still needs to be able to specify what program
> to run for PDFs. You can limit the possibilities, but the minimal
> capabilities a program needs to function are always enough for a hacker.

I think you are wrong here. If there are normal user applications that let local users compromise the system, the operating system is flawed. And even if there are any, users who attempt to compromise the system, or who behave grossly negligently regarding system security, are candidates for rmuser(8) anyway.

The target of systrace is not the local user (or unwelcome "visitor" disguised as a local user) who attempts to hack the system. This will never work, since you can always install a non-sandboxed version of the affected software with normal user privileges. systrace is not for sandboxing users but for sandboxing untrusted binaries, such as netscape for example. Of course you would never run netscape as root. But you may even consider your "normal" user privileges as too powerful (reading PGP keys, tampering with .rhosts or xauth, deleting your reports).

> I have coded similar things for linux, the main problem is the
> performance hit. For every system call, you will need to check against
> the policy and systrace even provides regular expression filters etc.

I don't expect a greater performance hit than ktrace. By far most system calls are read() and write() anyway.

Björn Fischer
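Added example, not part of the thread: a constructed systrace policy of the kind this discussion is about. It confines a browser binary to its own profile directory and /tmp, to DNS and web ports, and to the single helper program (xpdf) the quoted mail mentions, while logging attempts on the sensitive files named above. The binary paths, the $HOME shorthand and the rule set are assumptions, not a policy shipped with systrace.

```text
# Constructed policy; paths and rules are assumptions for illustration.
# Rules are matched in order; the first matching entry decides.
Policy: /usr/X11R6/bin/netscape, Emulation: native
	# Explicitly refuse the sensitive user files first, and log the attempt
	native-fsread: filename match "$HOME/.gnupg/*" then deny[eperm] log
	native-fsread: filename eq "$HOME/.rhosts" then deny[eperm] log
	native-fswrite: filename eq "$HOME/.rhosts" then deny[eperm] log
	native-fswrite: filename eq "$HOME/.Xauthority" then deny[eperm] log

	# Read access to shared libraries, X11, resolver config and the profile
	native-fsread: filename match "/usr/lib/*" then permit
	native-fsread: filename match "/usr/X11R6/lib/*" then permit
	native-fsread: filename eq "/etc/resolv.conf" then permit
	native-fsread: filename match "$HOME/.netscape/*" then permit
	native-fsread: filename match "/tmp/*" then permit

	# The only places the browser legitimately writes: profile/cache and /tmp
	native-fswrite: filename match "$HOME/.netscape/*" then permit
	native-fswrite: filename match "/tmp/*" then permit

	# Network: DNS, HTTP and HTTPS only
	native-connect: sockaddr match "inet-*:53" then permit
	native-connect: sockaddr match "inet-*:80" then permit
	native-connect: sockaddr match "inet-*:443" then permit

	# The helper application from the thread: xpdf may be executed, nothing else
	native-execve: filename eq "/usr/X11R6/bin/xpdf" then permit
	native-execve: filename match "*" then deny[eperm] log

	# Catch-all for file access: deny with EPERM and log; use "ask" instead of
	# "deny[eperm]" while building the policy to be prompted for each new path
	native-fsread: filename match "*" then deny[eperm] log
	native-fswrite: filename match "*" then deny[eperm] log
```

The minimal capability set (exec xpdf, write the profile) stays reachable, which is exactly the trade-off the quoted mail raises; the policy's value is that every other access is refused and logged rather than silently allowed.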