Re: A few thoughts..

From: H. S. (security_at_revolutionsp.com)
Date: 03/30/05

    Date: Wed, 30 Mar 2005 11:06:53 -0600 (CST)
    To: freebsd-hackers@freebsd.org
    
    

    Thanks for all the replies, I'm considering mounting /home noexec, and
    installing the most common stuff system-wide, so it can be executed by any
    user.

    As I stated previously, I'm not much of a C programmer, but I can do some
    coding. I've been thinking about changing the core of the system a bit to
    return errors if some information is accessed by a normal user. I'd like
    to know if getuid() would work that deep in the system? And how can I
    register sysctl MIBs in the kernel?

    For example, say I wanted to create a kern.disclosure.no_dmesg. Assuming
    I could find the piece(s) of code that dmesg (talking dmesg here, but I'll
    try to change some other stuff too) ultimately goes to, how would I
    compare the sysctl kern.disclosure.no_dmesg to 1 or 0? A good paper on
    this would be a very nice lead.

    Thanks!

    >
    >> -----BEGIN PGP SIGNED MESSAGE-----
    >> Hash: SHA1
    >>
    >> On Tue, 29 Mar 2005, H. S. wrote:
    >>
    >>>> If you don't want users to run random binaries put /home and /tmp on
    >>>> their own partitions and mount them noexec. Also note that users can
    >>>> still read that info by accessing /var/log/messages and
    >>>> /var/run/dmesg.boot
    >>>>
    >>>
    >>> I do want them to run random binaries, such as psybncs, eggdrops,
    >>> shoutcast servers, etc. Mounting /home noexec isn't an option, /tmp is
    >>> noexec tho.
    >>
    >> On the other hand, you could provide safe and secure system provided
    >> binaries that they would have to use instead of compiling their own,
    >> which would solve the case and ultimately when upgrading the package
    >> provided to them would upgrade all the users at once without you
    >> having to worry about insecurities being scattered throughout your
    >> system. Now I could see if this was a development server then you
    >> obviously would want to allow your users to do such a thing but since
    >> you mentioned things like psybnc, shoutcast, etc... the thought to me
    >> doesn't resemble a development server. So my suggestion would be
    >> provide the software they need on an as-is basis and take requests and
    >> mount the user partition with the [noexec] option and tune sysctl
    >> and operate in a secure level + chmod/chflag the proper files and
    >> make 1 jail for the whole user based part of the system for all that
    >> to run out of.
    >>
    >> Best of luck,
    >> --c0ldbyte
    >>
    >>
    >> -----BEGIN PGP SIGNATURE-----
    >> Version: GnuPG v1.4.0 (FreeBSD)
    >>
    >> iD8DBQFCSfZKsmFQuvffl58RAsw0AJkB6cLDGL4dsY9FAGrKZatn8+MotQCfeEX3
    >> 5R8zcR7nyVJQL1dgub0/nj0=
    >> =h8hs
    >> -----END PGP SIGNATURE-----
    >> _______________________________________________
    >> freebsd-hackers@freebsd.org mailing list
    >> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
    >> To unsubscribe, send any mail to
    >> "freebsd-hackers-unsubscribe@freebsd.org"
    >>
    >
    >
