headers
Amon Ott | 1 Dec 2003 14:25

Re: Security patches

On Samstag, 29. November 2003 10:05, Martin Pitt wrote:
> RSBAC has a lot of nice features and seems pretty well designed, but I
> do not use it because of the following:
> 
> - Security policies (ACLs etc.) are altered by calling command line
>   programs which modify binary files. I don't quite like that, I'm
>   more fond of keeping everything in a single human-readable
>   configuration file. But that is really a matter of taste.

To make it clear: Of course, no binary executables get touched, rather the 
persistent configuration is stored in fully protected binary files, which are 
thus safe from tampering.

> - It needs an extra account ("security officer" with UID 400) which is
>   a pretty bad idea IMHO. Since once you are SO (cracked/sniffed
>   password etc.), you can alter anything which seems like a giant
>   security risk to me.

You are only talking about the default configuration here, which is meant to 
get you going. Several of the implemented security models in the RSBAC 
framework support real separation of duty, e.g. with RC model you can 
distribute administration over many different roles for many different 
accounts.

Additionally, how would you become uid 400, if you are not allowed to setuid 
to this id? Or what would it help you, if the administrative rights got 
removed? This is an important difference to root - the system starts as root, 
so there is no way to protect the uid.

Now, in contrast, think of global configuration files: Once you are allowed to
(Continue reading)

Permalink | Reply | 0 comments |
headers
Amon Ott | 1 Dec 2003 14:50

patch-2.4.23-v1.2.2.gz uploaded to /pre

Hi folks,

since 2.4.23 is out I have upgraded the v1.2.2 patch and am just uploading it 
to http://rsbac.org/pre/

After some days without bug reports, I will move the patch and the prepatched 
kernel archive to /pre and /kernels respectively.

Amon.
--

-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
Permalink | Reply | 1 comment |
headers
Amon Ott | 1 Dec 2003 16:02

Re: patch-2.4.23-v1.2.2.gz uploaded to /pre

On Montag, 1. Dezember 2003 14:50, Amon Ott wrote:
> since 2.4.23 is out I have upgraded the v1.2.2 patch and am just uploading 
it 
> to http://rsbac.org/pre/

Unfortunately, I happened to upload the wrong patch file - sorry for the 
inconvenience. The right one is now up.

The prepatched kernel (in the same dir this time to prevent premature 
downloads) was and is correct.

Amon.
--

-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
Permalink | Reply | 0 comments |
headers
Joachim Ring | 1 Dec 2003 22:08
Picon

Re: JAIL and outgoing tcp connections

On Sun, Nov 30, 2003 at 20:05:20 +0100, Amon Ott wrote:
> Yes, I know it can take some time.

but i keep learning all the time - RSBAC with all its models has so many
ways to reach a given goal, with bell-la padula we considered ourselves
lucky if we found one...

> > i was in the process of jailing an apache when i remembered that i
> > wanted this as a reverse proxy and shure enough, all attempts to proxy a
> > request were killed with a CONNECT forbidden by JAIL...
> 
> Your apache seems to connect from a not allowed IP address. Do you use 
> auto-adjust?

not really shure what you mean with auto-adjust, is this mentioned in
the text from rsbac_jail -? this is about everything i have on JAIL...

anyways, here's the line i start my apache with:

/usr/bin/rsbac_jail -loi /opt/www 192.168.1.10 $HTTPD -d
/servers/instancename -f conf/httpd.conf -k start -DSSL

> Just to be sure, please send us the command line you use to jail-start apache 
> and the log entry, when CONNECT is denied.

Mon Dec  1 09:48:58 2003 :<6>0000000377|rsbac_adf_request(): request
CONNECT, pid 18340, ppid 16764, prog_name httpd, uid 65532, target_type
NETOBJ, tid f35cdcd0 INET STREAM proto TCP local 0.0.0.0:0 remote
192.168.1.20:80, attr , value 0, result NOT_GRANTED by JAIL
(Continue reading)

Permalink | Reply | 1 comment |
headers
Amon Ott | 2 Dec 2003 08:54

Re: JAIL and outgoing tcp connections

On Montag, 1. Dezember 2003 22:08, Joachim Ring wrote:
> On Sun, Nov 30, 2003 at 20:05:20 +0100, Amon Ott wrote:
> > Yes, I know it can take some time.
> 
> but i keep learning all the time - RSBAC with all its models has so many
> ways to reach a given goal, with bell-la padula we considered ourselves
> lucky if we found one...

This is consistent with my MAC experience. :)

> > > i was in the process of jailing an apache when i remembered that i
> > > wanted this as a reverse proxy and shure enough, all attempts to proxy a
> > > request were killed with a CONNECT forbidden by JAIL...
> > 
> > Your apache seems to connect from a not allowed IP address. Do you use 
> > auto-adjust?
> 
> not really shure what you mean with auto-adjust, is this mentioned in
> the text from rsbac_jail -? this is about everything i have on JAIL...

auto-adjust is the JAIL feature, which adjusts your IP address automatically. 
It is not on by default, because it changes standard behaviour.

> anyways, here's the line i start my apache with:
> 
> /usr/bin/rsbac_jail -loi /opt/www 192.168.1.10 $HTTPD -d
> /servers/instancename -f conf/httpd.conf -k start -DSSL

Add a "-a" to the rsbac_jail options.
(Continue reading)

Permalink | Reply | 0 comments |
headers
Amon Ott | 2 Dec 2003 09:20

Compile error in MAC / 2.4.23-v1.2.2 prepatched

Hi!

In the prepatched kernel source archive 
linux-2.4.23-rsbac-v1.2.2-bf5.tar.bz2
in /pre there was a MAC compile error. I am currently uploading the corrected 
version. Other versions and modules are not affected by this bug.

Amon.
--

-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
Permalink | Reply | 0 comments |
headers
Amon Ott | 2 Dec 2003 11:36

Local root exploit in 2.4.22 and previous

Hello folks,

there is a local root exploit present in 2.4 kernels up to 2.4.22. The 
following patch agains mm/mmap.c fixes it (offsets are from an RSBAC and PaX 
patched kernel, expect offset warning!):

--- mmap.c~     Thu Nov  6 09:24:32 2003
+++ mmap.c      Tue Dec  2 10:27:38 2003
 <at>  <at>  -1306,6 +1306,9  <at>  <at> 
        if (!len)
                return addr;

+       if ((addr + len) > TASK_SIZE || (addr + len) < addr)
+               return -EINVAL;
+
        /*
         * mlock MCL_FUTURE?
         */

Amon.
--

-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
Permalink | Reply | 5 comments |
headers
Amon Ott | 2 Dec 2003 11:37

Re: Local root exploit in 2.4.22 and previous

On Dienstag, 2. Dezember 2003 11:36, Amon Ott wrote:
> there is a local root exploit present in 2.4 kernels up to 2.4.22. The 
> following patch agains mm/mmap.c fixes it (offsets are from an RSBAC and PaX 
> patched kernel, expect offset warning!):
> 
> --- mmap.c~     Thu Nov  6 09:24:32 2003
> +++ mmap.c      Tue Dec  2 10:27:38 2003
>  <at>  <at>  -1306,6 +1306,9  <at>  <at> 
>         if (!len)
>                 return addr;
> 
> +       if ((addr + len) > TASK_SIZE || (addr + len) < addr)
> +               return -EINVAL;
> +
>         /*
>          * mlock MCL_FUTURE?
>          */

If you want to add these three lines by hand, the function is do_brk().

Amon.
--

-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
Permalink | Reply | 0 comments |
headers
Amon Ott | 2 Dec 2003 14:15

Fwd: Re: Will 2.4.20 Source be patched for the latest kernel vulnerability?

Hi!

Just found a workaround for the 2.4 sys_brk bug. It seems sufficient to limit 
the address space to max. 2GB, e.g. using RSBAC RES module:

As secoff etc:
- start rsbac_user_menu
- Choose RES default user
- Select RES max resources
- Set AS resource e.g. to 2000000000 (2 with 9 zeroes = 2GB)

Best solution is of course the patch.

Amon.

----------  Forwarded Message  ----------

Subject: Re: Will 2.4.20 Source be patched for the latest kernel 
vulnerability?
Date: Dienstag, 2. Dezember 2003 12:52
From: Christian Horchert <chorchert <at> veedev.de>
To: debian-security <at> lists.debian.org
Cc: peace bwitchu <peacebwitchu <at> yahoo.com>

Am 02.12.2003 um 02:52 schrieb peace bwitchu:

> Will 2.4.20 Source be patched for the latest kernel
> local root vulnerability?

On SuSE-Security Roman Drahtmüller has posted a workaround
(Continue reading)

Permalink | Reply | 602 comments |
headers
Amon Ott | 2 Dec 2003 14:25

Re: Fwd: Re: Will 2.4.20 Source be patched for the latest kernel vulnerability?

On Dienstag, 2. Dezember 2003 14:15, Amon Ott wrote:
> Just found a workaround for the 2.4 sys_brk bug. It seems sufficient to 
limit 
> the address space to max. 2GB, e.g. using RSBAC RES module:
> 
> As secoff etc:
> - start rsbac_user_menu
> - Choose RES default user
> - Select RES max resources
> - Set AS resource e.g. to 2000000000 (2 with 9 zeroes = 2GB)
> 
> Best solution is of course the patch.

This workaround is also not sufficient, although it helps against some 
attacks. Please read http://isec.pl/vulnerabilities/isec-0012-do_brk.txt

It is strongly recommended to patch or to update! Please realize that this bug 
is not a root, but a kernel exploit, so there is no protection!

Amon.
--

-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
Permalink | Reply | 0 comments |

Gmane