* box is back
From: Russell Coker, 2003-01-21 12:59 UTC
To: selinux; +Cc: Don Marti

I have a new SE Linux play machine online.

ssh -p 222 root@adsl.coker.com.au
Password "1234"

IRC channel is #selinux on irc.debian.org.

It's using the latest kernel patch (compiled with GCC 3.2) and policy. This time almost everything runs as root and almost all files and directories are mode 777 (some daemons change things and I've installed a few new packages that have resulted in some files with restrictive permissions). It's difficult to keep everything mode 777, but the general aim is for SE Linux to be the only security mechanism.

I plan to also change all daemons apart from sshd to not use other UIDs as well, and change the spasswd wrapper to allow you to change your password.

If anyone wants their own role so that they can avoid having lamers kill their shell then let me know by private email.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
* Re: box is back
From: Jakob Oestergaard, 2003-01-27 0:56 UTC
To: Russell Coker; +Cc: selinux, Don Marti

On Tue, Jan 21, 2003 at 01:59:35PM +0100, Russell Coker wrote:
> I have a new SE Linux play machine online.
> ssh -p 222 root@adsl.coker.com.au
> Password "1234"

Hello Russell,

And thanks for putting the box up, for us newbies to toy with ;)

Two (minor, all right) things that caught my attention:

1) One can see dmesg when in the user_r role. This means I can see what everyone else tried and did - which may (?) in turn reveal information about which files exist in places I'm not supposed to know about.

2) One can see all PIDs in /proc. Yes, it's not possible to look further than that - but it still gives valuable information (such as how much logging this box is likely to run, by looking at which low-numbered PIDs exist). It's a fairly high bandwidth covert channel as well, but I guess that's not really a concern for the moment ;)

I don't know if any of this is a concern - I think the dmesg one is the serious one (if I'm not completely mistaken about it).

Anyways, cheers, and thanks again,

--
................................................................
: jakob@unthought.net      : And I see the elder races,         :
:.........................: putrid forms of man                 :
: Jakob Østergaard         : See him rise and claim the earth,  :
: OZ9ABN                   : his downfall is at hand.           :
:.........................:............{Konkhra}...............:
* Re: box is back
From: Russell Coker, 2003-01-27 8:56 UTC
To: Jakob Oestergaard; +Cc: selinux

On Mon, 27 Jan 2003 01:56, Jakob Oestergaard wrote:
> On Tue, Jan 21, 2003 at 01:59:35PM +0100, Russell Coker wrote:
> > I have a new SE Linux play machine online.
> > ssh -p 222 root@adsl.coker.com.au
> > Password "1234"
>
> And thanks for putting the box up, for us newbies to toy with ;)
>
> Two (minor, all right) things that caught my attention:
> 1) One can see dmesg when in the user_r role. This means I can see
> what everyone else tried and did - which may (?) in turn reveal
> information about which files exist in places I'm not supposed to
> know about.

True. You don't want to run a production server in this fashion. However, for learning purposes it's best to show such things so that you know why your actions were denied.

> 2) One can see all PIDs in /proc.
> Yes, it's not possible to look further than that - but it still gives
> valuable information (such as how much logging this box is likely to
> run, by looking at which low-numbered PIDs exist). It's a fairly
> high bandwidth covert channel as well, but I guess that's not really
> a concern for the moment ;)

The SE project is not concerned with covert channels; if you search the NSA web site enough I think you'll find an official statement to this effect.

As for showing the existence of pids via "ls /proc", this is because read access is granted to the /proc (proc_t) directory to allow "ps ax" to show your processes. SE Linux has no facilities to change readdir() in any way; it can only permit or deny the action on a particular directory.

This is probably one of the most requested features in SE Linux. However, there are issues. With the design of SE Linux we don't want special case code for /proc (as OpenWall does). Having this code for other directories such as /tmp brings issues such as the fact that if you suspect /tmp/abc exists then a simple creat("/tmp/abc", ...) will verify that fact; doing this properly would probably require multiple views of directories. Multiple views have been discussed in the past. Steve, are there any current plans for implementing it?

> I don't know if any of this is a concern - I think the dmesg one is the
> serious one (if I'm not completely mistaken about it).

If you want a seriously secure SE Linux machine then you will run it with more default settings, so dmesg will be for sysadm_t only and you will have a different Unix UID for each user.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
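The existence probe Russell describes above (creat() on a suspected name in a directory whose listing you are denied) as an added example; this is not code from the thread or from the SE Linux project. It stands in for an SE Linux "read denied on the directory" with plain DAC permissions: a directory under /tmp is set to mode 0300 (write and search, no read), so opendir()/readdir() is refused to an ordinary user while open() with O_CREAT|O_EXCL still reports EEXIST for a name that is taken. The directory and file names are constructed for the demonstration only; O_EXCL is used instead of a bare creat() so the probe cannot clobber an existing file.

```c
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of probing a single path name. */
enum probe_result { PROBE_ABSENT = 0, PROBE_EXISTS = 1, PROBE_ERROR = 2 };

/* Probe whether `path` exists using only write+search permission on its
 * directory (no read, so no readdir). O_CREAT|O_EXCL fails with EEXIST when
 * the name is taken; when it is free the file is created and removed again. */
enum probe_result probe_exists(const char *path)
{
    int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd >= 0) {
        close(fd);
        unlink(path);
        return PROBE_ABSENT;
    }
    return (errno == EEXIST) ? PROBE_EXISTS : PROBE_ERROR;
}

/* 1 if readdir() on `dir` is permitted, 0 if opendir() is refused. */
int dir_listable(const char *dir)
{
    DIR *d = opendir(dir);
    if (d == NULL)
        return 0;
    closedir(d);
    return 1;
}

/* Build the scenario and run both probes. Returns a bitmask:
 *   bit 0: the secret file was detected by the O_EXCL probe
 *   bit 1: a name that does not exist was correctly reported absent
 *   bit 2: the directory could be listed (0 for an ordinary user; root
 *          bypasses DAC, so root sees 1 here)
 * Returns -1 if the scenario could not be created. The paths are
 * hypothetical names constructed under /tmp for this demonstration. */
int demo_leak(void)
{
    char dir[64], secret[96], decoy[96];
    int result = 0;

    snprintf(dir, sizeof dir, "/tmp/readdir_probe_%ld", (long)getpid());
    snprintf(secret, sizeof secret, "%s/abc", dir);
    snprintf(decoy, sizeof decoy, "%s/not-there", dir);

    if (mkdir(dir, 0700) != 0)
        return -1;
    int fd = open(secret, O_CREAT | O_WRONLY, 0600);
    if (fd < 0) {
        rmdir(dir);
        return -1;
    }
    close(fd);

    /* Drop read permission: "ls" is now denied, but name lookup and
     * creation still work, which is exactly the gap the thread describes. */
    chmod(dir, 0300);

    if (dir_listable(dir))
        result |= 4;
    if (probe_exists(secret) == PROBE_EXISTS)
        result |= 1;
    if (probe_exists(decoy) == PROBE_ABSENT)
        result |= 2;

    /* Restore permissions and remove the scenario. */
    chmod(dir, 0700);
    unlink(secret);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo_leak();
    if (r < 0) {
        perror("demo_leak");
        return 1;
    }
    printf("directory listable : %s\n", (r & 4) ? "yes" : "no (readdir denied)");
    printf("secret detected    : %s\n", (r & 1) ? "yes (EEXIST)" : "no");
    printf("decoy reported gone: %s\n", (r & 2) ? "yes" : "no");
    return 0;
}
```

Run it as an unprivileged user to see the asymmetry: the listing is refused, yet the probe still says whether /tmp/readdir_probe_PID/abc exists. This is why denying read on the directory alone does not hide names from a caller who can create files there; an SE Linux policy that grants write but not read on a directory has the same property, and hiding names properly needs per-subject directory views rather than a permit/deny bit.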