The development of capabilities with Linux (and some section of POSIX, if the header is to be believed) creates an opportunity for tightening security by sandboxing daemons---imapd and popd have no legitimate use for various system calls, for example. In particular, exec is fundamental to most buffer overrun shellcode and not required by many daemons.

I have a preliminary patch against Linux 2.1.115 that adds CAP_SYS_EXEC and denies exec to anyone without this capability (the first test in the function).

The idea behind this hack is that the daemon, without the need for privileges, can drop CAP_SYS_EXEC and force crackers to write new shellcode that sets up hosts.equiv or rhosts instead of the standard technique. It is easier to track down rsh than to attempt to guess which of the "normal" connections (i.e. services one expects people to use) was the cracker.

This takes modifications to not wipe out CAP_SYS_EXEC when the other capabilities are killed. Various buggy versions convince me the patch is effective (now you can log in without the shell lacking CAP_SYS_EXEC).

Any comments?

-- 
Duncan (-:
"software industry, the: unique industry where selling substandard goods is legal and you can charge extra for fixing the problems."
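Added example, not part of Duncan's post or of his patch: CAP_SYS_EXEC never entered mainline Linux, so the policy his patch describes, a daemon that gives up exec for good before it handles network input, is shown here with a seccomp-BPF filter, which is what a stock kernel (3.5 or later) offers an unprivileged process for refusing individual system calls. deny_exec() is the hypothetical daemon-side call; try_exec() forks a child so the effect can be observed without the calling process losing its own ability to exec. The constructed paths /bin/true and /nonexistent are test inputs; the unsandboxed control run needs /bin/true to exist.

```c
/* Added example, not code from the original post: CAP_SYS_EXEC was never
 * merged into Linux, so the same "this daemon may never exec" policy is
 * demonstrated with seccomp-BPF (Linux >= 3.5, no privilege needed).
 * Build: cc -Wall -o noexec noexec.c ; run: ./noexec                        */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#  define EXAMPLE_ARCH AUDIT_ARCH_X86_64
#elif defined(__i386__)
#  define EXAMPLE_ARCH AUDIT_ARCH_I386
#elif defined(__aarch64__)
#  define EXAMPLE_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* constant for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS           /* headers older than 4.14 */
#  define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Exit codes the sandboxed child reports back to its parent.  0 is what
 * /bin/true returns, i.e. what we see if exec was NOT blocked. */
enum { EXEC_SUCCEEDED = 0, EXEC_DENIED = 10, FILTER_FAILED = 11, EXEC_FAILED_OTHER = 12 };

/* Install a filter that allows every syscall except execve/execveat, which
 * fail with EPERM.  As with dropping a capability this is one-way and is
 * inherited by every child; a daemon would call it before reading input.
 * Returns 0 on success, -1 with errno set if the kernel refuses. */
int deny_exec(void)
{
    struct sock_filter filter[] = {
        /* kill on a foreign ABI so the syscall numbers below cannot be
           bypassed by, e.g., a 32-bit int 0x80 syscall on x86-64 */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXAMPLE_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* load the syscall number; both exec entry points get EPERM */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execveat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = sizeof filter / sizeof filter[0],
        .filter = filter,
    };

    /* unprivileged processes may only install filters after this */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Fork a child, optionally sandbox it, and have it exec `path`.  Returns one
 * of the codes above (or -1 if fork/wait failed) so a caller can check that
 * the sandboxed child really was refused. */
int try_exec(const char *path, int sandboxed)
{
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        if (sandboxed && deny_exec() == -1)
            _exit(FILTER_FAILED);
        char *const argv[] = { (char *)path, NULL };
        execv(path, argv);        /* only returns if the exec failed */
        _exit(errno == EPERM ? EXEC_DENIED : EXEC_FAILED_OTHER);
    }
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("no filter, /bin/true:        %d (0 = exec ran)\n", try_exec("/bin/true", 0));
    printf("deny_exec(), /bin/true:      %d (10 = EPERM)\n", try_exec("/bin/true", 1));
    printf("deny_exec(), missing binary: %d (10 = EPERM before any path lookup)\n",
           try_exec("/nonexistent", 1));
    return 0;
}
```

Two points worth noticing when running it. The filter answers before the kernel looks at the path, so even a binary that does not exist is refused with EPERM rather than ENOENT, which is the behaviour one wants from a "no exec, ever" rule. And, exactly as the post anticipates, the restriction only removes the exec step from shellcode: payloads that write to rhosts-style files or reuse the existing socket are untouched, so the filter is a way of forcing a noisier attack, not of preventing one.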