Kurt Seifried wrote:
> This raises another point of interest. Many applications do unexpected
> things, like accessing low (i.e. <1024) port numbers for no apparent reason;
> a friend of mine mentioned this after playing with gnome/etc and seeing it try
> to bind all sorts of weird ports. Obviously if a system admin is loading
> things like NTP it is quite simple (well, it should be =) to modify system
> policies to allow a process/username/whatever to adjust the system time as
> needed. On the other hand, when I see things like Gnome trying to grab <1024
> ports I think it may be a good idea to block that type of access. Generally
> speaking any program that needs to do privileged things such as setting
> system time, binding to ports <1024, etc. will be documented as needing such,
> and in any event you should have an error log to check when it doesn't work.

This observation leads me in several different directions:

* LSM is far more likely to be deployed on servers than on desktops.
* Servers are more sensitive to security intrusions.
* Desktops have more crap on them, and thus are harder to secure.
* On average, server admins are more concerned and clueful about security than desktop users.
* "Bitch mode" features (as found in SubDomain, SELinux, etc.) are a great way to detect that your nasty open sores :-) desktop software like GNOME is opening waay too many ports. It thus makes a helpful security audit tool.
* The honeypot-like features that we did *not* choose to support in LSM 1 would enable cool stuff like faking out the low ports that GNOME wants. This would help in that you could run your GNOME skank ware :-) in a kind of a sandbox where it *thinks* it is getting access to low ports, but really isn't. This gives the desktop user a more pleasant option than the two extremes of "run it and be vulnerable" or "give up using GNOME". We should add this to the bag of rationalizations for LSM 2 (in addition to audit, honeypots, and secure virtual servers).
> Otherwise what is the point of having LSM at all if we start allowing apps
> full system access (i.e. root access as is currently implemented on most
> stock unix systems)?

Don't run GNOME on your servers :-)

Crispin
--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
The Olympic Games: A Century of Corruption and Graft
The FIS: Crushing the soul of snowboarding
This archive was generated by hypermail 2b30 : Fri Jan 25 2002 - 20:02:31 PST
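The message above contrasts three ways a security module can handle a privileged request the policy does not grant (a GNOME component binding a port below 1024, say): deny it, allow it but complain so it lands in an audit log, or fake success inside a sandbox so the program thinks it got the low port. The following is an added example sketching those three modes as a small policy engine; it is not code from LSM, SubDomain, SELinux or anyone on this thread. The event format, the policy table, the sample event trace and the port-remapping scheme (handing out fake ports from 49152 upward) are all assumptions made for illustration.

```python
"""Toy model of the enforce / complain / sandbox modes discussed in the thread.

Added illustration only; not LSM, SubDomain or SELinux code.  The event
format, the policy table, the sample trace and the remapping scheme are
invented here for demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PRIVILEGED_PORT_LIMIT = 1024   # ports below this need privilege on Unix
EPHEMERAL_BASE = 49152         # first fake port the sandbox hands out (assumption)


@dataclass
class Event:
    comm: str                  # program name, e.g. "ntpd"
    op: str                    # "bind" or "settime"
    port: Optional[int] = None # only meaningful for "bind"


@dataclass
class Decision:
    event: Event
    allowed: bool
    effective_port: Optional[int]  # port the process really got (sandbox may differ)
    note: str


@dataclass
class PolicyEngine:
    # comm -> set of privileged operations the program is documented to need
    policy: Dict[str, Set[str]]
    mode: str = "enforce"          # "enforce", "complain" or "sandbox"
    audit: List[str] = field(default_factory=list)
    _next_fake: int = EPHEMERAL_BASE
    _remap: Dict[Tuple[str, int], int] = field(default_factory=dict)

    def _is_privileged(self, ev: Event) -> bool:
        if ev.op == "settime":
            return True
        if ev.op == "bind":
            return ev.port is not None and ev.port < PRIVILEGED_PORT_LIMIT
        return False

    def check(self, ev: Event) -> Decision:
        if not self._is_privileged(ev):
            return Decision(ev, True, ev.port, "unprivileged")
        if ev.op in self.policy.get(ev.comm, set()):
            return Decision(ev, True, ev.port, "permitted by policy")
        # A privileged operation the policy does not grant: behaviour depends on mode.
        msg = f"{ev.comm}: {ev.op}" + (f" port {ev.port}" if ev.port is not None else "")
        if self.mode == "enforce":
            self.audit.append("DENIED " + msg)
            return Decision(ev, False, None, "denied")
        if self.mode == "complain":
            # "Bitch mode": let it through, but make the request visible to the admin.
            self.audit.append("COMPLAIN " + msg)
            return Decision(ev, True, ev.port, "allowed, logged")
        if self.mode == "sandbox" and ev.op == "bind":
            # Honeypot-style faking: the program is told it got the low port, but is
            # really given a stable high port.  Repeat requests get the same mapping.
            key = (ev.comm, ev.port)
            if key not in self._remap:
                self._remap[key] = self._next_fake
                self._next_fake += 1
            fake = self._remap[key]
            self.audit.append(f"FAKED {msg} -> {fake}")
            return Decision(ev, True, fake, "faked low port")
        # The sandbox cannot meaningfully fake a clock change; fall back to denial.
        self.audit.append("DENIED " + msg)
        return Decision(ev, False, None, "denied")

    def run(self, events: List[Event]) -> List[Decision]:
        return [self.check(e) for e in events]


# Constructed sample trace (not a real log): ntpd and httpd are documented as
# needing privilege, gnome-panel's grab of port 631 is the unexpected request.
SAMPLE_EVENTS = [
    Event("ntpd", "settime"),
    Event("gnome-panel", "bind", 631),
    Event("gnome-panel", "bind", 631),   # retried after a restart
    Event("gnome-panel", "bind", 6000),  # ordinary high port, never privileged
    Event("httpd", "bind", 80),
]

POLICY = {"ntpd": {"settime"}, "httpd": {"bind"}}


def run_mode(mode: str):
    """Run the sample trace under one mode; return (decisions, audit log)."""
    engine = PolicyEngine(policy=POLICY, mode=mode)
    return engine.run(SAMPLE_EVENTS), engine.audit


if __name__ == "__main__":
    for mode in ("enforce", "complain", "sandbox"):
        decisions, audit = run_mode(mode)
        print(f"== {mode} ==")
        for d in decisions:
            print(f"  {d.event.comm:12} {d.event.op:8} {str(d.event.port):5} -> {d.note}")
        for line in audit:
            print("  audit:", line)
```

Run as a script it prints the per-event outcome and audit log for each mode. The point of the complain-mode log is that a single unexpected line ("COMPLAIN gnome-panel: bind port 631") is exactly the audit signal the thread describes, while the sandbox mode gives a consistent fake port to repeated requests so the program never sees its "low" port change underneath it.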