On 07/07/11 20:42, Ilya Bakulin wrote:
Hi hackers,
As a part of ongoing effort to enhance usage of Capsicum in FreeBSD base
system, I want to ask you, which applications in the base system should
receive sandboxing support.
So far, the following applications were sandboxed during initial
Capsicum research project:
sshd: critical system service run by root;
gzip: utility that operates with potentially buggy compression code
tcpdump: contains complex packet-parsing code, run by root;
I have added sandboxing to syslogd, because this is also a critical
system service run by root.
I'm also going to add sandboxing to xz (compression algorithms) and ntpd
(critical system service run by root).
The question is: which applications should also be processed? I think
that the most wanted candidates are SUID programs and/or popular network
daemons.
But looking at gzip example I also think about text-processing tools in
general.
At the moment I prefer not to focus on applications that are used only
on desktop system -- primary usage of FreeBSD is ultra-reliable serving
platform, although iXSystems guys may correct me :-)
I'm not too familiar with the operation of capsicum, but in general
anything with untrusted (including in many cases user) input can be
worth sandboxing, especially in a server environment. Obviously server
processes themselves are often worth restricting to things like jails or
vms etc., so sandboxing could be an alternative.
I can also see cases where interpreters, database server software, and
file viewers/editors could be sandboxed to prevent exploits from
"running away" with the system via the exploited process. Especially in
server environment, 'sudo less /var/log/<evillogwithlessexploit>' and
kablooey. Admins may have to run "user" software, or non suid,
executables which nonetheless receive the admin's elevated permissions.
Call them usid, user set id, I suppose. Not the best, but it happens,
especially when things need to work an hour ago.
A few ideas along those lines:
-any server software
-any interpreter (perl, python, etc)?
-any shell?...
minicom
wget
curl
netcat
links/lynx
Can it be made a switch on sudo?
sudo --sandbox=someprofile,option tcpdump -tti pflog0
Hopefully I'm not missing the boat and these ideas are applicable :)
Matt
_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"
