From mtasaka at ioa.s.u-tokyo.ac.jp Wed Jan 14 16:04:33 2009
From: mtasaka at ioa.s.u-tokyo.ac.jp (Mamoru Tasaka)
Date: Thu, 15 Jan 2009 01:04:33 +0900
Subject: Security reviews for new packages
Message-ID: <496E0D11.6050805@ioa.s.u-tokyo.ac.jp>

Jason L Tibbitts III wrote, at 11/12/2008 12:51 AM +9:00:
> I do many package reviews, and occasionally I see a package that is
> fine packaging-wise but which I don't feel comfortable approving
> because I know it has security implications. One such package is
> schroot, which has some pam magic to allow users to set up chroots.
> https://bugzilla.redhat.com/show_bug.cgi?id=447368
>
> It's quite possible that I'm simply being overly paranoid, but of
> course I'm not qualified to say one way or the other. Is it possible
> for someone with more knowledge in this area to take a look at the
> package? What would be needed? (Perhaps a scratch build, or are the
> src.rpm and spec sufficient?)
>
> Could we work out a simple procedure for doing this in the future?
>
> - J<

Some days ago my potential sponsornee submitted a review request, which
(according to the explanation) uses chroot() and has some setuid binaries.
I guess I can do "basic" reviews also required for other packages, however
for security matters I really appreciate any help from anyone who knows how
to deal with security issues.
https://bugzilla.redhat.com/show_bug.cgi?id=479546
- Jailkit limits user accounts to specific files and/or commands

Regards,
Mamoru

From tibbs at math.uh.edu Wed Jan 14 16:11:36 2009
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: 14 Jan 2009 10:11:36 -0600
Subject: Security reviews for new packages
In-Reply-To: <496E0D11.6050805@ioa.s.u-tokyo.ac.jp>
References: <496E0D11.6050805@ioa.s.u-tokyo.ac.jp>

>>>>> "MT" == Mamoru Tasaka writes:

MT> I guess I can do "basic" reviews also required for other packages,
MT> however for security matters I really appreciate any help from anyone
MT> who knows how to deal with security issues.

Well, my request didn't result in any assistance, so I'm not terribly
optimistic about being able to do this more generally. I'm just going
to review security-sensitive packages as well as I can and make a note
here when I'm doing it. If one of these packages later turns up with a
major exploit and someone wants to flame me for not blocking on more
serious security review, I suppose they're welcome to pound sand.

- J<

From rcrdrolim at gmail.com Mon Jan 26 03:14:10 2009
From: rcrdrolim at gmail.com (Ricardo Rolim)
Date: Mon, 26 Jan 2009 00:14:10 -0300
Subject: Library address randomization
Message-ID: <7b839ae10901251914i3e9bf946u628d7ab95dbba421@mail.gmail.com>

Hi there,

Apparently I'm not getting library address randomization for any
programs (compiled or not as PIE). Whereas the binary itself, stack
and heap are randomly getting their addresses changed from one
execution to the next, the library stands still at a predictable
location. Strangely enough I've got the expected results out of Ubuntu
8.10.
Here's one example:

[ricardo at localhost ~]$ cat /proc/sys/kernel/randomize_va_space
2
[ricardo at localhost ~]$ cat /proc/sys/kernel/exec-shield
1
[ricardo at localhost ~]$ echo 'int main(){}' > dummy.c
[ricardo at localhost ~]$ gcc -fpie -pie -o dummy dummy.c
[ricardo at localhost ~]$ ldd dummy
        linux-gate.so.1 =>  (0x00130000)
        libc.so.6 => /lib/libc.so.6 (0x00133000)
        /lib/ld-linux.so.2 (0x00110000)
[ricardo at localhost ~]$ ldd dummy
        linux-gate.so.1 =>  (0x00130000)
        libc.so.6 => /lib/libc.so.6 (0x00133000)
        /lib/ld-linux.so.2 (0x00110000)

Am I missing something? This is the third mailing list that I'm
trying. Thanks a lot :)

From lists at michel-messerschmidt.de Mon Jan 26 19:33:43 2009
From: lists at michel-messerschmidt.de (Michel Messerschmidt)
Date: Mon, 26 Jan 2009 20:33:43 +0100
Subject: Library address randomization
In-Reply-To: <7b839ae10901251914i3e9bf946u628d7ab95dbba421@mail.gmail.com>
References: <7b839ae10901251914i3e9bf946u628d7ab95dbba421@mail.gmail.com>
Message-ID: <20090126193343.GD5712@koshi.matrix>

On Mon, Jan 26, 2009 at 12:14:10AM -0300, Ricardo Rolim wrote:
> Am I missing something? This is the third mailing list that I'm
> trying. Thanks a lot :)

Have you tried adding vdso=1 as kernel boot parameter?
See Documentation/kernel-parameters.txt in the kernel source for details.

From peak at argo.troja.mff.cuni.cz Wed Jan 28 17:21:10 2009
From: peak at argo.troja.mff.cuni.cz (Pavel Kankovsky)
Date: Wed, 28 Jan 2009 18:21:10 +0100 (CET)
Subject: Library address randomization
In-Reply-To: <7b839ae10901251914i3e9bf946u628d7ab95dbba421@mail.gmail.com>
Message-ID: <20090128181948.31F4.0@paddy.troja.mff.cuni.cz>

On Mon, 26 Jan 2009, Ricardo Rolim wrote:

> Apparently I'm not getting library address randomization for any
> programs (compiled or not as PIE).
> Whereas the binary itself, stack
> and heap are randomly getting their addresses changed from one
> execution to the next, the library stands still at a predictable
> location.

Is sysctl kernel.randomize_va_space set to 1?
Are the libraries prelinked? Have you tried prelink -u?

--
Pavel Kankovsky aka Peak                          / Jeremiah 9:21        \
"For death is come up into our MS Windows(tm)..." \ 21th century edition /

From davej at redhat.com Wed Jan 28 18:06:28 2009
From: davej at redhat.com (Dave Jones)
Date: Wed, 28 Jan 2009 13:06:28 -0500
Subject: Library address randomization
In-Reply-To: <7b839ae10901251914i3e9bf946u628d7ab95dbba421@mail.gmail.com>
References: <7b839ae10901251914i3e9bf946u628d7ab95dbba421@mail.gmail.com>
Message-ID: <20090128180628.GA2036@redhat.com>

On Mon, Jan 26, 2009 at 12:14:10AM -0300, Ricardo Rolim wrote:
> Hi there,
>
> Apparently I'm not getting library address randomization for any
> programs (compiled or not as PIE). Whereas the binary itself, stack
> and heap are randomly getting their addresses changed from one
> execution to the next, the library stands still at a predictable
> location. Strangely enough I've got the expected results out of Ubuntu
> 8.10. Here's one example:
>
> [ricardo at localhost ~]$ cat /proc/sys/kernel/randomize_va_space
> 2
> [ricardo at localhost ~]$ cat /proc/sys/kernel/exec-shield
> 1
> [ricardo at localhost ~]$ echo 'int main(){}' > dummy.c
> [ricardo at localhost ~]$ gcc -fpie -pie -o dummy dummy.c
> [ricardo at localhost ~]$ ldd dummy
>         linux-gate.so.1 =>  (0x00130000)
>         libc.so.6 => /lib/libc.so.6 (0x00133000)
>         /lib/ld-linux.so.2 (0x00110000)
> [ricardo at localhost ~]$ ldd dummy
>         linux-gate.so.1 =>  (0x00130000)
>         libc.so.6 => /lib/libc.so.6 (0x00133000)
>         /lib/ld-linux.so.2 (0x00110000)

What kernel version are you running? Kyle fixed up some of this code last week.
Dave

--
http://www.codemonkey.org.uk

From rcrdrolim at gmail.com Wed Jan 28 22:19:29 2009
From: rcrdrolim at gmail.com (Ricardo Rolim)
Date: Wed, 28 Jan 2009 19:19:29 -0300
Subject: Library address randomization
In-Reply-To: <20090128180628.GA2036@redhat.com>
References: <7b839ae10901251914i3e9bf946u628d7ab95dbba421@mail.gmail.com>
        <20090128180628.GA2036@redhat.com>
Message-ID: <459974dc0901281419m101bfd7lbf815590167fd55e@mail.gmail.com>

Hey Dave (and Kyle), thank you very much!

The new kernel (2.6.27.12-170.2.5.fc10.i686) fixed up that problem. PIEs
are again getting their libraries' addresses randomized no matter if
these libraries are prelinked or not; and non-PIEs are getting these
libraries randomized when they are not prelinked.

Best regards,
Ricardo

From hybridjeffbarnes at sbcglobal.net Thu Jan 29 19:26:24 2009
From: hybridjeffbarnes at sbcglobal.net (Jeff Barnes)
Date: Thu, 29 Jan 2009 13:26:24 -0600
Subject: Security outside of SElinux?
Message-ID: <1233257184.8549.10.camel@livingroom>

Are there commands with this functionality in Fedora?
If not what would it take to make them happen in general?
Reasons would be ease of security application and another reason is
that Enterprise has restrictions on altering SElinux policies
which affect warranty. If this functionality were a logic binary AND
with SELinux then we would not ever need to change default SElinux
policies.
________________________________________________________________
/sbin/PORTS_ALLOW_FOR_USER username list of ports
/sbin/PORTS_DENY_FOR_USER username list of ports
/sbin/LIST_ALLOWED_PORTS_FOR_USER username

/sbin/PORTS_ALLOW_FOR_FILE filename list of ports
/sbin/PORTS_DENY_FOR_FILE filename list of ports
/sbin/LIST_ALLOWED_PORTS_FOR_FILE filename

/sbin/PORTS_ALLOW_FOR_PROCESS processID list of ports
/sbin/PORTS_DENY_FOR_PROCESS processID list of ports
/sbin/LIST_ALLOWED_PORTS_FOR_PROCESS processID
___________________________________________________________________________
/sbin/PRIVILEGES_ALLOW_FOR_USER username list_of_privileges_or_levels
/sbin/PRIVILEGES_DENY_FOR_USER username list_of_privileges_or_levels
/sbin/LIST_ALLOWED_PRIVS_FOR_USER username list_of_privileges_or_levels

/sbin/PRIVILEGES_ALLOW_FOR_FILE filename list_of_privileges
/sbin/PRIVILEGES_DENY_FOR_FILE filename list_of_privileges
/sbin/LIST_ALLOWED_PRIVILEGES_FOR_FILE filename

/sbin/PRIVILEGES_ALLOW_FOR_PROCESS processnameID list_of_privileges
/sbin/PRIVILEGES_DENY_FOR_PROCESS processnameID list_of_privileges
/sbin/LIST_ALLOWED_PRIVILEGES_FOR_PROCESS processID
_____________________________________________________________________________

From bruno at wolff.to Thu Jan 29 21:18:09 2009
From: bruno at wolff.to (Bruno Wolff III)
Date: Thu, 29 Jan 2009 15:18:09 -0600
Subject: Security outside of SElinux?
In-Reply-To: <1233257184.8549.10.camel@livingroom>
References: <1233257184.8549.10.camel@livingroom>
Message-ID: <20090129211809.GC16582@wolff.to>

On Thu, Jan 29, 2009 at 13:26:24 -0600,
  Jeff Barnes wrote:
> Are there commands with this functionality in Fedora?
> If not what would it take to make them happen in general?
> Reasons would be ease of security application and another reason is
> that Enterprise has restrictions on altering SElinux policies
> which affect warranty. If this functionality were a logic binary AND
> with SELinux then we would not ever need to change default SElinux
> policies.
iptables has an extension that allows you to filter on uids or gids.
For processes or files I think you want to use selinux.

> ________________________________________________________________
> /sbin/PORTS_ALLOW_FOR_USER username list of ports
> /sbin/PORTS_DENY_FOR_USER username list of ports
> /sbin/LIST_ALLOWED_PORTS_FOR_USER username
>
> /sbin/PORTS_ALLOW_FOR_FILE filename list of ports
> /sbin/PORTS_DENY_FOR_FILE filename list of ports
> /sbin/LIST_ALLOWED_PORTS_FOR_FILE filename
>
> /sbin/PORTS_ALLOW_FOR_PROCESS processID list of ports
> /sbin/PORTS_DENY_FOR_PROCESS processID list of ports
> /sbin/LIST_ALLOWED_PORTS_FOR_PROCESS processID
> ___________________________________________________________________________
> /sbin/PRIVILEGES_ALLOW_FOR_USER username list_of_privileges_or_levels
> /sbin/PRIVILEGES_DENY_FOR_USER username list_of_privileges_or_levels
> /sbin/LIST_ALLOWED_PRIVS_FOR_USER username list_of_privileges_or_levels
>
> /sbin/PRIVILEGES_ALLOW_FOR_FILE filename list_of_privileges
> /sbin/PRIVILEGES_DENY_FOR_FILE filename list_of_privileges
> /sbin/LIST_ALLOWED_PRIVILEGES_FOR_FILE filename
>
> /sbin/PRIVILEGES_ALLOW_FOR_PROCESS processnameID list_of_privileges
> /sbin/PRIVILEGES_DENY_FOR_PROCESS processnameID list_of_privileges
> /sbin/LIST_ALLOWED_PRIVILEGES_FOR_PROCESS processID
> _____________________________________________________________________________
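Bruno's iptables owner match, worked into the PORTS_*_FOR_USER shape Jeff proposed, as an added example that is not code from any post in this thread or from Fedora. It assumes iptables with the owner and multiport extensions; the function names and the IPT variable are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: Jeff's PORTS_ALLOW/DENY/LIST_FOR_USER
# commands built on the iptables owner match Bruno mentions. The owner
# match only exists for locally generated traffic, so this lives in the
# OUTPUT chain and controls which TCP ports a user's processes may connect
# to; it cannot restrict what they listen on. Set IPT=echo to print the
# rules instead of applying them (applying needs root).
IPT=${IPT:-iptables}

# Validate TCP ports (1-65535) and join them for -m multiport; 1 on bad input.
port_list() {
    out=""
    for p in "$@"; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
        out="${out:+$out,}$p"
    done
    printf '%s\n' "$out"
}

# Resolve a user name to a uid so rules and listings agree (iptables
# stores the numeric id even when given a name).
user_id() {
    id -u "$1" 2>/dev/null
}

# PORTS_ALLOW_FOR_USER: accept only the listed ports, reject other TCP.
ports_allow_for_user() {   # $1 = user, $2.. = ports
    uid=$(user_id "$1") || return 1; shift
    ports=$(port_list "$@") || return 1
    $IPT -A OUTPUT -m owner --uid-owner "$uid" -p tcp -m multiport --dports "$ports" -j ACCEPT &&
    $IPT -A OUTPUT -m owner --uid-owner "$uid" -p tcp -j REJECT
}

# PORTS_DENY_FOR_USER: reject only the listed ports, leave the rest alone.
ports_deny_for_user() {
    uid=$(user_id "$1") || return 1; shift
    ports=$(port_list "$@") || return 1
    $IPT -A OUTPUT -m owner --uid-owner "$uid" -p tcp -m multiport --dports "$ports" -j REJECT
}

# LIST_ALLOWED_PORTS_FOR_USER: show the OUTPUT rules bound to the user's uid.
list_ports_for_user() {
    uid=$(user_id "$1") || return 1
    $IPT -S OUTPUT | grep -e "--uid-owner $uid " || true
}
```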
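For the library address randomization thread earlier in this archive, an added check that is not code from any of its posts: it samples a library's base address across fresh processes instead of running ldd twice, and folds in the prelink hint from Pavel's reply. The function names are hypothetical; it assumes a Linux /proc and the usual awk, sort and wc.

```shell
#!/bin/sh
# Added check, not from any post in the thread: does a shared library get
# a fresh base address on every execution? Each "cat /proc/self/maps" is a
# new process, so sampling its maps is the same test as running ldd twice
# but works for any dynamically linked binary, PIE or not.

# Print the start address of the first mapping whose path contains
# "/<name>." or "/<name>-" (libc.so.6, libc-2.9.so); maps text on stdin.
lib_base() {   # $1 = library name, e.g. libc
    awk -v lib="$1" '$6 ~ ("/" lib "[.-]") { split($1, a, "-"); print a[1]; exit }'
}

# Count distinct lines on stdin.
distinct_count() {
    sort -u | wc -l | tr -d ' '
}

# Print the base address of library $2 (default libc) as seen by $1 fresh processes.
sample_bases() {   # $1 = runs, $2 = library name
    i=0
    while [ "$i" -lt "$1" ]; do
        cat /proc/self/maps 2>/dev/null | lib_base "${2:-libc}"
        i=$((i + 1))
    done
}

# Report; returns 1 when every run mapped the library at the same address,
# which is what the thread saw (randomize_va_space too low, or a prelinked
# library under a non-PIE binary, as Pavel and Ricardo note).
aslr_report() {   # $1 = library name (default libc)
    lib=${1:-libc}; runs=8
    distinct=$(sample_bases "$runs" "$lib" | distinct_count)
    echo "kernel.randomize_va_space = $(cat /proc/sys/kernel/randomize_va_space 2>/dev/null || echo '?')"
    echo "distinct $lib base addresses in $runs runs: $distinct"
    if [ "$distinct" -le 1 ]; then
        echo "$lib base is NOT randomized: check randomize_va_space (want 2;"
        echo "libraries need at least 1) and whether $lib is prelinked"
        echo "(prelink -u <file> undoes it)"
        return 1
    fi
    return 0
}

aslr_report || :
```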