Bugtraq mailing list archives

Re: Tightening up SunOS 5.4 (was Re: Hardened OS)


From: proff () suburbia net (Julian Assange)
Date: Thu, 2 Nov 1995 16:21:50 +1100


> If anyone got onto a firewall set up like this, it is simple to compile a binary
> offsite to suit the architecture, static if necessary, import it, run it,
> and then have that binary act as a personal ftp/shell/port login process.
>
> Have a nice day
> Mark
> mark () lochard com au

I modified our kernel to do trust circles (mainly mods to exec.c) quite
some time ago. To put it simply, only binaries that are neither group nor
world writable, owned by "trusted" users (root, etc.) and located in
trusted-user-owned directories can be executed. This goes for #! expansion
as well. If, however, a user is in the "exec" group then they can execute
their own binaries. Bypassing this system requires the privileges of the
trusted user or root. Using a flaw to create, or finding, a group or world
writable file owned by a trusted user and placing your code into it
will not work, unless you can turn off the group/world write permission
afterwards. Attempted trust violations are klogged.

Every time the latest IFS (etc) style "execute my code now", kernel call bug
or race condition is found, I amuse myself by watching the frustration of
people trying to exploit it.

The reason the directory in which the trusted binary lies must also be trusted
is that one can do things like:

$ cd /tmp
$ ln /sbin/reboot usr
$ export IFS=/
$ neil+karl_food -y

--
+----------------------------------+-----------------------------------------+
|Julian Assange                    | "if you think the United  States has    |
|FAX: +61-3-9819-9066              |  stood still, who built the largest     |
|EMAIL: proff () suburbia net         |  shopping centre in the world?" - Nixon |
+----------------------------------+-----------------------------------------+
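The following is an added example, not Assange's exec.c modification or any code from the thread: a user-space C model of the trust-circle policy the post describes, so the rules can be tried against real files. It assumes the trusted uid list is supplied by the caller, the "exec" group exemption is a flag the caller sets (and lets members run files they own without the directory check), and a #! interpreter is followed one level deep. The demo_case() fixture builder and the EXEC_* verdict names are this example's own; the fixture is created under $TMPDIR (or /tmp) and owned by the running uid, which stands in for a "trusted" user.

```c
/* Added example: user-space model of the "trust circle" exec check described
 * in the post. Not the kernel code from the thread; assumptions are noted inline. */
#include <fcntl.h>
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum { EXEC_OK = 0, EXEC_DENY_OWNER, EXEC_DENY_WRITABLE, EXEC_DENY_DIR_OWNER,
       EXEC_DENY_DIR_WRITABLE, EXEC_DENY_INTERP, EXEC_ERR };

static int uid_trusted(uid_t uid, const uid_t *trusted, size_t n)
{
    for (size_t i = 0; i < n; i++) if (trusted[i] == uid) return 1;
    return 0;
}

/* One object passes if owned by a trusted uid and not group/world writable. */
static int object_ok(const char *path, const uid_t *trusted, size_t n, int is_dir)
{
    struct stat st;
    if (stat(path, &st) != 0) return EXEC_ERR;
    if (!uid_trusted(st.st_uid, trusted, n))
        return is_dir ? EXEC_DENY_DIR_OWNER : EXEC_DENY_OWNER;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return is_dir ? EXEC_DENY_DIR_WRITABLE : EXEC_DENY_WRITABLE;
    return EXEC_OK;
}

/* If the file starts with "#!", copy the interpreter path into out; else -1. */
static int read_interp(const char *path, char *out, size_t outlen)
{
    char buf[256]; size_t i = 2, j = 0; ssize_t n;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n < 2 || buf[0] != '#' || buf[1] != '!') return -1;
    buf[n] = '\0';
    while (buf[i] == ' ' || buf[i] == '\t') i++;
    while (buf[i] && buf[i] != ' ' && buf[i] != '\t' && buf[i] != '\n' && j + 1 < outlen)
        out[j++] = buf[i++];
    out[j] = '\0';
    return j ? 0 : -1;
}

static int check(const char *path, const uid_t *trusted, size_t nt,
                 int in_exec_group, uid_t caller, int depth)
{
    struct stat st; char dirbuf[4096], interp[256]; int rc;
    if (depth > 1) return EXEC_DENY_INTERP;           /* no interpreter chains */
    if (stat(path, &st) != 0) return EXEC_ERR;
    /* Assumption: "exec" group members may run files they own, nothing else changes. */
    if (!(in_exec_group && st.st_uid == caller)) {
        if ((rc = object_ok(path, trusted, nt, 0)) != EXEC_OK) return rc;
        snprintf(dirbuf, sizeof dirbuf, "%s", path);   /* "usr" in cwd -> "." */
        if ((rc = object_ok(dirname(dirbuf), trusted, nt, 1)) != EXEC_OK) return rc;
    }
    /* #! expansion: the interpreter is what really runs, so it must pass too. */
    if (read_interp(path, interp, sizeof interp) == 0 &&
        check(interp, trusted, nt, in_exec_group, caller, depth + 1) != EXEC_OK)
        return EXEC_DENY_INTERP;
    return EXEC_OK;
}

int exec_allowed(const char *path, const uid_t *trusted, size_t nt, int in_exec_group, uid_t caller)
{
    return check(path, trusted, nt, in_exec_group, caller, 0);
}

static int write_file(const char *path, const char *content, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    if (write(fd, content, strlen(content)) < 0) { close(fd); return -1; }
    close(fd);
    return chmod(path, mode);   /* explicit chmod so umask cannot interfere */
}

/* Hypothetical fixture: builds one constructed case under $TMPDIR and returns the verdict.
 * The running uid plays the trusted user; cases 4 and 5 use an empty trust set. */
int demo_case(int which)
{
    char dir[256], sub[300], file[320], interp[320], shebang[400];
    uid_t me = getuid(), trusted[] = { 0, me };
    size_t nt = sizeof trusted / sizeof trusted[0];
    const char *tmp = getenv("TMPDIR");
    int rc;
    snprintf(dir, sizeof dir, "%s/trustXXXXXX", tmp ? tmp : "/tmp");
    if (!mkdtemp(dir)) return EXEC_ERR;               /* 0700, owned by us */
    snprintf(file, sizeof file, "%s/bin", dir);
    snprintf(sub, sizeof sub, "%s/open", dir);
    snprintf(interp, sizeof interp, "%s/interp", dir);
    switch (which) {
    case 0: write_file(file, "binary", 0755); rc = exec_allowed(file, trusted, nt, 0, me); break;
    case 1: write_file(file, "binary", 0775); rc = exec_allowed(file, trusted, nt, 0, me); break;
    case 2: /* good binary sitting in a world-writable directory, like "usr" in /tmp */
        mkdir(sub, 0700); chmod(sub, 0777);
        snprintf(file, sizeof file, "%s/bin", sub);
        write_file(file, "binary", 0755); rc = exec_allowed(file, trusted, nt, 0, me); break;
    case 3: /* #! script whose interpreter is group writable */
        write_file(interp, "binary", 0775);
        snprintf(shebang, sizeof shebang, "#!%s\necho hi\n", interp);
        write_file(file, shebang, 0755); rc = exec_allowed(file, trusted, nt, 0, me); break;
    case 4: write_file(file, "binary", 0755); rc = exec_allowed(file, trusted, 0, 0, me); break;
    case 5: write_file(file, "binary", 0755); rc = exec_allowed(file, trusted, 0, 1, me); break;
    default: rc = EXEC_ERR;
    }
    unlink(file); unlink(interp); rmdir(sub); rmdir(dir);
    return rc;
}

int main(void)
{
    static const char *name[] = { "OK", "DENY_OWNER", "DENY_WRITABLE", "DENY_DIR_OWNER",
                                  "DENY_DIR_WRITABLE", "DENY_INTERP", "ERR" };
    for (int i = 0; i < 6; i++) printf("case %d: %s\n", i, name[demo_case(i)]);
    return 0;
}
```

Case 2 is the IFS trick from the post: the linked binary itself is root-owned and mode-clean, but its directory is not trusted, so the check refuses it; case 3 shows why #! expansion has to be covered, since a clean script can still hand control to a writable interpreter.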

