Domain: bpfh.net
Stories and comments across the archive that link to bpfh.net.
Comments · 22
-
Re:Why use FreeBSD when you can use Linux?
My thoughts on FreeBSD vs Linux... FreeBSD chroot jails are more secure than Linux chroot jails. Even says so in the Ubuntu man pages: http://manpages.ubuntu.com/manpages/jaunty/man2/chroot.2.html
http://www.bpfh.net/simes/computing/chroot-break.html
FreeBSD also has kernel-level virtualized jails which are far more secure than chroot jails, and a virtual network stack for jails is right around the corner (vimage/vnet). Then there's also the kernel securelevel, extended attributes/ACLs, TrustedBSD/MAC, and pf/ALTQ which is far superior to iptables. BSD has really been leading Linux in the area of security--Linux is more focused on spreading GPL and getting the media wheel on your USB keyboard to work.
I would say that Linux has much more diverse hardware support and more complete support for cutting-edge whiz-bangs and desktop gadgets like sound cards and webcams--although current FreeBSD is not too far behind. Meanwhile, FreeBSD is focused on powerful features for administration and for servers, such as jails, pf, ZFS, netgraph, GEOM framework, HAST replication, CARP failover, consistent integration of kernel and userland, consistent interface for startup scripts, the ports system and repository, etc.
Of course FreeBSD has the better license without question.
I think the clear choice for security and network related infrastructure is always a BSD box. The only times I choose Linux are when I'm forced to, such as installing to embedded hardware or using as a desktop/workstation.
-
Station wagon full of tapes
-
Re:Japan Broadband = Dense population
Bah humbug. I can't see how to PM @ /. - So I'll just reply here. BSD appears to be different, but on most unices http://www.bpfh.net/simes/computing/chroot-break.html
-
Re:And I would pay for that.
How much licensing revenue do content producers get per user per month from all radio stations radio listened to by the upper 1/3 of listeners + amount of revenue from purchased CD's, discounting production costs?
Seems to me like they should be able to break down using surveys how much money they should charge.
Another possibility is that instead of p2p or CDs, ship hard drives back & forth to users. Update what's on the hard drive with related songs. This falls under the category of "Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway"
See the hilarious Mad Max version at the bottom of http://www.bpfh.net/sysadmin/never-underestimate-bandwidth.html
-
securing chroots via setuid (with only 1 "e")
If you execute chroot() and then a seteuid(uid) where uid>0, then you prevent a hole/bug in your program from being exploited in a way that will allow file access/execution outside the chroot. That *is* a security advantage.
According to the page about breaking out of chroot linked from the discussion, the seteuid() is not effective because the process still has a real UID of 0 and can call seteuid(0) at any time.
So don't use seteuid--use setuid (without the "e"); this is what the article that you just cited indicates:
If this [setuid to non-root] is done there should be no way to gain root privileges unless an attacker uses something within the chroot() jail to gain those privileges.
-
Re:Are they serious?
If you execute chroot() and then a seteuid(uid) where uid>0, then you prevent a hole/bug in your program from being exploited in a way that will allow file access/execution outside the chroot. That *is* a security advantage.
According to the page about breaking out of chroot linked from the discussion, the seteuid() is not effective because the process still has a real UID of 0 and can call seteuid(0) at any time.
You can create a chroot without any directories with mode 7771 privileges (a la /tmp), that is free of any setuid binaries, and without "useful" utilities like wget or curl that can make exploiting the system child's play. If your program runs inside of a chroot as a non-root user, and your chroot has no setuid binaries, and your kernel has no privilege escalation vulns, then you can be reasonably sure that nobody will break the chroot or achieve privilege escalation.
I'd agree, but it sounds like doing this is nearly impossible in practice. Others in the linked article suggested jail() on *BSD or vserver on Linux are tools actually designed for security even when privilege escalation is possible.
-
Duh.
This isn't news.
For those of you who weren't aware how easy it can be to break out of most chroots, here's a good description of a common process:
http://www.bpfh.net/simes/computing/chroot-break.html
-
Oblig.
Never underestimate the bandwidth of a station wagon...
Still very much applies today.
Ryan Fenton
-
Re:Remote, what about stealth installations
If you have root privileges, chroot is pointless. You can easily break out.
-
I can beat that
Add this to your zonefile, nudge the counter and refresh:
* IN A your.ip.addr.ess
Add this to your Apache config file:
UseCanonicalName Off
RewriteEngine on
# Define a map named "lowercase" backed by the internal tolower function
RewriteMap lowercase int:tolower
# Prefix the request path with the lowercased server name (referenced by map name)
RewriteRule ^(.+)$ ${lowercase:%{SERVER_NAME}}$1
RewriteRule ^w+\.(.+)$ $1
RewriteRule ^(.+)$ /var/www/virtual/$1 [L]
Now all you need to do to add a new web service is make a new folder at /var/www/virtual/name.of.server and drop the website into it. Hooh, that's tough!
The rewrite also strips off leading w's-plus-dot, so http://www.fredsden.com/, http://ww.fredsden.com/ and http://fredsden.com/ all map to /var/www/virtual/fredsden.com (as a side-effect, visitors who mis-type one too many or too few w's still get served a page).
I'd pay good money to see you implement that in any type of Microsoft GUI tool, other than as a special case (i.e. a facility which was coded into a GUI to do specifically this one task).
It's a very simple change to do stuff like put the main website in /var/www/virtual/name.of.server and assume everything else is a username, to be fetched from /var/www/users/name.of.server/$USER
Also, if some MCSE hands you a website that's case-blind (e.g. links in the text say Data/ThisFile.htm but the file is called Data/thisfile.HTM) you can use a find-plus-tr one-line script to lowercase all of the actual filenames in the file tree, then change the second-last RewriteRule to also lowercase each incoming HTTP request (only up to the first "?" if there is one) to match.
-
Re:Is it an eeevil slogan?
Well, the whole UUCP mechanism was developed over time. Allowing dial-up access between machines to transport big bunchlets of email and what-not.
But in the early days, most UNIX software was transported around on tape. Proverbially in the back of station wagons.
-
A true Moron Confused by Sun Equipment
From Moe and Curly's Software Emporium no less!
-
Re:process privs
No, Windows doesn't have chroot(), largely because of the legacy of drive letters, which means we don't have a single controllable root on Windows.
But chroot is really just a nifty short cut for restricting file system access - meaning you're probably using root for your process - bad. And it certainly isn't unbreakable if you're using root for your processes. ACLs can achieve the same effect, but with more work for the Admin.
I agree that 98% of Windows boxes are not adequately secured. My guess is that 85% of Linux boxes are also not adequately secured. I think XP SP2 and Server 2003 are great steps in the right direction toward good default configurations. I think Automatic Windows Update is a huge part of the solution. I think Windows app developers need to be flogged when Admin rights are required to run their app.
-
Re:Risk assessment
That's why I said "or your favorite buffer overflow exploit"; I just picked HTTP for an example because it's one of the better-known cases. My point is that "local" vulnerabilities become remote ones when paired with buffer overflows in programs accepting remote input.
Besides, you can break out of a chroot jail.
-
It's "A station wagon full of..."
["Never underestimate the bandwidth of a vanload of tapes barrelling down the highway"]
I've seen this a couple times before, but Google seems to come up with nothing useful for it.
That's because the original is "station wagon" (or "stationwagon"). Another common variant is "a 747 full of...". See e.g. this story
And no, it's certainly not Tanenbaum 1996; it was (IIRC) mentioned in Bentley's "Programming Pearls" CACM column/book in the 1980s. It's unclear that anything original can be attributed to Tanenbaum (okay, that's flamebait, but Tanenbaum irritates me).
-
BPFH - "Windows 98 ate my wife's PC"
http://www.bpfh.net/microsoft/win98-ate-pc/
For all the pictures of burnt-out and gunk-filled hardware you could ever want.
-
site is /.'ed
So as I can't comment on the article itself I thought that it might be mentioning that chroots are good but not infallible. If someone can get root permission inside a chroot you can break out
Rus
-
Re:Well...
-
chmod is nice...
But, it's not perfect. As stated by another user, it's the equivalent of putting 10 padlocks on the door, but leaving the window wide open. Here is an article about how easy it is to break chroot in a CGI based server.
So, while chroot may be good, do not rely on it solely for security.
-
That's neat
Though it seems like a virtual system, a chroot cell is not totally virtual, and there can still be plenty of compromises.
Like usual, all you need is access to a compiler, and you can make a jailbreak. In fact, there's a whole guide to it here:
http://www.bpfh.net/simes/computing/chroot-break.html
If the whole jail resided in its own actual virtual Linux machine, where nasty things cannot break the account, just the session, they would be quite a bit more effective.
-
Really old quote
"Never underestimate the bandwidth of a station wagon full of tapes" - SysAdmin humor
-
Re:MSCE what it really means.
I heard somewhere that MCSE was an abbreviation for Minesweeper Consultant and Solitaire Expert.
There are a few others here as well.
Definitions of MCSE