Re: Debian Stable server hacked
On Wed, 2003-08-13 at 21:00, valerian wrote:
> Well capabilities are only one of the things that grsec implements. You
> can also restrict a process to access various parts of the filesystem.
> There's no reason /usr/sbin/apache should have write access to /etc, so
> you just don't allow it.
Right, but we were discussing the scenario where the attacker is able to
execute another program, such as /bin/sh. In that case all is lost,
because the security is only associated with the executable pathname.
> You can also place restrictions based on resources (cpu, memory, etc.) and
> IP addresses as well.
Yeah, that stuff is somewhat useful, it would be cool to have it
separated from the other grsecurity ACL stuff.
> BTW, grsec (well gradm actually) has an intelligent self-learning mode
> that can help you to give a process only the minimum amount of access
> necessary to operate in. That way, even a novice sysadmin should be
> able to benefit from a higher level of security. And even for
> experienced sysadmins, it makes the process of setting up ACLs much less
I am still not convinced that the ACLs are a very strong security
measure. I would doubt that one could set up a system solely with
grsecurity ACLs and give people the root password, for example.
You can do that with SELinux.
So sure, it's easier to learn, but you get much less from it. Maybe
that's useful for some people.
> It actually does a very good job of stopping any kind of
> "stack-smashing" attack dead in its tracks (both the stack and heap are
> marked as non-executable). That takes care of most vulnerabilities,
> both known and unknown.
As Matt said, it is pretty well known that there are a lot of tricks for
getting around these kinds of things.
> Why even jump to conclusions like this when you admitted a few messages
> back that you don't know much about grsec? ;-(
I think I was fairly clear that I was only stating my opinion. I have
certainly been wrong in the past. And in our discussion I have learned
more about grsecurity, but nothing that I think contradicts my initial