Date: Sat, 13 Nov 2004 04:53:03 +0300
From: Solar Designer <solar@...nwall.com>
To: owl-users@...ts.openwall.com
Subject: Re: iSEC advisory about binfmt_elf
On Thu, Nov 11, 2004 at 03:40:30PM -0800, Anthony D. Urso wrote:
> I have a kernel mod here:
>
> http://killa.net/infosec/acls/
>
> ... that allows binaries requiring RAW or PACKET sockets to be setgid
> a configurable group instead of being setuid root.
>
> It might save you some effort.
Yes, thanks. For traceroute, however, the solution is simpler. We
need to move to Olaf Kirch's implementation of it:
http://rechner.lst.de/~okir/traceroute/
ftp://ftp.lst.de/pub/people/okir/traceroute
For ping, yes, we might have to use something like your patches...
although I'd hate to have the Owl userland _require_ (rather than just
support) patched kernels.
> On Thu, Nov 11, 2004 at 08:58:26PM +0300, Solar Designer wrote:
> > Yes, this does reduce the impact. Especially if you ensure there're
> > no SUID root binaries; on a default install of Owl (with tcb), it's
> > sufficient to do:
> >
> > control ping wheelonly
> > control traceroute wheelonly
> >
> > There're no other publicly-accessible SUID-roots by default.
> >
> > (And we're planning to deal with at least traceroute before the next
> > release such that it won't require SUID root anymore.)
--
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598 fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments
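The mitigation discussed in the thread is to make sure no SUID-root binary on the box is executable by arbitrary local users (the `control ping wheelonly` / `control traceroute wheelonly` step on Owl). As an added example, not code from this thread, from Owl, or from the patches at killa.net, the following POSIX shell function lists set-UID executables of a given owner that are still executable by "other", which is the list an administrator would want to see empty after applying that step. The demo builds constructed files in a scratch directory owned by the current user, because only root can create root-owned files; for a real audit the owner argument defaults to root and the directory would be `/`.

```shell
#!/bin/sh
# Added example: list set-UID executables that any local user may run.
# Usage: list_public_suid DIR [OWNER]   (OWNER defaults to root)

list_public_suid() {
    dir=$1
    owner=${2:-root}
    # -perm -4001 matches files with BOTH the set-UID bit (4000) and the
    # execute-by-other bit (0001) set; group-only (4750) binaries are skipped.
    # -xdev keeps the scan on one filesystem; -user accepts a name or a uid.
    find "$dir" -xdev -type f -user "$owner" -perm -4001 -print 2>/dev/null | sort
}

# Convenience wrapper returning just the number of such files.
count_public_suid() {
    list_public_suid "$1" "$2" | wc -l | tr -d ' '
}

# Demo on constructed files (hypothetical layout) in a scratch directory.
# Uses the current uid as owner, since an unprivileged user cannot create
# root-owned files; on a real system call: list_public_suid / root
demo() {
    tmp=$(mktemp -d)
    me=$(id -u)
    mkdir -p "$tmp/bin"
    printf '#!/bin/sh\necho ping\n'       > "$tmp/bin/ping"
    printf '#!/bin/sh\necho traceroute\n' > "$tmp/bin/traceroute"
    printf '#!/bin/sh\necho ls\n'         > "$tmp/bin/ls"
    chmod 4755 "$tmp/bin/ping"        # set-UID and world-executable: reported
    chmod 4750 "$tmp/bin/traceroute"  # set-UID but group-only ("wheelonly"): not reported
    chmod 0755 "$tmp/bin/ls"          # no set-UID bit: not reported
    echo "publicly executable set-UID files under $tmp (owner uid $me):"
    list_public_suid "$tmp" "$me"
    rm -rf "$tmp"
}

demo
```

Run it as root against `/` with the default owner to get the real list; anything it prints is a binary that the kernel bug in the advisory could be leveraged from by any local account, and moving it to a restricted group (or replacing it with a non-SUID implementation, as the thread proposes for traceroute) removes it from the output.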