Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 13 Nov 2004 04:53:03 +0300
From: Solar Designer <solar@...nwall.com>
To: owl-users@...ts.openwall.com
Subject: Re: iSEC advisory about binfmt_elf

On Thu, Nov 11, 2004 at 03:40:30PM -0800, Anthony D. Urso wrote:
> I have a kernel mod here:
> 
> http://killa.net/infosec/acls/
> 
> ... that allows binaries requiring RAW or PACKET sockets to be setgid
> a configurable group instead of being setuid root.
> 
> It might save you some effort.

Yes, thanks.  For traceroute, however, the solution is simpler.  We
need to move to Olaf Kirch's implementation of it:

	http://rechner.lst.de/~okir/traceroute/
	ftp://ftp.lst.de/pub/people/okir/traceroute

For ping, yes, we might have to use something like your patches...
although I'd hate to have the Owl userland _require_ (rather than just
support) patched kernels.

> On Thu, Nov 11, 2004 at 08:58:26PM +0300, Solar Designer wrote:
> > Yes, this does reduce the impact.  Especially if you ensure there're
> > no SUID root binaries; on a default install of Owl (with tcb), it's
> > sufficient to do:
> > 
> > 	control ping wheelonly
> > 	control traceroute wheelonly
> > 
> > There're no other publicly-accessible SUID-roots by default.
> > 
> > (And we're planning to deal with at least traceroute before the next
> > release such that it won't require SUID root anymore.)

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.