Outstanding issues
Eric Pancer
eric-list-argus at catastrophe.net
Mon Sep 25 11:30:27 EDT 2006
On Mon, 2006-09-25 at 11:11:15 -0400, Carter Bullard wrote...
> chroot() approaches assume that privileges are used only at
> initialization. What if you need to regain privileges at a later
> time?
Hello Carter, et al,
Long time away from the list for me. We evaluated Arbor's PeakFlow, but then
turned it down as it was becoming too security-centric and not just a flow
tool.
> Are there discussions as to how to approach this? We can't go back,
> and any strategy that would allow us to do so, even virtually,
> is open for exploitation, as the markov analysis will show.
> I can live with reality, whatever the outcome, but if someone has
> an acceptable approach that would allow us to get back privileges
> temporarily, when chroot is used, I'd like to know about it.
I can tell you this: OpenBSD has figured out how to do privilege-separation
and privilege-revocation, and it seems they have a good structure to use.
Niels Provos did a lot of the work back in 2002. Check out these slides:
<http://www.citi.umich.edu/u/provos/ssh/privsep.html>
They're just using a model in which the parent process handles all the tasks
that require elevated privileges, and hands everything off to the child
by means of a pipe.
tcpdump on OpenBSD also is using privsep, and it seems that argus could take
advantage of this too, since all argus really needs to do is open up a bpf
device. The source for this is available here under a BSD license.
<http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/tcpdump/>
Here's some other interesting information (speaking of which, wasn't David
Brumley on this mailing list at one point?):
<http://www.cs.cmu.edu/~dbrumley/pubs/privtrans.pdf>
Anyway - I think it's a great idea if it can be done with small effort.
- Eric
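The model Eric describes (a privileged parent that opens the sensitive resource and hands the descriptor to an unprivileged, chrooted child over a pipe) is small enough to show end to end. The following is an added example written for this archive page; it is not code from argus, OpenBSD's tcpdump, or the post's author. It uses a socketpair rather than a plain pipe because descriptor passing (SCM_RIGHTS) needs a Unix-domain socket, a constructed temporary file stands in for the bpf device, and the unprivileged uid/gid 65534 and the mkdtemp-created chroot directory are assumptions. The point relevant to Carter's question is visible in the child: once chroot() and setuid() have run there is no path back to root, so anything that still needs privilege is requested from the parent over the socket instead.

```c
/* Added example: minimal privilege-separation skeleton (privileged parent,
 * confined child, descriptor passed over a Unix socket). Not argus or
 * OpenBSD code. The temp file is a constructed stand-in for a bpf device;
 * uid/gid 65534 and the chroot directory are assumptions. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <grp.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>

#define UNPRIV_UID 65534   /* assumed unprivileged uid ("nobody" on many systems) */
#define UNPRIV_GID 65534   /* assumed unprivileged gid */

/* Pass an open descriptor to the peer of a Unix socket using SCM_RIGHTS. */
int send_fd(int sock, int fd) {
    char byte = 0;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char buf[CMSG_SPACE(sizeof(int))];
    memset(buf, 0, sizeof buf);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = buf, .msg_controllen = sizeof buf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor sent with send_fd(); returns the new fd or -1. */
int recv_fd(int sock) {
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char buf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = buf, .msg_controllen = sizeof buf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (cm == NULL || cm->cmsg_type != SCM_RIGHTS) return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Irreversibly confine the calling process. Only root can chroot(); when the
 * program is already unprivileged there is nothing to drop. After this
 * returns the process cannot regain root: the uid change is permanent and
 * chroot() has no undo, which is exactly why the parent keeps privilege. */
int drop_privileges(const char *jail) {
    if (geteuid() != 0) return 0;
    if (chroot(jail) != 0 || chdir("/") != 0) return -1;
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(UNPRIV_GID) != 0 || setuid(UNPRIV_UID) != 0) return -1;
    return 0;
}

/* Privileged parent opens the resource, forks, hands the descriptor to the
 * confined child, and checks what the child read. Returns 1 when the child
 * echoed back exactly the constructed file contents, 0 otherwise. */
int privsep_demo(void) {
    static const char payload[] = "flow record";   /* constructed contents */
    char file[] = "/tmp/privsep_fileXXXXXX";
    char jail[] = "/tmp/privsep_jailXXXXXX";
    int tfd = mkstemp(file);
    if (tfd < 0) return 0;
    if (write(tfd, payload, strlen(payload)) != (ssize_t)strlen(payload)) return 0;
    close(tfd);
    if (mkdtemp(jail) == NULL) { unlink(file); return 0; }

    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 0;
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) {
        /* child: give up privilege before touching any input */
        close(sv[0]);
        if (drop_privileges(jail) != 0) _exit(2);
        int fd = recv_fd(sv[1]);          /* the only way it gets the resource */
        if (fd < 0) _exit(3);
        char buf[64];
        ssize_t n = read(fd, buf, sizeof buf);
        if (n < 0 || write(sv[1], buf, n) != n) _exit(4);
        _exit(0);
    }
    /* parent: the only process that ever opens the resource */
    close(sv[1]);
    int fd = open(file, O_RDONLY);
    int ok = 0;
    if (fd >= 0 && send_fd(sv[0], fd) == 0) {
        close(fd);                        /* the child holds its own copy now */
        char buf[64];
        ssize_t n = read(sv[0], buf, sizeof buf);
        ok = (n == (ssize_t)strlen(payload) && memcmp(buf, payload, n) == 0);
    }
    close(sv[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    unlink(file);
    rmdir(jail);
    return ok && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void) {
    int ok = privsep_demo();
    printf("privsep demo: %s\n", ok ? "child read the parent's descriptor" : "failed");
    return ok ? 0 : 1;
}
```

Run as an ordinary user the child has nothing to drop and the example only exercises the descriptor hand-off; run as root it chroots into the empty temporary directory and switches to uid 65534 before it ever receives the descriptor, so a compromise of the child yields a process with no way back to privilege and only the descriptors the parent chose to give it.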