Subject: Re: [RFC] environment sanitisation wrapper
From: Sean Hunter (sean@uncarved.com)
Date: Tue May 30 2000 - 18:39:13 CDT
- Next message: Kurt Seifried: "Re: [RFC] environment sanitisation wrapper"
- Previous message: Kev: "Re: Here's another glibc env. var."
- Next in thread: Kurt Seifried: "Re: [RFC] environment sanitisation wrapper"
- Maybe reply: Sean Hunter: "Re: [RFC] environment sanitisation wrapper"
- Reply: Kurt Seifried: "Re: [RFC] environment sanitisation wrapper"
- Reply: Jim Breton: "syslogd replacements"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
I don't like syslog at all, and want to replace it with something
sensible (although the syslogd man page is good for a laugh[1]). I
would rather use stdout and stderr and let the user pipe the output to
syslog, a log file or wherever else they want to.
I'm also not convinced you actually gain a whole lot by checking argv.
I'm open to correction on that point, though, and if persuaded might
make a safe_argv wrapper that did this. 8^)
Thank you very much for your comments though. I'm glad you've taken
the time to look at what I've done. I'm very grateful that the
coolness of unix means that we can do similar things in very different
ways.
Sean
[1]grep for SECURITY THREATS
On Tue, May 30, 2000 at 12:38:56PM -0700, K2 wrote:
> you could at least syslog your exceptions and check argv. (2-3 lines)
>
> On Tue, 30 May 2000, Sean Hunter wrote:
>
> > Hmm. I really don't think that a kitchen-sink feature set is a good
> > idea at all when security is at stake. One of the great things about
> > small programs is that it's pretty easy for people to check them
> > exhaustively and you can easily test all execution paths. If I wanted
> > all of this other functionality, I would separate it out into a few,
> > smaller wrappers that each performed a single task.
> >
> > Sean
> >
> >
> > On Tue, May 30, 2000 at 09:18:04AM -0700, K2 wrote:
> > >
> > > Here is a _HIGHLY_ configurable wrapper. It includes logging and argv
> > > processing.
> > >
> > > http://cegt201.bradley.edu/~im14u2c/wrapper/
> > >
> > > ---- SNIP SNIP ----
> > > Joe's Generic SUID/SGID Wrapper v2
> > >
> > > This wrapper is intended to protect SUID/SGID programs that may
> > > either be susceptible to buffer overflows on commandline arguments, or
> > > inappropriately trust certain environment variables. This wrapper
> > > does not fix file race-conditions, nor does it help with other
> > > bugs/problems.
> > >
> > > This is Version 2 of my wrapper. This version represents a
> > > significant increase in functionality over the initial version. The
> > > wrapper performs the following functions:
> > >
> > > Filters the user's environment, optionally removing, checking,
> > > inserting, and scrubbing variables (which you select).
> > > Checks that USER/LOGNAME are set to the user's login name (as
> > > reported by getpwuid()).
> > > Validates argv[].
> > > Launches various programs based on the basename of argv[0].
> > > Logs exploit attempts via syslog(). (Only exploit attempts --
> > > i.e. excessive argument length, or invalid USER/LOGNAME variables -- are
> > > logged. Invalid flags for a program, etc. are not logged.)
> > >
> > > All strings 'scrubbed' by the wrapper are length-checked, and content
> > > checked. "Dangerous" characters can be either remapped to "safe"
> > > characters, or flagged and logged as an exploit attempt. A "maximum
> > > remapped character" threshold can be defined, for allowing a few
> > > control characters through, but not enough to be dangerous.
> > >
> > > ---- SNIP SNIP ----
> > >
> > > On Sun, 28 May 2000, Sean Hunter wrote:
> > >
> > > > In the light of the thunderous silence that greeted my initial
> > > > wrapper, I've improved it a little, and am now running it successfully
> > > > on my production hosts. See attached for the latest.
> > > >
> > > > Suggestions (esp for candidates for the black- and whitelists)
> > > > gratefully received.
> > > >
> > > > Sean
> > > >
> > > > On Sun, May 28, 2000 at 03:39:22PM +0100, Sean Hunter wrote:
> > > > > Given the recent debates over environment variables, I decided to
> > > > > write a small wrapper to ensure a sane environment for important
> > > > > programs. What it does is remove any unwanted env vars before
> > > > > executing a given program. So, instead of running "foobar" you'll run
> > > > > "safe_env foobar", or if foobar wants to see the BAZ env var, you do
> > > > > "safe_env -s BAZ foobar" or something.
> > > > >
> > > > > Is this at all useful? If so, what environment variables do we trust
> > > > > to add to this safe_builtins list? Have I done anything dumb in the
> > > > > implementation?
> > > > >
> > > > > Sean
> > > > >
> > > >
> > >
> >
>
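For readers who want to see the pieces discussed in this thread in working form, here is an added example of a safe_env-style wrapper in C. It is neither Sean's attached code nor Joe's wrapper. It combines a whitelist of inherited variables (the safe_builtins list, the -s VAR option to extend it, the forced PATH and the 1024-byte limit are all assumptions), the USER/LOGNAME-against-getpwuid() check and the argv length/content check from Joe's feature list, and Sean's preference for reporting on stderr rather than calling syslog() itself. The sample environment near the bottom is constructed for exercising the checks offline; the program takes a full path to PROG because it uses execve() with the rebuilt environment rather than searching the caller's PATH.

```c
/* safe_env: exec PROG with a sanitised environment. Added example, not the code
 * posted in this thread; the whitelist, limits and messages are assumptions.
 * Usage: safe_env [-s VAR]... /path/to/PROG [ARGS]   (errors go to stderr) */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_LEN 1024 /* max bytes per env entry or argv element */
#define MAX_ENV 64   /* max entries in the child environment (and -s extras) */

/* Variables the child may inherit (assumed conservative set). */
static const char *const safe_builtins[] = { "HOME", "TERM", "LANG", "TZ", "USER", "LOGNAME", NULL };
/* Entries the wrapper sets itself, overriding whatever the caller supplied. */
static const char *const forced_env[] = { "PATH=/usr/bin:/bin", NULL };

/* 1 if entry's NAME matches an element of list (bare names or NAME=value). */
int name_allowed(const char *entry, const char *const *list) {
    size_t n = strcspn(entry, "=");   /* length of NAME in NAME=value */
    for (; *list; list++)
        if (strcspn(*list, "=") == n && strncmp(entry, *list, n) == 0) return 1;
    return 0;
}

/* 1 if s is at most maxlen bytes and free of control characters. */
int string_clean(const char *s, size_t maxlen) {
    size_t i;
    for (i = 0; s[i]; i++)
        if (i >= maxlen || (unsigned char)s[i] < 0x20 || s[i] == 0x7f) return 0;
    return 1;
}

/* Fill out[] (aliasing, no copies) with forced entries, then caller entries
 * named in safe_builtins or extra. Returns the count, or -1 if a kept entry
 * fails string_clean() or out[] would overflow. */
int build_safe_env(char *const *envp, const char *const *extra,
                   const char **out, size_t outmax) {
    size_t n = 0;
    const char *const *f;
    for (f = forced_env; *f; f++) {
        if (n + 1 >= outmax) return -1;
        out[n++] = *f;
    }
    for (; *envp; envp++) {
        if (name_allowed(*envp, forced_env)) continue;  /* wrapper sets this one */
        if (!name_allowed(*envp, safe_builtins) && !(extra && name_allowed(*envp, extra)))
            continue;                                   /* neither built-in nor -s */
        if (!string_clean(*envp, MAX_LEN) || n + 1 >= outmax) return -1;
        out[n++] = *envp;
    }
    out[n] = NULL;
    return (int)n;
}

/* 1 unless a USER or LOGNAME entry disagrees with login; a mismatch is what
 * Joe's wrapper logs as an exploit attempt (an absent variable passes here). */
int login_vars_ok(char *const *envp, const char *login) {
    for (; *envp; envp++) {
        if (!strncmp(*envp, "USER=", 5) && strcmp(*envp + 5, login)) return 0;
        if (!strncmp(*envp, "LOGNAME=", 8) && strcmp(*envp + 8, login)) return 0;
    }
    return 1;
}

/* 1 if every argv element passes the same length/content check. */
int argv_ok(char *const *argv) {
    for (; *argv; argv++)
        if (!string_clean(*argv, MAX_LEN)) return 0;
    return 1;
}

/* Constructed sample caller environment, for exercising the checks offline. */
static char *sample_env[] = { "HOME=/home/alice", "LD_LIBRARY_PATH=/tmp", "TERM=xterm",
    "USER=alice", "LOGNAME=alice", "BAZ=1", "PATH=/tmp/bin", NULL };
static const char *sample_extra[] = { "BAZ", NULL };   /* as if run with -s BAZ */
static const char *sample_out[MAX_ENV + 1];

int main(int argc, char **argv, char **envp) {
    const char *extra[MAX_ENV + 1], *newenv[MAX_ENV + 1];
    struct passwd *pw = getpwuid(getuid());
    size_t nextra = 0;
    int i = 1;
    for (; i + 1 < argc && strcmp(argv[i], "-s") == 0; i += 2) {
        if (nextra >= MAX_ENV) { fputs("safe_env: too many -s options\n", stderr); return 1; }
        extra[nextra++] = argv[i + 1];
    }
    extra[nextra] = NULL;
    if (i >= argc) { fputs("usage: safe_env [-s VAR]... /path/to/PROG [ARGS]\n", stderr); return 1; }
    if (!pw || !login_vars_ok(envp, pw->pw_name)) {
        fputs("safe_env: USER/LOGNAME do not match the real uid\n", stderr); return 1;
    }
    if (!argv_ok(argv + i)) { fputs("safe_env: over-long or binary argument\n", stderr); return 1; }
    if (build_safe_env(envp, extra, newenv, MAX_ENV + 1) < 0) {
        fputs("safe_env: over-long or binary environment entry\n", stderr); return 1;
    }
    execve(argv[i], argv + i, (char *const *)newenv);
    perror("safe_env: execve");
    return 127;
}
```

Every rejection is reported once on stderr and the wrapper exits without exec'ing, so there are only a handful of execution paths to audit, which is the point Sean makes about small wrappers. Running it as "safe_env -s BAZ /usr/bin/foobar 2>&1 | logger" gives the syslog record that Joe's version produces internally, without the wrapper having to know about syslog at all. Against the constructed sample_env, the rebuilt environment keeps the forced PATH plus HOME, TERM, USER, LOGNAME and (because of the -s BAZ extra) BAZ, and drops LD_LIBRARY_PATH and the caller's own PATH.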