OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: [RFC] environment sanitisation wrapper
From: K2 (ktwoktwo.ca)
Date: Tue May 30 2000 - 14:38:56 CDT

you could at least syslog your exceptions and check argv. (2-3 lines)

On Tue, 30 May 2000, Sean Hunter wrote:

> Hmm. I really don't think that a kitchen-sink feature set is a good
> idea at all when security is at stake. One of the great things about
> small programs is that its pretty easy for people to check them
> exhaustively and you can easily test all execution paths. If I wanted
> all of this other functionality, I would seperate it out into a few,
> smaller wrappers that each performed a single task.
>
> Sean
>
>
> On Tue, May 30, 2000 at 09:18:04AM -0700, K2 wrote:
> >
> > Here is a _HIGHLY_ configurable wrapper. It includes logging and argv
> > processing.
> >
> > http://cegt201.bradley.edu/~im14u2c/wrapper/
> >
> > ---- SNIP SNIP ----
> > Joe's Generic SUID/SGID Wrapper v2
> >
> > This wrapper is intended to protect SUID/SGID programs that may
> > either be susceptible to buffer overflows on commandline arguments, or
> > inappropriately trust certain environment variables. This wrapper
> > does not fix file race-conditions, nor does it help with other
> > bugs/problems.
> >
> > This is Version 2 of my wrapper. This version represents a
> > significant increase in functionality over the initial version. The
> > wrapper performs
> > the following functions:
> >
> > Filters the user's environment, optionally removing, checking,
> > inserting, and scrubbing variables (which you select).
> > Checks that USER/LOGNAME are set to the user's login name (as
> > reported by getpwuid()).
> > Validates argv[].
> > Launches various programs based on the basename of argv[0].
> > Logs exploit attemps via syslog(). (Only exploit attempts --
> > ie. excessive argument length, or invalid USER/LOGNAME variables -- are
> > logged. Invalid flags for a program, etc. are not logged.)
> >
> > All strings 'scrubbed' by the wrapper are length-checked, and content
> > checked. "Dangerous" characters can be either remapped to "safe"
> > characters, or flagged and logged as an exploit attempt. A "maximum
> > remapped character" threshold can be defined, for allowing a few
> > control characters through, but not enough to be dangerous.
> >
> > ---- SNIP SNIP ----
> >
> > On Sun, 28 May 2000, Sean Hunter wrote:
> >
> > > In the light of the thunderous silence that greeted my initial
> > > wrapper, I've improved it a little, and am now running it succesfully
> > > on my production hosts. See attached for the latest.
> > >
> > > Suggestions (esp for candidates for the black- and whitelists)
> > > gratefully received.
> > >
> > > Sean
> > >
> > > On Sun, May 28, 2000 at 03:39:22PM +0100, Sean Hunter wrote:
> > > > Given the recent debates over environment variables, I decided to
> > > > write a small wrapper to ensure a sane environment for important
> > > > programs. What it does is remove any unwanted env vars before
> > > > executing a given program. So, instead of running "foobar" you'll run
> > > > "safe_env foobar", or if foobar wants to see the BAZ env var, you do
> > > > "safe_env -s BAZ foobar" or something.
> > > >
> > > > Is this at all useful? If so, what environment variables do we trust
> > > > to add to this safe_builtins list? Have I done anything dumb in the
> > > > implimentation?
> > > >
> > > > Sean
> > > >
> > >
> >
>