Subject: Re: Demo patch - run telnetd as non-root and chroot()'ed
From: Sean Hunter (seanuncarved.com)
Date: Fri Jul 21 2000 - 06:14:26 CDT


On Fri, Jul 21, 2000 at 10:23:15AM +0200, Olaf Kirch wrote:
> On Fri, Jul 21, 2000 at 12:14:52AM -0400, Kragen Sitaker wrote:
> > owned by group inetd. So gaining group inetd and thus having a chance
> > of becoming root by compromising a launcher would be just as hard as
> > gaining root by breaking inetd is today.
>
> No. Break one of the inetd-launched setuid foobar applications,
> become user foobar, overwrite the foobar launcher with /bin/bash.
> Reconnect to foobar socket, and inetd will give you a shell running
> group inetd.
>
> I once used to be a huge fan of this obstacle course type of security,
> too. A longish discussion with Rogier Wolff made me see the light :-)
>
> The point is that if you stretch out your security and insert more or
> less random privilege boundaries, you may end up with less security
> than before. The case of this inetd design illustrates this. The
> design is well-intentioned but the effect is that if I break fingerd,
> I don't just get nobody privilege, but I own the entire inetd process.
>
> In my opinion, any design that adds setuid bits to my system is broken.
> I'm all in favor of taking Occam's razor to daemons running as root.
> Some lend themselves very well to splitting off lesser-privileged
> portions, vice Chris' telnetd patch. Some don't, and these include
> things such as inetd and crond which need to execute programs as
> arbitrary users.

How about ditching inetd entirely and using something like tcpserver
instead? This works fine here, although I don't need to run any udp
services that aren't stand-alone daemons.

Sean
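
The weakness Olaf Kirch describes in the quoted text is that the service user can overwrite a launcher which a more privileged parent then executes. The audit below is an added example, not part of the thread or of any inetd code; `can_replace`, `audit_launcher` and the command-line form are hypothetical names chosen for illustration. It reports whether a given service identity could alter a launcher or swap it through its parent directory.

```python
import os
import stat
import sys


def can_replace(st, uid, gids):
    """Return why identity (uid, gids) can modify the object described by the
    stat result `st`, or None if the permission bits do not allow it."""
    if uid == 0:
        return "root bypasses permission bits"
    if st.st_uid == uid:
        # The owner can always chmod the file writable, so ownership is control.
        # A setuid-foobar launcher is owned by foobar, which is the case at issue.
        return "owned by the service user"
    if st.st_gid in gids:
        # Group members are judged on the group bits only, never the "other" bits.
        if st.st_mode & stat.S_IWGRP:
            return "group-writable by a group the service user holds"
        return None
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    return None


def audit_launcher(path, uid, gids=()):
    """Check the launcher and its parent directory; a writable directory lets
    the file be swapped by rename. Sticky-bit directories are reported
    conservatively. Returns a list of (path, reason) findings."""
    findings = []
    real = os.path.realpath(path)
    for target in (real, os.path.dirname(real)):
        reason = can_replace(os.stat(target), uid, set(gids))
        if reason:
            findings.append((target, reason))
    return findings


if __name__ == "__main__" and len(sys.argv) >= 3:
    # Assumed usage: script.py <launcher-path> <service-uid> [gid ...]
    for target, reason in audit_launcher(sys.argv[1], int(sys.argv[2]),
                                         [int(g) for g in sys.argv[3:]]):
        print(f"{target}: {reason}")
```

An empty result only covers the file and its immediate directory; ancestors further up the path need the same check.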