Re: Lockdown... Take 2
On Tue, 2003-10-14 at 13:25, Carlos Perelló Marín wrote:
> El mar, 14-10-2003 a las 19:13, Rob Adams escribió:
> > Could we LD_PRELOAD an exec() (and system() ) wrapper for lockdown mode?
> > 
> 
> I think that we should modify the original exec() and system() calls,
> they are basic calls that any application will use.

Completely not acceptable - you'd have to modify these not only in
glibc, which I doubt you'd manage to get in upstream, but also for every
other (non Free/Open) OS GNOME supports.

If you want complete absolute system lockdown in an OS dependent way,
look at the security modules Linux/FreeBSD/others support - you can code
in any kind of access control for just about any capability you want.

> 
> but IMHO the acls are the solution here.
> 
> Of course any user will be able to jump those restrictions, just copy
> the executable with other authorized name and you can forget exec and
> system restrictions or acls.

Not if you remove executable capabilities from any mount the user has
write privileges to; basically, mount /home as noexec and only let users
use $HOME/tmp as their tmp directory (versus /tmp).

They will, in these cases tho, still have the ability to run scripts for
any interpreter they have access to; so disabling access to Python,
Perl, TCL, etc. is a necessity.  Of course, then, many of the apps you
want on the system will also be unusable.

The only solution I can think of there is back to the OS-dependent
security modules, and limiting the ability to run the interpreters if
their script argument isn't something outside of /home (including
standard input).

> 
> Also, with LD_PRELOAD the user can change it to use the original one or
> his/her modification. Also, the LD_PRELOAD var does not work with setuid
> executables (as a security protection).
> 
> Cheers.
-- 
Sean Middleditch <elanthis awesomeplay com>
AwesomePlay Productions, Inc.
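The noexec-mount approach discussed in this message, as an added example that is not part of the thread: a POSIX sh check that audits a mount table (a constructed sample in /proc/mounts format, not taken from any real system) and lists the user-writable mount points that still permit execution. The list of mount points treated as user-writable and the sample table are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Idea from the thread: if every filesystem a user can write to is mounted
# noexec, copying a binary under a new name no longer evades exec restrictions.
# Caveat also raised in the thread: noexec does not stop scripts fed to an
# interpreter the user can already run; that needs a separate control.

# Constructed sample in /proc/mounts format (assumption, not real data).
SAMPLE_MOUNTS='rootfs / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
/dev/sda3 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda4 /var ext4 rw,relatime 0 0'

# Mount points assumed to be user-writable and therefore required to be noexec.
USER_WRITABLE_MOUNTS='/home /tmp /var/tmp /dev/shm'

# Read a mount table on stdin; print each user-writable mount point whose
# options lack "noexec". Usage: printf '%s\n' "$table" | list_exec_mounts
list_exec_mounts() {
    while read -r dev mnt fstype opts rest; do
        for want in $USER_WRITABLE_MOUNTS; do
            [ "$mnt" = "$want" ] || continue
            case ",$opts," in
                *,noexec,*) ;;                 # already locked down
                *) printf '%s\n' "$mnt" ;;     # execution still allowed here
            esac
        done
    done
}

# Take the table as an argument; return 1 (and report on stderr) if any
# user-writable mount point still allows execution, 0 otherwise.
check_noexec() {
    offenders=$(printf '%s\n' "$1" | list_exec_mounts)
    if [ -n "$offenders" ]; then
        for mnt in $offenders; do
            printf 'exec allowed on user-writable mount: %s\n' "$mnt" >&2
        done
        return 1
    fi
    return 0
}

# Running against a live system instead of the sample: check_noexec "$(cat /proc/mounts)"
```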