[rsbac] Re: rsbac 1.2.3

Amon Ott ao at rsbac.org
Tue Jun 29 18:31:52 CEST 2004


On Dienstag, 29. Juni 2004 16:35, spender at grsecurity.net wrote:
> > "Them" seems to be Albeiro, who already answered himself. Since I never 
> > have been personally notified by you and never saw these instructions, I
> > will not answer to them.
> 
> So because I didn't tell you directly, but made all information public
> (it was even posted to the grsecurity forums), you refuse to give
> credit to the person that actually found these vulnerabilities for you,
> when you knew this is where the information and code came from?

Sorry for being too ignorant to read GRSecurity forums when looking for 
RSBAC bug reports. OTOH, you have been quite as ignorant by missing the 
fact that I indeed have given you credit on the running RSBAC to-do list 
at http://zhware.ath.cx/cgi-bin/oswiki.cgi/RsbacTodo. You should have 
found that before. X-)

> BTW it is clear that you simply ran my regression tests and fixed only
> the things that said failed, without even investigating your code further.
> I just downloaded RSBAC 1.2.3 an hour or so ago and with a modified test
> was able to confirm that two vulnerabilities still exist within your
> JAIL code that allow a root user to break out of the jail completely.

I am looking forward to your bug reports. BTW, does this root user require 
specific Linux caps to break out of the jail? Only asking, I have no 
details yet.
 
[Stripped part that I am not going to comment again, and which is 
completely beside my point - bugs do happen, and they get corrected when 
known.]
 
> > All this hassle would have been avoided, if you had followed the common 
> > practice to notify the author and provide details.
> 
> No, the hassle would have been avoided if you did the right thing, instead
> of intentionally refusing to give credit where you knew it was due simply because
> you did not like my methods of revealing vulnerabilities in your code and
> preferred me to hold your hand and fix your code for you.

This is getting ridiculous. Do you want me to state on the RSBAC main page 
that even you reported the existence of bugs and indirectly provided some 
anonymous testing code, but rather wanted to teach me your way of coding 
than getting the bugs fixed ASAP? I am not going to add a hall of fame for 
bug reporters, you are by far not the only one.
 
> > I have ripped all code derived from the tarball I received (before your 
> > licence note, BTW) from the RSBAC tools package's contrib dir and uploaded
> > the new packages.
> 
> It doesn't matter that it was taken before my license note.  The Copyright Act
> states that a work is copyrighted once it is created.  The lack of a license

The lack of evidence of the author, the lack of copyright notice and the 
lack of a license. I apologize for mistakenly using your code, because I 
thought it was provided to be of help for all RSBAC users.

> meant you had no right whatsoever to modify or redistribute the code: such
> permission would be granted through a license.  Though I'm not bothered by this,
> what I was bothered by was that you ripped the code and didn't even bother
> to attribute it (of course you managed to add your own name to it).  This

I did not add my name to the code, although I had contributed to it, I 
added a README file with some contact information, because there was no 
other contact available in there.

> > (Example: it is reported as a vulnerability, if a program can open a dir,
> > chroot, and then still access the dir. What a stupid program to do this,
> > but I have "fixed" that.)
> 
> What about modifying abstract unix domain sockets?  How is that not a
> vulnerability?  I will agree that the fchdir example is not really a
> vulnerability, though it does break the notion of a jail.

Right, good point. In some cases these sockets might have been useful to 
access info outside the jail. This has been fixed after spotting the bug.
 
> > - If you believe that there are still bugs in v1.2.3, PROVIDE INFO OR SHUT
> > UP.
> 
> I'll shut up and leave the two remaining methods of breaking out of your jail

As you please.

> unfixed.  I'm sure your users are happy that you're more interested in
> attacking people that find vulnerabilities in your code than actually

Pardon? Who started attacking? Who threatened with bug reports to others, 
still not providing the details I repeatedly asked for?

> > > > fact: JAIL is not all of RSBAC - it is a convenient, but not an 
> > > > important
> > > > module.
> 
> But when you claim for an individual module to provide a certain level
> of security, and it fails to provide that security, it is a vulnerability.

Yes. This is a bug, which has to be fixed. We are circling here. Please 
send proper bug reports.

> > Yes, JAIL can be used by itself, and it does provide jail functionality in
> > the way stated in the module description. However, this does not mean it
> > provides the exact functionality you personally want it to have.
> 
> Again, using your words, it doesn't provide the functionality you claim
> it to have.  And if you believe differently that I cannot access
> processes outside of the jail with your JAIL code, which your patch
> documentation claims I cannot do, set up a box and offer $2000 to someone
> to break it.

Do you understand what I write? Bugs can happen, this is software. Bugs get 
fixed when they are reported in a sufficient way. Dangerous bugs, 
especially in central and important code, lead to a bugfix for the stable 
series, if possible.

RSBAC is a free project, so feel free to contribute, but expect that there 
might be bugs, as in all software. Be responsible by sending bug reports 
to the developers and to the users on the official mailing list, which has 
been created for such purposes. If you do not send bug reports, do not 
expect unknown bugs to be fixed. It is as simple as that.

You can set up your own box, make a contest, and be happy. I have a strong 
dislike of betting and taking odd chances.
 
> > at grsecurity.net will provide some important extra information. 
> 
> Are you insinuating that this is an attempt to convert RSBAC users
> to grsecurity?  I assure you that that isn't the case.  We've had a
> somewhat amicable relationship prior to this.  This is an issue
> of honesty and ethics.  I thought that in light of the facts you
> would be willing to do the right thing, but you seem more interested
> in the public image of RSBAC than the security of it.

Brad, really: Your and my views of honesty and ethics seem to differ a lot 
in this case. I have tried to make clear that your way of "reporting" bugs 
is unacceptable for me and produces an enormous and completely unnecessary 
waste of time. I am not willing to honour you for wasting my time.

In the meantime, you insist that my code has flaws which might have been 
avoided if I had taken the time to dig through various papers or whatever. 
I have no problem with that, everyone knows that resources tend to be 
limited. All I can do is take care to make good designs and code, which do 
their jobs properly and are as secure as possible. So far, it worked out 
quite well and gave RSBAC a pretty good reputation.

To make you more happy, I have changed the JAIL line on the RSBAC title 
page to now read "JAIL improvements and bugfixes", despite the obvious 
fact that every new version has tons of bugfixes and in turn contains new 
bugs.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
