[rsbac] Re: rsbac 1.2.3
Amon Ott
ao at rsbac.org
Tue Jun 29 18:31:52 CEST 2004
On Tuesday, 29 June 2004 16:35, spender at grsecurity.net wrote:
> > "Them" seems to be Albeiro, who already answered himself. Since I never
> > have been personally notified by you and never saw these instructions, I
> > will not answer to them.
>
> So because I didn't tell you directly, but made all information public
> (it was even posted to the grsecurity forums), you refuse to give
> credit to the person that actually found these vulnerabilities for you,
> when you knew this is where the information and code came from?
Sorry for being too ignorant to read GRSecurity forums when looking for
RSBAC bug reports. OTOH, you have been quite as ignorant by missing the
fact that I indeed have given you credit on the running RSBAC to-do list
at http://zhware.ath.cx/cgi-bin/oswiki.cgi/RsbacTodo. You should have
found that before. X-)
> BTW it is clear that you simply ran my regression tests and fixed only
> the things that said failed, without even investigating your code further.
> I just downloaded RSBAC 1.2.3 an hour or so ago and with a modified test
> was able to confirm that two vulnerabilities still exist within your
> JAIL code that allow a root user to break out of the jail completely.
I am looking forward to your bug reports. BTW, does this root user require
specific Linux caps to break out of the jail? Only asking, I have no
details yet.
[Stripped part that I am not going to comment again, and which is
completely beside my point - bugs do happen, and they get corrected when
known.]
> > All this hassle would have been avoided, if you had followed the common
> > practice to notify the author and provide details.
>
> No, the hassle would have been avoided if you did the right thing, instead
> of intentionally refusing to give credit where you knew it was due simply because
> you did not like my methods of revealing vulnerabilities in your code and
> preferred me to hold your hand and fix your code for you.
This is getting ridiculous. Do you want me to state on the RSBAC main page
that even you reported the existence of bugs and indirectly provided some
anonymous testing code, but rather wanted to teach me your way of coding
than getting the bugs fixed ASAP? I am not going to add a hall of fame for
bug reporters, you are by far not the only one.
> > I have ripped all code derived from the tarball I received (before your
> > licence note, BTW) from the RSBAC tools package's contrib dir and uploaded
> > the new packages.
>
> It doesn't matter that it was taken before my license note. The Copyright Act
> states that a work is copyrighted once it is created. The lack of a license
The lack of evidence of the author, the lack of copyright notice and the
lack of a license. I apologize for mistakenly using your code, because I
thought it was provided to be of help for all RSBAC users.
> meant you had no right whatsoever to modify or redistribute the code: such
> permission would be granted through a license. Though I'm not bothered by this,
> what I was bothered by was that you ripped the code and didn't even bother
> to attribute it (of course you managed to add your own name to it). This
I did not add my name to the code, although I had contributed to it; I
added a README file with some contact information, because there was no
other contact available in there.
> > (Example: it is reported as a vulnerability, if a program can open a dir,
> > chroot, and then still access the dir. What a stupid program to do this,
> > but I have "fixed" that.)
>
> What about modifying abstract unix domain sockets? How is that not a
> vulnerability? I will agree that the fchdir example is not really a
> vulnerability, though it does break the notion of a jail.
Right, good point. In some cases these sockets might have been useful to
access info outside the jail. This has been fixed after spotting the bug.
> > - If you believe that there are still bugs in v1.2.3, PROVIDE INFO OR SHUT
> > UP.
>
> I'll shut up and leave the two remaining methods of breaking out of your jail
As you please.
> unfixed. I'm sure your users are happy that you're more interested in
> attacking people that find vulnerabilities in your code than actually
Pardon? Who started attacking? Who threatened with bug reports to others,
still not providing the details I repeatedly asked for?
> > > > fact: JAIL is not all of RSBAC - it is a convenient, but not an important
> > > > module.
>
> But when you claim for an individual module to provide a certain level
> of security, and it fails to provide that security, it is a vulnerability.
Yes. This is a bug, which has to be fixed. We are circling here. Please
send proper bug reports.
> > Yes, JAIL can be used by itself, and it does provide jail functionality in
> > the way stated in the module description. However, this does not mean it
> > provides the exact functionality you personally want it to have.
>
> Again, using your words, it doesn't provide the functionality you claim
> it to have. And if you believe differently that I cannot access
> processes outside of the jail with your JAIL code, which your patch
> documentation claims I cannot do, set up a box and offer $2000 to someone
> to break it.
Do you understand what I write? Bugs can happen, this is software. Bugs get
fixed when they are reported in a sufficient way. Dangerous bugs,
especially in central and important code, lead to a bugfix for the stable
series, if possible.
RSBAC is a free project, so feel free to contribute, but expect that there
might be bugs, as in all software. Be responsible by sending bug reports
to the developers and to the users on the official mailing list, which has
been created for such purposes. If you do not send bug reports, do not
expect unknown bugs to be fixed. It is as simple as that.
You can set up your own box, make a contest, and be happy. I have a strong
dislike of betting and taking odd chances.
> > at grsecurity.net will provide some important extra information.
>
> Are you insinuating that this is an attempt to convert RSBAC users
> to grsecurity? I assure you that that isn't the case. We've had a
> somewhat amicable relationship prior to this. This is an issue
> of honesty and ethics. I thought that in light of the facts you
> would be willing to do the right thing, but you seem more interested
> in the public image of RSBAC than the security of it.
Brad, really: Your and my views of honesty and ethics seem to differ a lot
in this case. I have tried to make clear that your way of "reporting" bugs
is unacceptable for me and produces an enormous and completely unnecessary
waste of time. I am not willing to honour you for wasting my time.
In the meantime, you insist that my code has flaws which might have been
avoided if I had taken the time to dig through various papers or whatever.
I have no problem with that, everyone knows that resources tend to be
limited. All I can do is take care to make good designs and code, which do
their jobs properly and are as secure as possible. So far, it worked out
quite well and gave RSBAC a pretty good reputation.
To make you happier, I have changed the JAIL line on the RSBAC title
page to now read "JAIL improvements and bugfixes", despite the obvious
fact that every new version has tons of bugfixes and in turn contains new
bugs.
Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22