[rsbac] Re: rsbac 1.2.3

Amon Ott ao at rsbac.org
Wed Jun 30 09:18:01 CEST 2004


On Dienstag, 29. Juni 2004 18:49, spender at grsecurity.net wrote:
> > I am looking forward to your bug reports. BTW, does this root user require 
> > specific Linux caps to break out of the jail? Only asking, I have no 
> > details yet.
> 
> No capabilities are required.  The one method you've already solved in 
> one way but don't realize/know that there are multiple ways to perform 
> the same filesystem actions.

Thank you for the details, which you also gave me off-list. I acknowledge 
that you really did find vulnerabilities, the consequence of which was 
difficult for me to see without having any details.

I will fix those bugs that I can find and make an official bugfix 
announcement on this list, and certainly I will give you due credit in the 
description.
 
> > Right, good point. In some cases these sockets might have been useful to 
> > access info outside the jail. This has been fixed after spotting the bug.
> 
> Not only access, but inject arbitrary data into the stream, possibly 
> causing a compromise of the application outside the jail, depending on 
> its implementation.

This is a consequence which was not clear to me when finally finding the 
bug.
 
> I guess my problem is that you choose not to differentiate between bugs 
> and vulnerabilities.  As a security conscious user, I would be very 
> afraid of that.  I believe that using 'bug' dilutes the importance of 
> the matter and better describes some harmless thing in an interface 
> where a user couldn't select a certain option, or something of the sort.  
> I just don't think that most people, when they hear that there were 
> bugfixes in a certain release will immediately think "fixed exploitable 
> vulnerabilities."  So I think the best thing for users, to urge them to
> update to these newer releases, is to call a bug a vulnerability if it 
> is so, like in this case.  But if your definition of bug is a 
> vulnerability, then that's fine.  I just think it's confusing and 
> misleading to the users.

The general term in RSBAC has always been "bug", but there can be various 
levels of severity. My estimation of the severity of these bugs was 
different from yours, because I thought that it would require a lot of 
extra knowledge to compromise a process outside the jail, which cannot 
easily be seen in the first place. From previous bugfix announcements you 
can see that I generally ask people to apply the fix ASAP if I believe 
the bug to be dangerous.

You have a point that people might have used the version 1.2.2 JAIL module 
without other modules, which leaves the system less protected than it 
should be. My personal view of "good RSBAC practice" with additional RC 
model encapsulation is probably not general practice.

We should settle the discussion here. I have stated before that I believe 
you are doing great work on GRSecurity, and I never doubted your skill and 
knowledge. It was only the way things happened that made me (and you) 
angry.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
-------------- next part --------------
A non-text attachment was scrubbed...
Name        : not available
Type        : application/pgp-signature
Size        : 189 bytes
Description : signature
URL         : http://www.rsbac.org/pipermail/rsbac/attachments/20040630/ae4f49e9/attachment.bin

