[rsbac] questions..

Amon Ott ao at rsbac.org
Wed May 25 09:34:03 CEST 2005


Hi folks,

I am back from my holidays and now working through tons of mails.

On Monday 09 May 2005 11:37, Michal Purzynski wrote:
> On 9 maj, 2005, at 10:28, Andrea Pasquinucci wrote:
> 
> > Sorry for a few other dumb questions:
> >
> > 1. Does it make sense to build a kernel with the following modules:
> >      PAX, RES, CAP, DAZ, FF (JAIL ?)
> > notice that AUTH is missing
> >
> AUTH should be mandatory as it makes sure nobody can forge uids and
> gids. Without it an attacker gaining root could easily bypass protection
> by switching to the security officer uid and doing whatever he likes.

It only makes sense to run without the AUTH module if you have disabled all
administration - either with the rsbac_freeze option or by simply
removing all administrator roles of all users.

> > 2. For RES, I guess that most dimensions are bytes even if it is not
> > written in the help
> >
> >   'fsize' "Size limit for each file."
> >   'memlock' "Limit on locked-in-memory address space."
> >   'as' "Address space (virtual memory) limit."
> >
> > whereas
> >
> >   'data' "Process data segment size limit in bytes."
> >   'stack' "Process stack size limit in bytes."
> >   'core' "Core dump size limit in bytes."
> >   'rss' "Max resident set size in bytes."
> As I remember they are in bytes, right.

Should be all in bytes. I simply copied the descriptions from the 
kernel header file capabilities.h.
 
> > 3. About JAIL, Amon often says to use JAIL without chroot to protect
> > users when using for example firefox/mozilla etc. Is it possible to set
> > this by using attr_set_fd (or similar), or must one start the program
> > with rsbac_jail? Is this in that case a new feature which could be
> > added?
> 
> Just use rsbac_jail with the necessary switches, that's the only way to put
> a program into a jail.
> It could be rather tricky to implement with attr_set_fd this way, but
> here only Amon can answer correctly. It would require some way to first
> set up the jail and then assign it to the application.

This has been thought about before, see the to-do item in the "Later"
section:
(Maybe) add jail flags and IP FD attributes to force a jail for a
program without chroot.

It is possible, and it would be useful in some cases. Never seen as 
urgent, though.
 
> > Moreover, what will happen if I run firefox under jail with no
> > chroot? For example, could I still use plugins or helpers (like xpdf,
> > realplay, mplayer etc.)?
> 
> Plugins should be working without problem; in any case JAIL is very
> configurable.

I have been running Mozilla in a Jail for months now, and it works fine -
if you enable rlimits and IPC access outside the jail for KDE
integration.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22