[rsbac] questions..
Amon Ott
ao at rsbac.org
Wed May 25 09:34:03 CEST 2005
Hi folks,
I am back from my holidays and now working through tons of mails.
On Monday 09 May 2005 11:37, Michal Purzynski wrote:
> On 9 May, 2005, at 10:28, Andrea Pasquinucci wrote:
>
> > Sorry for a few other dumb questions:
> >
> > 1. Does it make sense to build a kernel with the following modules:
> > PAX, RES, CAP, DAZ, FF (JAIL ?)
> > notice that AUTH is missing
> >
> AUTH should be mandatory as it makes sure nobody can forge uids and
> gids. Without it, an attacker gaining root could easily bypass protection
> by switching to the security officer uid and do whatever he likes.
It only makes sense to run without the AUTH module if you disabled all
administration - either with the rsbac_freeze option or by simply
removing all administrator roles of all users.
> > 2. for RES, I guess that most dimensions are Bytes even if it is not
> > written in the help
> >
> > 'fsize' "Size limit for each file."
> > 'memlock' "Limit on locked-in-memory address space."
> > 'as' "Address space (virtual memory) limit."
> >
> > whereas
> >
> > 'data' "Process data segment size limit in bytes."
> > 'stack' "Process stack size limit in bytes."
> > 'core' "Core dump size limit in bytes."
> > 'rss' "Max resident set size in bytes."
> As I remember they are in bytes, right.
Should be all in bytes. I simply copied the descriptions from the
kernel header file capabilities.h.
> > 3. About JAIL, Amon says often to use JAIL without chroot to protect
> > users when using for example firefox/mozilla etc. Is it possible to set
> > this by using attr_set_fd (or similar), or one must start the program
> > with rsbac_jail? Is this in case a new feature which could be added?
>
> Just use rsbac_jail with necessary switches, that's the only way to put
> a program into a jail.
> It could be rather tricky to implement with attr_set_fd this way, but
> here only Amon can answer correctly. It would require some way to first
> set up a jail and then assign it to the application.
This has been thought about before, see to-do item in the "Later"
section:
(Maybe) add jail flags and IP FD attributes to force a jail for a
program without chroot.
It is possible, and it would be useful in some cases. Never seen as
urgent, though.
> > Moreover, what will happen if I would run firefox under jail with no
> > chroot? For example, could I still use plugins or helpers (like xpdf,
> > realplay, mplayer etc.)?
>
> Plugins should be working without problem, in case some JAIL is very
> configurable.
I have been running Mozilla in a Jail for months now, it works fine -
if you enable rlimits and IPC access outside the jail for KDE
integration.
Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22