Bugtraq mailing list archives

Using capabilities against shell code


From: dps () IO STARGATE CO UK (Duncan Simpson)
Date: Wed, 12 Aug 1998 21:33:51 +0200





The development of capabilities with Linux (and some section of POSIX, if the
header is to be believed) creates an opportunity for tightening security by
sandboxing daemons---imapd and popd have no legitimate use for various system
calls, for example. In particular, exec is fundamental to most buffer overrun
shellcode and not required by many daemons.

I have a preliminary patch against Linux 2.1.115 that adds CAP_SYS_EXEC and
denies exec to anyone without this capability (the first test in the
function). The idea behind this hack is that the daemon, without the need for
privileges, can drop CAP_SYS_EXEC and force crackers to write new
shellcode that sets up hosts.equiv or rhosts instead of the standard
technique. It is easier to track down rsh than attempting to guess which of
the "normal" connections (i.e. services one expects people to use) was the
cracker.

This takes modifications to not wipe out CAP_SYS_EXEC when the other
capabilities are killed. Various buggy versions convince me the patch is
effective (now you can log in without the shell lacking CAP_SYS_EXEC).

Any comments?

--
Duncan (-:
"software industry, the: unique industry where selling substandard goods is
legal and you can charge extra for fixing the problems."
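
The exec denial the post proposes, shown as an added example that is not the author's patch: mainline Linux has no CAP_SYS_EXEC, so this uses a seccomp-bpf filter (a swapped-in mechanism) to make execve/execveat fail with EPERM for the daemon and every child it forks, which is the effect the post wants from a daemon dropping the capability. The helper names and the /bin/true path are assumptions.

```c
// Added example, not the patch from the post: a daemon giving up exec before it
// handles untrusted input. Linux has no CAP_SYS_EXEC, so a seccomp-bpf filter
// (a swapped-in mechanism) makes execve/execveat fail with EPERM instead.
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#define DENY_WITH_EPERM BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

/* Install a filter that turns execve/execveat into EPERM for this process and
   every child it forks. Cannot be undone. Returns 0 on success, -1 on error.
   Note: a production filter must also check seccomp_data.arch first, because
   syscall numbers differ between ABIs (e.g. x86-64 vs. i386 on the same box). */
static int deny_exec(void)
{
    struct sock_filter filter[] = {
        /* Load the syscall number of the call being made. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* If nr == execve, fall through to the deny; otherwise skip 1. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 0, 1),
        DENY_WITH_EPERM,
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execveat, 0, 1),
        DENY_WITH_EPERM,
        /* Everything else stays allowed: this is a targeted exec ban only. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };

    /* Unprivileged processes may only install filters after NO_NEW_PRIVS. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Attempt an exec (of /bin/true, an assumed path) and report the errno it
   fails with; in an unfiltered process a successful exec would not return. */
static int try_exec(void)
{
    char *argv[] = { "/bin/true", NULL };
    char *envp[] = { NULL };
    execve("/bin/true", argv, envp);
    return errno;   /* EPERM once deny_exec() has run, whatever the path */
}
```

The filter is checked before the kernel looks at the path, so the result is EPERM even when the target binary does not exist, which is what makes the denial independent of what shellcode tries to run.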





