Firewall Wizards mailing list archives
Re: Custom Unix server installations -- to harden extensively ?
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Wed, 14 May 2003 21:23:48 -0400
Carson Gaspar wrote:
I seem to be in the minority here, but I firmly believe that the costs of maintaining a stripped down build exceed the security gains achieved by removing binaries.
I agree that stripping a box is not valuable, but for different reasons.
If what you want to accomplish is a minimized secure UNIX kernel with a small applications base, build one from the ground up. The NFR CDROM boot code I did took me only 4 days to build, and it included
1) my own version of init(1) that mounted filesystems, invoked fsck, then setuid'd to a non-privileged user
2) my own kernel that allowed some normally privileged system calls to be executed by that user-id alone
3) my application

The init(1) disk partitioning process was creative. And goes as follows:
a) booted off el torito mini-disk on CDROM
b) root filesystem is a minimized memory root with:
        newfs
        fsck
        disklabel
        init (of course)
c) init calls disklabel on scsi disk 0.
        if the disk label matches an expected layout
        we know the disk is already correctly partitioned
        root=sd0
        GOTO f
d) init calls disklabel on ide disk 0.
        if the disk label matches an expected layout
        we know the disk is already correctly partitioned
        root=wd0
        GOTO f
e) init has no correctly set up disks. but it knows if it has an sd0 or wd0.
        prompt the user for permission to partition the disk
        confirm permission
        partition the disk with specific layout
        call newfs to set up root filesystem
        root=<whatever disk>
f) fsck root disk
g) mount root disk directly using system calls (no /etc/fstab needed)
h) chroot to root disk (now in /)
i) setuid to non-root userid
j) run application starter program
        fork apps
        wait
        update screen with status every 3 seconds using curses

yes, my version of init had curses built in, but used a static TERMCAP entry compiled into the code. :)

It's actually easier to build your own environment from the ground up, if you want a secure system. I.e.: better to start with raw silk than sow's ears, if you're trying to make silk purses.

Where people have problems is when they want heavy apps to run on it - things that expect a passwd file, user-ids, etc, etc, etc. But it's surprisingly easy to hack those programs to hardcode uids, etc. You'd be amazed at the number of UNIX apps that crash and burn when they don't have the zillions of files of cr*p that most UNIX systems come with. I swear it's worse than Windows...

Anyhow, it's not a hard problem - trying to actually nail down all the nonsense is hard.

mjr.
---
Marcus J. Ranum                          http://www.ranum.com
Computer and Communications Security     mjr () ranum com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
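
Steps h) and i) of the post (chroot to the root disk, then setuid to a non-root user) only confine the application if they happen in the right order and the drop cannot be undone. The following C code is an added example, not part of the original post and not the NFR init(1) code; the function name confine_and_drop, the "/" root and the 65534 ids are assumptions chosen for illustration.

```c
/* Added example: confine to a new root, then irreversibly give up root. */
#define _DEFAULT_SOURCE 1   /* glibc: expose chroot() and setgroups() */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 only if the process is confined and can no longer become root.
 * On nonzero return the caller must exit rather than start the application. */
int confine_and_drop(const char *newroot, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                  /* "dropping" to root is a config error */

    /* chroot() needs root, so it must come before the uid change. */
    if (chroot(newroot) != 0)
        return -2;
    /* Without chdir the cwd may still point outside the new root. */
    if (chdir("/") != 0)
        return -3;

    /* Groups first: after setuid() we lack the privilege to change them. */
    if (setgroups(0, NULL) != 0)
        return -4;
    if (setgid(gid) != 0)
        return -5;
    if (setuid(uid) != 0)           /* as root: sets real, effective, saved uid */
        return -6;

    /* Verify instead of trusting return codes: root must be unrecoverable. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -7;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -8;
    return 0;
}

int main(void)
{
    /* Constructed values: "/" as the new root, 65534 as the unprivileged id. */
    int rc = confine_and_drop("/", 65534, 65534);
    if (rc != 0) {
        fprintf(stderr, "confine_and_drop failed (%d), refusing to continue\n", rc);
        return 1;
    }
    printf("running as uid %d inside the new root\n", (int)getuid());
    return 0;
}
```

Run without root, the chroot() call fails and the function returns -2, which is the fail-closed behaviour an init replacement wants before it forks any application.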