Firewall Wizards mailing list archives

Re: Custom Unix server installations -- to harden extensively ?


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Wed, 14 May 2003 21:23:48 -0400

Carson Gaspar wrote:
I seem to be in the minority here, but I firmly believe that the costs of maintaining a stripped down build exceed the 
security gains achieved by removing binaries.

I agree that stripping a box is not valuable, but for different reasons.
If what you want to accomplish is a minimized secure UNIX kernel with
a small applications base, build one from the ground up. The NFR
CDROM boot code I did took me only 4 days to build, and it included
1) my own version of init(1) that mounted filesystems, invoked fsck,
        then setuid'd to a non-privileged user
2) my own kernel that allowed some normally privileged system calls
        to be executed by that user-id alone
3) my application

The init(1) disk partitioning process was creative, and goes as follows:
a) booted off el torito mini-disk on CDROM
b) root filesystem is a minimized memory root with:
        newfs
        fsck
        disklabel
        init (of course)
c) init calls disklabel on scsi disk 0. if the disk label matches an expected
        layout we know the disk is already correctly partitioned root=sd0 GOTO f
d) init calls disklabel on ide disk 0. if the disk label matches an expected
        layout we know the disk is already correctly partitioned root=wd0 GOTO f
e) init has no correctly set up disks. but it knows if it has an sd0 or wd0.
        prompt the user for permission to partition the disk
        confirm permission
        partition the disk with specific layout
        call newfs to set up root filesystem
        root=<whatever disk>
f) fsck root disk
g) mount root disk directly using system calls (no /etc/fstab needed)
h) chroot to root disk (now in /)
i) setuid to non-root userid
j) run application starter program
        fork apps
        wait
        update screen with status every 3 seconds using curses

Yes, my version of init had curses built in, but used a static TERMCAP
entry compiled into the code. :)

It's actually easier to build your own environment from the ground
up, if you want a secure system. I.e.: better to start with raw
silk than sow's ears, if you're trying to make silk purses.

Where people have problems is when they want heavy apps to run
on it - things that expect a passwd file, user-ids, etc, etc, etc. But
it's surprisingly easy to hack those programs to hardcode uids, etc.
You'd be amazed at the number of UNIX apps that crash and burn
when they don't have the zillions of files of cr*p that most UNIX
systems come with. I swear it's worse than Windows... Anyhow,
it's not a hard problem - trying to actually nail down all the nonsense
is hard.

mjr. 
---
Marcus J. Ranum                         http://www.ranum.com
Computer and Communications Security    mjr () ranum com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
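Steps h) to j) of the init sequence described above, as an added example in C that is not Ranum's NFR code: it assumes the root disk has already been fsck'd and mounted at JAIL_ROOT, and the uid/gid and application path are placeholders. It also includes the check a reviewer would want after the setuid step, that root cannot be regained.

```c
#define _DEFAULT_SOURCE 1       /* glibc: expose chroot() and setgroups() */
#include <sys/types.h>
#include <sys/wait.h>
#include <grp.h>
#include <unistd.h>

#define JAIL_ROOT "/mnt/root"   /* assumed: where init mounted the root disk */
#define APP_UID   1000          /* assumed: the one unprivileged application uid */
#define APP_GID   1000

/* Step h: enter the prepared root. chdir to it, chroot("."), then chdir("/")
 * so no directory handle from outside the new root survives. */
static int enter_root(const char *root) {
    if (chdir(root) != 0 || chroot(".") != 0 || chdir("/") != 0) return -1;
    return 0;
}

/* Step i: give up root for good. Supplementary groups first (only root may
 * clear them), then gid, then uid. Finally confirm root cannot be regained:
 * an init that could re-escalate would defeat the whole design. */
static int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;   /* must fail with EPERM */
    return 0;
}

/* Step j: fork one application and wait for it. Returns its exit status,
 * or -1 if it could not be started or did not exit normally. */
static int run_and_wait(char *const argv[]) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);                              /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char *const app[] = {"/bin/app", NULL};      /* assumed application path */
    if (enter_root(JAIL_ROOT) != 0) return 1;
    if (drop_privileges(APP_UID, APP_GID) != 0) return 1;
    return run_and_wait(app) == 0 ? 0 : 1;
}
```

Ranum's init mounted the root disk and forked several apps with a curses status loop; this block keeps only the single-application spine so the ordering of chroot, privilege drop and fork/wait stays visible.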