Date: Thu, 31 May 2001 13:22:16 +0200 From: "Jacques Bourdeau" <jacques_bourdeau@moncourrier.com> To: freebsd-security@FreeBSD.org Subject: producing an intrusion-proof FreeBSD Message-ID: <B98D2D91BA555D115A4600807CFD4B52@jacques_bourdeau.moncourrier.com>
next in thread | raw e-mail | index | archive | help
Hi, during next summer, I will work on a solution for increasing significan= tly the security of any Unix server. I wish to do that by using the CHROOT as m= uch as possible. Right now, only few daemon are ready for using Chroot themselves (named= and some FTPD). But even them do not gain a lot of security because they la= unch the CHROOT themsleves. So if a bug is found in them (as its always the = case if an intrusion occur), the bad guy have a much larger chance to go out= of the CHROOT. What I try to do is to build a sub-system jail, containing the minimum = tools and functions (like RBASH as the only shell, no telnet client... ), over a = partition mounted with nosuid,nodev, etc, etc, and launching daemons from the jai= l. If the deamon can do a second CHROOT by itself, I also use it. The best wo= uld be to have no listening daemons running outside of the jail. After that, someone doing an intrusion against the system would not be = able to do anything over personnal datas, or to re-use the computer for attacki= ng another one on Internet (he will not have telnet / ftp or anything else availab= le). Because the CHROOT was done by a previous process (which do not exist a= nymore in process list), going out of the CHROOT will be MUCH more difficult. = Indeed, only a bug in the kernel could go out. I already built a small jail and run named in 2 level of CHROOT as well= as FTPD. I wish to add all others : SSH, inetd .. ... .... I'm doing that with shells scripts because I'm a poor progammers with C= or others languages. So, if FreeBSD is interested, just explain me how to transform this in = a complete project for FreeBSD community. Jacques Bourdeau (my mail address will change in 2 months when I will go back in Canada,= so do not distribute it right now if you wish to add the project in your list...)= -- Obtenez vous aussi votre adresse =E9lectronique gratuite MonCourrier.com (http://www.moncourrier.com), un service du R=E9seau BRANCHEZ-VOUS! (http://www.branchez-vous.com), le meilleur d'Internet. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?B98D2D91BA555D115A4600807CFD4B52>