[ubuntu-hardened] Ideas outside the SELinux box

Jeff Schroeder jeffschroed at gmail.com
Thu Feb 14 22:03:20 GMT 2008

Me And You wrote:
> -Running high risk desktop applications as another user.
>  Namely Firefox. In the last few months (and before that), we've seen
> a slew of vulns for ff. Most of them could be negated with the
> NoScript extension, but not everyone is going to use that. So I
> suggest running ff as a user other than the default desktop user. The
> reason for this is simple: the typical desktop user has everything of
> value to them under that user. If someone exploits firefox and is able
> to read/modify everything that the default user owns, well that's damn
> near everything that's important. We could make a shared "download"
> directory or some such for accessing files and so forth. I don't think
> this will be default, but having the option (something like apt-get
> install ff-secure) would be nice.
And if there is a local user priv escalation bug in the Linux kernel then
the attacker uses Firefox running as the other user to get root. If we drew
an attack tree of your model, it falls down there. Firefox should be confined
using Mandatory Access Control such as SELinux and/or AppArmor by default.
That is a much better solution and is certainly a goal for the future.

> -Jailed server packages
>  I don't know about anyone else, but I think jailing applications is a
> pain in the ass. Yeah, it's great to know how to do it, but I want
> computers to work for *me*, not the other way around. In my sad little
> Ubuntu server dreams I'm imaging something like this: apt-get install
> lamp-jailed. Wouldn't that be great?
Do you mean chrooting applications? "jailing" is a BSD-ism. This would be
nice to see.

> -Firewall setup during install
>  I think I read this is planned for Hardy, but if it isn't it needs to
> be. We've got iptables sitting there doing nothing on default install,
> that's just bad planning and design.
https://wiki.ubuntu.com/UbuntuFirewall This will be in Hardy

> -Tightening the system up
>  Maybe something like a Bastille config by default? I don't know, but
> things like the default user (first user) being able to read all the
> log files and such just doesn't sit well with me. Maybe I'm over
> paranoid, but I like my shiny hat thank you.
I wrote a script awhile ago to do this. It needs a teeny bit of work to
properly remove shells from system users on gutsy+ but is a good start.

> Thoughts/critiques?
You have some good ideas. Keep on submitting them along with code if you
have the time.

Jeff Schroeder
Don't drink and derive alcohol and analyis don't mix

More information about the ubuntu-hardened mailing list