[ubuntu-hardened] Ideas outside the SELinux box
Jeff Schroeder
jeffschroed at gmail.com
Fri Feb 15 00:57:46 GMT 2008
Me And You wrote:
> On Thu, Feb 14, 2008 at 2:03 PM, Jeff Schroeder <jeffschroed at gmail.com> wrote:
>> Me And You wrote:
>> ...
>>
>>> -Running high risk desktop applications as another user.
>>> Namely Firefox. In the last few months (and before that), we've seen
>>> a slew of vulns for ff. Most of them could be negated with the
>>> NoScript extension, but not everyone is going to use that. So I
>>> suggest running ff as a user other than the default desktop user. The
>>> reason for this is simple: the typical desktop user has everything of
>>> value to them under that user. If someone exploits firefox and is able
>>> to read/modify everything that the default user owns, well that's damn
>>> near everything that's important. We could make a shared "download"
>>> directory or some such for accessing files and so forth. I don't think
>>> this will be default, but having the option (something like apt-get
>>> install ff-secure) would be nice.
>> And if there is a local user priv escalation bug in the Linux kernel then
>> the attacker uses Firefox running as the other user to get root. If we drew
>> an attack tree of your model, it falls down there. Firefox should be confined
>> using Mandatory Access Control such as SELinux and/or AppArmor by default.
>> That is a much better solution and is certainly a goal for the future.
>>
>
> I agree, but I don't know how soon SELinux will be implemented by
> default. I suppose the likelihood of this idea being implemented by
> default sooner is just as likely, but I thought of this as an
> "in between" kind of solution (in between now and SELinux integration).
That's why I said, "SELinux and/or AppArmor". Ubuntu ships AppArmor in enforcing
mode by default, even though AppArmor is easy to circumvent with something like
cp `which firefox` firefox.exploitme; ./firefox.exploitme
For this reason (path-based vs. label-based security) SELinux is a more difficult
to subvert solution. AppArmor would still be more security than there is now.
> I'll check out that script as soon as I get time; should it work
> across Feisty and Gutsy? (some things have changed in Gutsy from what
> I've seen).
Let me look at it tonight and I'll update it to work on Gutsy. The apt
stuff should be removed entirely.
---
Jeff Schroeder
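The "run Firefox as another user with a shared download directory" idea from the quoted proposal, as an added example launcher that is not part of this thread and not Jeff's script. The account name ffuser, the group ffshare and the directory /srv/ffshare are assumptions (any site would pick its own); the script relies on GNU stat, sudo and xhost being present. It refuses to launch when the dedicated account or the shared directory is not set up the way the proposal intends, so the separation the proposal relies on cannot silently degrade.

```shell
#!/bin/sh
# Added example (not from the thread): an "ff-secure"-style launcher.
# Assumed names: dedicated account "ffuser", shared group "ffshare",
# shared download directory "/srv/ffshare". Override via environment.
FF_USER="${FF_USER:-ffuser}"
SHARE_DIR="${SHARE_DIR:-/srv/ffshare}"
SHARE_GROUP="${SHARE_GROUP:-ffshare}"

# share_dir_ok DIR GROUP
# Returns 0 only if DIR exists, is group-owned by GROUP and has mode 2770:
# setgid so downloads inherit the group, rwx for owner and group, nothing
# for others. A world-writable or world-readable share would hand the
# browser user's files (or the desktop user's) to everyone on the box.
share_dir_ok() {
    dir="$1"; grp="$2"
    [ -d "$dir" ] || return 1
    mode=$(stat -c '%a' "$dir" 2>/dev/null) || return 1
    [ "$mode" = "2770" ] || return 1
    [ "$(stat -c '%G' "$dir" 2>/dev/null)" = "$grp" ] || return 1
    return 0
}

# separate_user_ok USER
# Returns 0 only if USER exists and its primary group differs from the
# caller's login group, i.e. it really is a separate identity that does
# not share the desktop user's default group ownership.
separate_user_ok() {
    u="$1"
    id -u "$u" >/dev/null 2>&1 || return 1
    [ "$(id -g "$u")" != "$(id -g)" ] || return 1
    return 0
}

# launch: verify the setup, then run the browser as the dedicated user.
launch() {
    separate_user_ok "$FF_USER" || {
        echo "ff-secure: dedicated user '$FF_USER' missing or not separate" >&2
        return 1
    }
    share_dir_ok "$SHARE_DIR" "$SHARE_GROUP" || {
        echo "ff-secure: '$SHARE_DIR' must be mode 2770, group '$SHARE_GROUP'" >&2
        return 1
    }
    # Let the separate account talk to the desktop user's X display, then
    # drop into it with a fresh HOME so none of the caller's dotfiles leak.
    xhost "+SI:localuser:$FF_USER" >/dev/null 2>&1 || return 1
    exec sudo -u "$FF_USER" -H env DISPLAY="$DISPLAY" firefox "$@"
}

# Only launch when invoked as the ff-secure command, so the functions can
# also be sourced and exercised on their own.
case "$0" in
    */ff-secure|ff-secure) launch "$@" ;;
esac
```

Install the script as `ff-secure`, create the account and group (`adduser --system ffuser`, `addgroup ffshare`, both users in the group) and `chmod 2770 /srv/ffshare`; the launcher then fails closed if anyone later loosens the directory or deletes the account. Note that this is only the interim measure the thread discusses: it limits what a compromised browser can read, not what a local kernel privilege escalation could reach, which is why the reply above still wants MAC confinement on top.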