You've got to be kidding. `Lets trust a website to not be hijacked and give
us a list of no insecure modules at runtime...' .. best case.
And what about running it offline?
This is not about having a program disable bad pieces on its own honor.
This is about making things secure by default, and allowing worst case
scenarios of an unprivileged user which has no permissions in a chroot jail
have a look around an empty directory structure.
Ever hear of privilege separation?
See Xorg, bgpd, dhclient, sshd, ospfd, syslogd, httpd, isakmpd, named,
xconsole, pflogd, ftpd, and I'm sure others I've missed that ship by default
privilege separated, where a very small set of code does very well defined
actions as root, and then lets a forked (different process/signal/etc space)
child that is chroot'ed and unprivileged do any `complicated' and `unverified'
behavior. Oh, and lets not forget tcpdump which under OpenBSD no longer runs
as root during its packet inspection routines...
A few examples:
todd@blue/pd 636$ ps auwx | egrep "syslog[d]|pflog[d]|X[o]rg|xc[o]nsole|is[a]kmpd|n[a]med|d[h]client"
root 13277 0.0 0.1 136 496 ?? Is 10:17PM 0:00.01 syslogd: [priv] (syslogd)
_syslogd 5537 0.0 0.1 164 508 ?? S 10:17PM 0:00.15 syslogd -a /var/empty/dev/log
root 12984 0.0 0.0 384 336 ?? Is 10:17PM 0:00.00 pflogd: [priv] (pflogd)
_pflogd 6653 0.0 0.0 440 248 ?? S 10:17PM 0:00.40 pflogd: [running] -s 116 -f /var/log/pflog (pflogd)
root 16479 0.0 0.1 1500 384 ?? I 10:18PM 0:00.00 X: [priv] (Xorg)
root 5061 0.0 0.1 104 616 ?? I 10:18PM 0:00.00 xconsole: [priv] (xconsole)
_x11 18458 0.0 0.2 288 1868 ?? I 10:18PM 0:00.03 xconsole
_dhcp 31134 0.0 0.0 436 168 ?? Is 10:35PM 0:00.00 dhclient: bce0 (dhclient)
root 21213 0.0 0.0 996 308 ?? Is 10:42PM 0:00.01 isakmpd: monitor [priv] (isakmpd)
_isakmpd 29984 0.0 0.4 2960 2816 ?? S 10:42PM 0:01.43 /sbin/isakmpd
root 5179 0.0 0.1 1220 568 ?? Is 10:43PM 0:00.00 named: [priv] (named)
named 20524 0.0 0.5 3012 3548 ?? I 10:43PM 0:01.57 /usr/sbin/named
root 11645 0.0 0.0 392 224 C1 I 10:35PM 0:00.00 dhclient: bce0 [priv] (dhclient)
todd@blue/pd 637$
Perhaps you'll note the unprivileged children run with userids OpenBSD assigns
as starting with an underscore. This makes the list of programs easy to
determine:
todd@blue/pd 637$ egrep "^_" /etc/passwd
_portmap:*:28:28:portmap:/var/empty:/sbin/nologin
_identd:*:29:29:identd:/var/empty:/sbin/nologin
_rstatd:*:30:30:rpc.rstatd:/var/empty:/sbin/nologin
_rusersd:*:32:32:rpc.rusersd:/var/empty:/sbin/nologin
_fingerd:*:33:33:fingerd:/var/empty:/sbin/nologin
_x11:*:35:35:X Server:/var/empty:/sbin/nologin
_kdc:*:59:59:Kerberos Server:/var/empty:/sbin/nologin
_kadmin:*:60:60:Kerberos Admin Server:/var/empty:/sbin/nologin
_spamd:*:62:62:Spam Daemon:/var/empty:/sbin/nologin
_isakmpd:*:68:68:isakmpd privsep:/var/empty:/sbin/nologin
_syslogd:*:73:73:Syslog Daemon:/var/empty:/sbin/nologin
_pflogd:*:74:74:pflogd privsep:/var/empty:/sbin/nologin
_bgpd:*:75:75:BGP Daemon:/var/empty:/sbin/nologin
_tcpdump:*:76:76:tcpdump privsep:/var/empty:/sbin/nologin
_dhcp:*:77:77:DHCP programs:/var/empty:/sbin/nologin
_mopd:*:78:78:MOP Daemon:/var/empty:/sbin/nologin
_tftpd:*:79:79:TFTP Daemon:/var/empty:/sbin/nologin
_rbootd:*:80:80:rbootd Daemon:/var/empty:/sbin/nologin
_afs:*:81:81:afs Daemon:/var/empty:/sbin/nologin
_ppp:*:82:82:PPP utilities:/var/empty:/sbin/nologin
_ntp:*:83:83:NTP Daemon:/var/empty:/sbin/nologin
_cvsd:*:104:104:CVS Daemon:/var/empty:/sbin/nologin
_spamdaemon:*:506:506::/nonexistent/_spamdaemon:/usr/bin/false
_ftp:*:84:84:FTP Daemon:/var/empty:/sbin/nologin
_postgresql:*:503:503:PostgreSQL Manager:/var/postgresql:/bin/sh
_dovecot:*:518:518:Dovecot Account:/nonexistent:/sbin/nologin
_privoxy:*:516:516:Privoxy Account:/nonexistent:/sbin/nologin
todd@blue/pd 638$
(and yes, we do allocate users for ports packages as well).
If you dare to implement such a thing in ethereal, you might find that bsd
people are more acceptive of software that at least doesn't run
bad-track-record code as root. Of course, this does not exclude the
need for working on issues if found to be exploitable time after time
either...
My personal $.02 ...
--
Todd Fries .. todd@xxxxxxxxx
_____________________________________________
| \ 1.636.410.0632 (voice)
| Free Daemon Consulting, LLC \ 1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com \ 1.866.792.3418 (FAX)
| "..in support of free software solutions." \ 1.700.227.9094 (IAXTEL)
| \ 250797 (FWD)
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
37E7 D3EB 74D0 8D66 A68D B866 0326 204E 3F42 004A
http://todd.fries.net/pgp.txt
Penned by Stephen Samuel (leave the email alone) on Fri, Feb 11, 2005 at 05:55:51PM -0800, we have:
| It sounds like a good idea, although it should always be optional
| ( I.E. 'Just this once, | Always | Always Ask Me | Never' )
|
| Given how ethereal is used, you can't always trust the network
| you're on to be usable (or even trusted).
|
| I'm guessing that you'd also have to have/add versioning to the
| data stored about dissectors.
|
| Gerald Combs wrote:
| > We can currently keep global and per-user lists of disabled protocols.
| > Could we use that as a basis for {en|dis}abling protocols according to
| > their level of trust?
| >
| > Also, would it be helpful to have Ethereal fetch a list of known bad
| > dissectors via the web at startup and give the user the option of
| > disabling them, similar to the security check Firefox performs at startup?
| >
| > Gilbert Ramirez wrote:
| >
| >>No, not defeatist, just realist, considering the current method of
| >>Ethereal development. But when I wrote that I didn't realize that the
| >>suggestion was a formal code auditing procedure. I agree; with that in
| >>effect, the categories would be "audited" and "not-yet-audited", which
| >>is more useful.
|
|
| --
| Stephen Samuel +1(604)876-0426 samnospam@xxxxxxxxxxx
| http://www.bcgreen.com/
| Powerful committed communication. Transformation touching
| the jewel within each person and bringing it to light.
|
