On Mon, Oct 21, 2013 at 9:59 PM, Dave Taht <[email protected]> wrote: > > One of my big bugaboos is privilege separation. The squashfs filesystem > supports nothing more than uid 0, and most processes run as root, which > is just pain wrong... I'd like the front end web server to be running > as a very restricted user in particular and using fastcgi to be talking > to the config....
Hmm, interesting. So this is why using su -c to run a service as another user has permission issues. I assume sudo -u still retains some root privledges, which is why it works. (Ran into this issue when configuring my IRC bouncer, Miau) With such limited space on the flash, I understand the reasoning for using squashfs. Not sure of any alternatives. Although there is the possibility of chainloading a distribution off USB stick. There's a debian-mips guide for doing that here: ( https://wiki.debian.org/InstallingDebianOn/D-Link/DIR-825 ) though the complexity involved in doing something similar with openwrt/cerowrt would be extensive. > > DNSCrypt-proxy[...] > > I can make it available as an optional package in ceropackages. patches > gladly accepted. That would be great! I still can't figure out how to get the imagebuilder or SDK working, but perhaps I'll give it another try sometime. Openwrt is still a bit foreign to me since I used to work on tomato-based forks. The wiki documentation on openwrt and cerowrt are both very old and seem assume a certain level of prior-knowledge to the inner workings of the distribution. > > sysctl.conf network hardening: > > > > source address verification to protect against IP spoofing > > net.ipv4.conf.default.rp_filter=1 > > net.ipv4.conf.all.rp_filter=1 > I was actually under the impression these two were set by default these days. I only mentioned the ones I saw that weren't enabled by default in cerowrt, and this is not (on 3.7.5). > > IPv6 Privacy Extensions (RFC 4941) ( http://tools.ietf.org/html/rfc4941 ) > > net.ipv6.conf.all.use_tempaddr = 2 > > net.ipv6.conf.default.use_tempaddr = 2 > It makes me nervous to think my core dns server is going to hang > off some dns address I can't remember either. Yeah I was wondering if some random address might screw that up. >> Symlink Protection: >> fs.protected_hardlinks = 1 >> fs.protected_symlinks = 1 > > Well I'm not sure if this is a real problem or not. I'd certainly like a > security minded individual to try out the attacks outlined here: > > http://securityevaluators.com/content/case-studies/routers/soho_service_hacks.jsp > > The successful ones were mostly an exploit via symlink against samba. > Interesting read. Seems like a lot of those were samba and improper file permissions (which a better filesystem than squashfs might help solve?) _______________________________________________ Cerowrt-devel mailing list [email protected] https://lists.bufferbloat.net/listinfo/cerowrt-devel
