On Tue, 12 Feb 2019 at 22:13, Derek Martin <c...@pizzashack.org> wrote:

> On Fri, Feb 08, 2019 at 09:42:32AM +0000, Nick Cleaton wrote:
>
> > If the attacker is able to execute arbitrary system code, then they're
> > already past the wall that this thing is intended to strengthen.
>
> Sure, but what I'm trying to point out is that there may be a variety
> of ways that could happen that you're not thinking of, and that some
> folks may imagine uses for this that you haven't, but which won't
> actually be workable, but that won't stop them from blaming you (and
> expecting you to do something about it).
>

That's a very good point, I need to be more clear in the docs about what
this thing isn't trying to be.

> How do you imagine this filter program will be executed?


There are a few ways. For example, if you're setting up sudo to allow an
unprivileged user to run the frob command as root, and you don't expect
frob to execute anything else or write any files outside /var/spool/frob or
read any files outside /usr, you might set up a jailed-frob script
something like:

#!/bin/sh
exec nsjail -Mo -R /usr -W /var/spool/frob \
    libcallfilt denyexec /usr/bin/frob -- "$@"

... and allow users to run that via the sudoers file. So now you're
protected against frob being tricked into reading or writing the wrong
parts of the filesystem, or being tricked into running other commands. You
can (and should) also limit the system calls available to frob via nsjail's
seccomp support, but blocking execve() at the system call level is
problematic because nsjail itself needs to call execve() after setting up
the seccomp filters.

Something like rssh that gets installed as the user's shell or something
that gets installed as an ssh forced command and parses
SSH_ORIGINAL_COMMAND (such as rsync's rrsync script) could use it
similarly. I don't think rssh in its current form can be used with it,
because as far as I can see there's no way to configure the path to the
scp/rsync/etc programs that rssh will invoke.
_______________________________________________
rssh-discuss mailing list
rssh-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rssh-discuss
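As an added illustration of the libc-level filtering the reply above leans on (it assumes libcallfilt's denyexec works by interposing libc's exec wrappers, which the message itself does not spell out), here is a minimal LD_PRELOAD shim that refuses the exec family; this is example code, not libcallfilt's own source, and frob is the placeholder command from the message.

```c
/* denyexec.c: LD_PRELOAD shim refusing the libc exec() family and system().
 * Added illustration of libc-level call filtering; NOT libcallfilt's source.
 * Build: gcc -shared -fPIC -o denyexec.so denyexec.c
 * Use:   LD_PRELOAD=./denyexec.so /usr/bin/frob ...
 * Limit: only calls routed through libc's exported wrappers are caught.
 * A statically linked binary, or code issuing the raw execve syscall itself,
 * is not; that is the "already past the wall" case discussed in the thread. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Log the refusal with write(2) only (no stdio, no malloc), so it is safe
 * even inside a freshly fork()ed child. Fail like a permission error. */
static int deny(const char *func, const char *target)
{
    static const char pre[] = "denyexec: refused ";
    write(STDERR_FILENO, pre, sizeof pre - 1);
    write(STDERR_FILENO, func, strlen(func));
    write(STDERR_FILENO, "(", 1);
    if (target) write(STDERR_FILENO, target, strlen(target));
    write(STDERR_FILENO, ")\n", 2);
    errno = EACCES;
    return -1;
}

int execve(const char *p, char *const a[], char *const e[])
{ (void)a; (void)e; return deny("execve", p); }
int execv(const char *p, char *const a[])
{ (void)a; return deny("execv", p); }
int execvp(const char *f, char *const a[])
{ (void)a; return deny("execvp", f); }
int execvpe(const char *f, char *const a[], char *const e[])
{ (void)a; (void)e; return deny("execvpe", f); }
int fexecve(int fd, char *const a[], char *const e[])
{ (void)fd; (void)a; (void)e; return deny("fexecve", "<fd>"); }
/* Variadic forms: no need to walk the argument list, refuse outright. */
int execl(const char *p, const char *arg, ...)  { (void)arg; return deny("execl", p); }
int execlp(const char *f, const char *arg, ...) { (void)arg; return deny("execlp", f); }
int execle(const char *p, const char *arg, ...) { (void)arg; return deny("execle", p); }
/* system() reaches the syscall inside glibc rather than through the exported
 * execve symbol, so it needs its own wrapper; popen() and posix_spawn()
 * need the same treatment and are omitted here for brevity. */
int system(const char *cmd) { return deny("system", cmd); }
```

Because this hooks libc rather than the execve syscall, it does not interfere with nsjail's own execve of the target, which is the problem the message raises for a seccomp-level block.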