OpenBSD security could be tightened up easily

dfeustel
OpenBSD's handling of file permissions needs work.

Good security practice requires that root's default permission
set by umask should be 077. But setting root's umask to this
value breaks the package install mechanism since all files
installed by root with umask 077 are unavailable to users.

Also, all x11 and kde sockets are created with permissions up to and
including 777 that can be restricted with no loss of functionality. I now
routinely chmod all sockets in /tmp and $TMPDIR to 600 immediately
upon starting up kde and have seen no errors generated by this.

The problem with insecure [tp]ty allocation in kde is still not fixed
as far as I know, although I see a new kdelibs in errata.
(this problem occurs only in OpenBSD so far as I know),

It might also be a good idea to run pf by default with the
rule "block all in" to prevent intruders taking advantage of undiagnosed
security problems in kde or x11.  ALL of my strange problems with kde
have ceased since I started running pf with this rule.

Having said this, I would like to add that OpenBSD looks better
than ever to me now and I recommend it highly to people I talk to.
OpenBSD is the Rock upon which I build everything else.

Dave Feustel
--
Lose, v., experience a loss, get rid of, "lose the weight"
Loose, adj., not tight, let go, free, "loose clothing"
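
Added example (not part of the thread): a small audit of the socket permissions under discussion, listing Unix-domain sockets in a directory whose mode grants group or other access. The directory and socket names are constructed for the demonstration, and it assumes the platform applies the umask to `bind()` when creating the socket file.

```python
import os
import socket
import stat
import tempfile


def bind_socket(path, umask):
    """Bind a Unix-domain socket at `path` while `umask` is in effect."""
    old = os.umask(umask)
    try:
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(path)  # socket file is created with mode 0777 & ~umask
        return s
    finally:
        os.umask(old)  # always restore the caller's umask


def audit_sockets(directory):
    """Return {name: octal mode} for sockets with group/other permission bits."""
    findings = {}
    for entry in os.scandir(directory):
        st = entry.stat(follow_symlinks=False)
        if not stat.S_ISSOCK(st.st_mode):
            continue  # regular files, directories, etc. are out of scope
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings[entry.name] = format(mode, "03o")
    return findings


def demo():
    """Create constructed sample sockets in a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as d:
        a = bind_socket(os.path.join(d, "open.sock"), 0o000)     # -> 777
        b = bind_socket(os.path.join(d, "private.sock"), 0o077)  # -> 700
        with open(os.path.join(d, "plain.txt"), "w"):
            pass  # non-socket file, must be ignored by the audit
        try:
            return audit_sockets(d)
        finally:
            a.close()
            b.close()


if __name__ == "__main__":
    for name, mode in demo().items():
        print(f"{name}: mode {mode} grants group/other access")
```

The mode bits only show who may open the socket; whether the service behind it authenticates what is written to it is a separate question.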


Re: OpenBSD security could be tightened up easily

Ted Unangst-2
On 2/5/06, Dave Feustel <[hidden email]> wrote:
> Also, all x11 and kde sockets are created with permissions up to and
> including 777 that can be restricted with no loss of functionality. I now

and how are other users going to connect to the socket then?


Re: OpenBSD security could be tightened up easily

dfeustel
On Tuesday 07 February 2006 13:16, Ted Unangst wrote:
> On 2/5/06, Dave Feustel <[hidden email]> wrote:
> > Also, all x11 and kde sockets are created with permissions up to and
> > including 777 that can be restricted with no loss of functionality. I now
>
> and how are other users going to connect to the socket then?
>
Since all six x11/kde sockets that I chmod to 600 have me as the owner,
I assume that no one else should be connecting to those sockets.
--
Lose, v., experience a loss, get rid of, "lose the weight"
Loose, adj., not tight, let go, free, "loose clothing"


Re: OpenBSD security could be tightened up easily

Matthew Weigel
Dave Feustel wrote:

> Since all six x11/kde sockets that I chmod to 600 have me as the owner,
> I assume that no one else should be connecting to those sockets.

Since you didn't get it before, I'm doubtful that you'll get it now...
but X has an authentication mechanism for *things written to the socket*
so that being able to write to the socket is not, by itself, a
security problem.

It's in the same ballpark, in terms of risk, with anyone being able to
connect to your sshd's TCP/IP socket and write data to it, except they
have to already have access to your filesystem.
--
  Matthew Weigel
  hacker
  [hidden email]


Re: OpenBSD security could be tightened up easily

Ted Unangst-2
In reply to this post by dfeustel
On 2/7/06, Dave Feustel <[hidden email]> wrote:

> Since all six x11/kde sockets that I chmod to 600 have me as the owner,
> I assume that no one else should be connecting to those sockets.

that's not true in general.


Re: OpenBSD security could be tightened up easily

Otto Moerbeek
In reply to this post by dfeustel
On Tue, 7 Feb 2006, Dave Feustel wrote:

> On Tuesday 07 February 2006 13:16, Ted Unangst wrote:
> > On 2/5/06, Dave Feustel <[hidden email]> wrote:
> > > Also, all x11 and kde sockets are created with permissions up to and
> > > including 777 that can be restricted with no loss of functionality. I now
> >
> > and how are other users going to connect to the socket then?
> >
> Since all six x11/kde sockets that I chmod to 600 have me as the owner,
> I assume that no one else should be connecting to those sockets.

Could you please stop beating this horse. Once again you show that
you do not understand the so-called problem.

        -Otto


Re: OpenBSD security could be tightened up easily

dfeustel
Just for reference, here is the original post in this thread,
which for some reason, I do not find in the reverse misc archive.
-------------------------------------------------------------------
OpenBSD security could be tightened up easily
 Date: 2006-02-05 08:09
 From: Dave Feustel <[hidden email]>
 To: misc@
 
OpenBSD's handling of file permissions needs work.

Good security practice requires that root's default permission
set by umask should be 077. But setting root's umask to this
value breaks the package install mechanism since all files
installed by root with umask 077 are unavailable to users.

Also, all x11 and kde sockets are created with permissions up to and
including 777 that can be restricted with no loss of functionality. I now
routinely chmod all sockets in /tmp and $TMPDIR to 600 immediately
upon starting up kde and have seen no errors generated by this.

The problem with insecure [tp]ty allocation in kde is still not fixed
as far as I know, although I see a new kdelibs in errata.
(this problem occurs only in OpenBSD so far as I know),

It might also be a good idea to run pf by default with the
rule "block all in" to prevent intruders taking advantage of undiagnosed
security problems in kde or x11.  ALL of my strange problems with kde
have ceased since I started running pf with this rule.

Having said this, I would like to add that OpenBSD looks better
than ever to me now and I recommend it highly to people I talk to.
OpenBSD is the Rock upon which I build everything else.

Dave Feustel


Re: OpenBSD security could be tightened up easily

chefren
In reply to this post by dfeustel
On 02/05/06 14:09, Dave Trollo Feustel wrote:

> It might also be a good idea to run pf by default with the
> rule "block all in" to prevent intruders taking advantage of undiagnosed
> security problems in kde or x11.  ALL of my strange problems with kde
> have ceased since I started running pf with this rule.

I strongly believe your "strange" problems were caused by the type of "good
security measures" you cluelessly propose now and then. That the "strange"
problems disappeared with pf on says nothing to me.

If you believe "OpenBSD security can be tightened up easily" you are definitely
trolling in the wrong church here, please use something else...

---chefren


Re: OpenBSD security could be tightened up easily

Craig McCormick
In reply to this post by dfeustel
Being a genuine novice wrt OpenBSD, I am not overly qualified to pass
judgement here. However, I read pretty much everything that is posted
to misc@ and have read every one of Dave's troll-like rants, for the
last couple of months. Sorry Dave, but from here you appear to be either
a troll, an M$ employee or even more of a novice than I.

I would like to offer you some genuine advice:
Go out and buy "Absolute OpenBSD: UNIX for the Practical Paranoid"
By Michael Lucas - ISBN: 1886411999
(if you don't already own it) and before you do anything else, read
chapter 1, particularly page 17.

I apologise if I cause offence by posting this, but it has been really
getting on my nerves.

Regards
Craig

On Sun, 2006-02-05 at 08:09 -0500, Dave Feustel wrote:

> OpenBSD's handling of file permissions needs work.
>
> Good security practice requires that root's default permission
> set by umask should be 077. But setting root's umask to this
> value breaks the package install mechanism since all files
> installed by root with umask 077 are unavailable to users.
>
> Also, all x11 and kde sockets are created with permissions up to and
> including 777 that can be restricted with no loss of functionality. I now
> routinely chmod all sockets in /tmp and $TMPDIR to 600 immediately
> upon starting up kde and have seen no errors generated by this.
>
> The problem with insecure [tp]ty allocation in kde is still not fixed
> as far as I know, although I see a new kdelibs in errata.
> (this problem occurs only in OpenBSD so far as I know),
>
> It might also be a good idea to run pf by default with the
> rule "block all in" to prevent intruders taking advantage of undiagnosed
> security problems in kde or x11.  ALL of my strange problems with kde
> have ceased since I started running pf with this rule.
>
> Having said this, I would like to add that OpenBSD looks better
> than ever to me now and I recommend it highly to people I talk to.
> OpenBSD is the Rock upon which I build everything else.
>
> Dave Feustel