Ethereal-dev: Re: Disector categories (Re: [Ethereal-dev] Priv sep in ethereal)

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Todd T. Fries" <todd@xxxxxxxxx>
Date: Sat, 12 Feb 2005 01:01:38 -0600
You've got to be kidding.  `Let's trust a website to not be hijacked and give
us a list of no insecure modules at runtime...'  .. best case.

And what about running it offline?

This is not about having a program disable bad pieces on its own honor.

This is about making things secure by default, and allowing worst-case
scenarios of an unprivileged user who has no permissions in a chroot jail
to have a look around an empty directory structure.

Ever hear of privilege separation?

See Xorg, bgpd, dhclient, sshd, ospfd, syslogd, httpd, isakmpd, named,
xconsole, pflogd, ftpd, and I'm sure others I've missed that ship by default
privilege separated, where a very small set of code does very well defined
actions as root, and then lets a forked (different process/signal/etc space)
child that is chroot'ed and unprivileged do any `complicated' and `unverified'
behavior.  Oh, and let's not forget tcpdump, which under OpenBSD no longer runs
as root during its packet inspection routines...

A few examples:

todd@blue/pd 636$ ps auwx | egrep "syslog[d]|pflog[d]|X[o]rg|xc[o]nsole|is[a]kmpd|n[a]med|d[h]client"
root     13277  0.0  0.1   136   496 ??  Is    10:17PM    0:00.01 syslogd: [priv] (syslogd)
_syslogd  5537  0.0  0.1   164   508 ??  S     10:17PM    0:00.15 syslogd -a /var/empty/dev/log
root     12984  0.0  0.0   384   336 ??  Is    10:17PM    0:00.00 pflogd: [priv] (pflogd)
_pflogd   6653  0.0  0.0   440   248 ??  S     10:17PM    0:00.40 pflogd: [running] -s 116 -f /var/log/pflog (pflogd)
root     16479  0.0  0.1  1500   384 ??  I     10:18PM    0:00.00 X: [priv] (Xorg)
root      5061  0.0  0.1   104   616 ??  I     10:18PM    0:00.00 xconsole: [priv] (xconsole)
_x11     18458  0.0  0.2   288  1868 ??  I     10:18PM    0:00.03 xconsole
_dhcp    31134  0.0  0.0   436   168 ??  Is    10:35PM    0:00.00 dhclient: bce0 (dhclient)
root     21213  0.0  0.0   996   308 ??  Is    10:42PM    0:00.01 isakmpd: monitor [priv] (isakmpd)
_isakmpd 29984  0.0  0.4  2960  2816 ??  S     10:42PM    0:01.43 /sbin/isakmpd
root      5179  0.0  0.1  1220   568 ??  Is    10:43PM    0:00.00 named: [priv] (named)
named    20524  0.0  0.5  3012  3548 ??  I     10:43PM    0:01.57 /usr/sbin/named
root     11645  0.0  0.0   392   224 C1  I     10:35PM    0:00.00 dhclient: bce0 [priv] (dhclient)
todd@blue/pd 637$ 

Perhaps you'll note the unprivileged children run with user IDs OpenBSD assigns
as starting with an underscore.  This makes the list of programs easy to
determine:

todd@blue/pd 637$ egrep "^_" /etc/passwd
_portmap:*:28:28:portmap:/var/empty:/sbin/nologin
_identd:*:29:29:identd:/var/empty:/sbin/nologin
_rstatd:*:30:30:rpc.rstatd:/var/empty:/sbin/nologin
_rusersd:*:32:32:rpc.rusersd:/var/empty:/sbin/nologin
_fingerd:*:33:33:fingerd:/var/empty:/sbin/nologin
_x11:*:35:35:X Server:/var/empty:/sbin/nologin
_kdc:*:59:59:Kerberos Server:/var/empty:/sbin/nologin
_kadmin:*:60:60:Kerberos Admin Server:/var/empty:/sbin/nologin
_spamd:*:62:62:Spam Daemon:/var/empty:/sbin/nologin
_isakmpd:*:68:68:isakmpd privsep:/var/empty:/sbin/nologin
_syslogd:*:73:73:Syslog Daemon:/var/empty:/sbin/nologin
_pflogd:*:74:74:pflogd privsep:/var/empty:/sbin/nologin
_bgpd:*:75:75:BGP Daemon:/var/empty:/sbin/nologin
_tcpdump:*:76:76:tcpdump privsep:/var/empty:/sbin/nologin
_dhcp:*:77:77:DHCP programs:/var/empty:/sbin/nologin
_mopd:*:78:78:MOP Daemon:/var/empty:/sbin/nologin
_tftpd:*:79:79:TFTP Daemon:/var/empty:/sbin/nologin
_rbootd:*:80:80:rbootd Daemon:/var/empty:/sbin/nologin
_afs:*:81:81:afs Daemon:/var/empty:/sbin/nologin
_ppp:*:82:82:PPP utilities:/var/empty:/sbin/nologin
_ntp:*:83:83:NTP Daemon:/var/empty:/sbin/nologin
_cvsd:*:104:104:CVS Daemon:/var/empty:/sbin/nologin
_spamdaemon:*:506:506::/nonexistent/_spamdaemon:/usr/bin/false
_ftp:*:84:84:FTP Daemon:/var/empty:/sbin/nologin
_postgresql:*:503:503:PostgreSQL Manager:/var/postgresql:/bin/sh
_dovecot:*:518:518:Dovecot Account:/nonexistent:/sbin/nologin
_privoxy:*:516:516:Privoxy Account:/nonexistent:/sbin/nologin
todd@blue/pd 638$ 

(and yes, we do allocate users for ports packages as well).

If you dare to implement such a thing in ethereal, you might find that BSD
people are more accepting of software that at least doesn't run
bad-track-record code as root.  Of course, this does not exclude the
need for working on issues if found to be exploitable time after time
either...

My personal $.02 ...
-- 
Todd Fries .. todd@xxxxxxxxx

 _____________________________________________
|                                             \  1.636.410.0632 (voice)
| Free Daemon Consulting, LLC                 \  1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com             \  1.866.792.3418 (FAX)
| "..in support of free software solutions."  \  1.700.227.9094 (IAXTEL)
|                                             \          250797 (FWD)
 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
                                                 
              37E7 D3EB 74D0 8D66 A68D  B866 0326 204E 3F42 004A
                        http://todd.fries.net/pgp.txt

Penned by Stephen Samuel (leave the email alone) on Fri, Feb 11, 2005 at 05:55:51PM -0800, we have:
| It sounds like a good idea, although it should always be optional
| ( I.E. 'Just this once, | Always | Always Ask Me | Never' )
| 
| Given how ethereal is used, you can't always trust the network
| you're on to be usable (or even trusted).
| 
| I'm guessing that you'd also have to have/add versioning to the
| data stored about dissectors.
| 
| Gerald Combs wrote:
| > We can currently keep global and per-user lists of disabled protocols.
| > Could we use that as a basis for {en|dis}abling protocols according to
| > their level of trust?
| >
| > Also, would it be helpful to have Ethereal fetch a list of known bad
| > dissectors via the web at startup and give the user the option of
| > disabling them, similar to the security check Firefox performs at startup?
| >
| > Gilbert Ramirez wrote:
| >
| >>No, not defeatist, just realist, considering the current method of
| >>Ethereal development. But when I wrote that I didn't realize that the
| >>suggestion was a formal code auditing procedure. I agree; with that in
| >>effect, the categories would be "audited" and "not-yet-audited", which
| >>is more useful.
| 
| 
| -- 
| Stephen Samuel +1(604)876-0426             samnospam@xxxxxxxxxxx
| 		   http://www.bcgreen.com/
|    Powerful committed communication. Transformation touching
|      the jewel within each person and bringing it to light.
|
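The privilege-separation shape Todd describes above (a small root process doing well-defined work, a forked, chrooted, unprivileged child doing the "complicated" parsing) as an added C example. This is not code from the thread, from Ethereal, or from any OpenBSD daemon: the jail directory created with mkdtemp() under /tmp, the unprivileged uid/gid 65534, the socketpair message framing and the toy EtherType "dissector" are all assumptions made for the demo.

```c
/* Added example (not code from the thread, Ethereal or OpenBSD): the privsep
 * shape described above, in miniature.  The parent keeps root for one narrow
 * job (handing a captured frame to the worker; a real daemon would open the
 * capture device here).  The worker chroots into an empty directory, drops to
 * an unprivileged uid/gid, and only then runs the "complicated" dissector. */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <signal.h>
#include <stdint.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define ETH_HDR_LEN 14
#define PRIVSEP_MALFORMED    (-1)   /* dissector rejected the frame */
#define PRIVSEP_CHILD_FAILED (-2)   /* worker could not confine itself, crashed or vanished */
#define UNPRIV_UID 65534            /* assumed ("nobody"); OpenBSD uses a dedicated _user */
#define UNPRIV_GID 65534

/* Constructed sample: broadcast dst, made-up src, EtherType 0x0800 (IPv4). */
static const unsigned char SAMPLE_FRAME[ETH_HDR_LEN] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01, 0x08, 0x00 };

/* Toy dissector: EtherType of a frame, or PRIVSEP_MALFORMED if too short. */
int inspect_frame(const unsigned char *frame, size_t len)
{
    if (frame == NULL || len < ETH_HDR_LEN)
        return PRIVSEP_MALFORMED;
    return (frame[12] << 8) | frame[13];
}

/* Confine the calling process.  Order matters: chroot while still root, drop
 * groups, setgid before setuid, then prove the drop stuck (uid 0 unreachable). */
int confine_to_jail(const char *jail, uid_t uid, gid_t gid)
{
    if (chdir(jail) == -1 || chroot(jail) == -1 || chdir("/") == -1)
        return -1;
    if (setgroups(0, NULL) == -1 || setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    return (geteuid() == 0 || setuid(0) == 0) ? -1 : 0;
}

/* Read exactly n bytes; -1 on EOF or error (a dead worker shows up here). */
static int read_full(int fd, void *p, size_t n)
{
    for (size_t got = 0; got < n;) {
        ssize_t r = read(fd, (char *)p + got, n - got);
        if (r <= 0) return -1;
        got += (size_t)r;
    }
    return 0;
}

/* Worker: confine first, then take one length-prefixed frame, dissect it and
 * send back a 32-bit verdict.  Never returns to the parent's code. */
static void worker_main(int sock, const char *jail, int confine)
{
    unsigned char buf[2048];
    uint32_t len;
    int32_t verdict;
    if (confine && confine_to_jail(jail, UNPRIV_UID, UNPRIV_GID) == -1)
        _exit(2);                           /* refuse to parse anything as root */
    if (read_full(sock, &len, sizeof len) == -1 || len > sizeof buf ||
        read_full(sock, buf, len) == -1)
        _exit(3);
    verdict = inspect_frame(buf, len);
    if (write(sock, &verdict, sizeof verdict) != sizeof verdict)
        _exit(3);
    _exit(0);
}

/* Privileged side: make the empty jail, fork the worker, ship it the frame,
 * collect the verdict, clean up.  confine=0 runs unconfined so the demo works
 * without root; a real daemon would insist on confinement. */
int privsep_inspect(const unsigned char *frame, uint32_t len, int confine)
{
    char jail[] = "/tmp/privsep-jail-XXXXXX";  /* assumed jail location */
    int sv[2], status;
    int32_t verdict = PRIVSEP_CHILD_FAILED;
    pid_t pid;
    signal(SIGPIPE, SIG_IGN);               /* a dead worker must not kill the parent */
    if (mkdtemp(jail) == NULL)
        return PRIVSEP_CHILD_FAILED;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) {
        rmdir(jail);
        return PRIVSEP_CHILD_FAILED;
    }
    if ((pid = fork()) == 0) {
        close(sv[0]);
        worker_main(sv[1], jail, confine);
    }
    close(sv[1]);
    if (pid == -1 ||
        write(sv[0], &len, sizeof len) != sizeof len ||
        write(sv[0], frame, len) != (ssize_t)len ||
        read_full(sv[0], &verdict, sizeof verdict) == -1)
        verdict = PRIVSEP_CHILD_FAILED;     /* crash or refusal in the worker lands here */
    close(sv[0]);
    if (pid != -1)
        waitpid(pid, &status, 0);
    rmdir(jail);
    return verdict;
}
```

Run as root, `privsep_inspect(SAMPLE_FRAME, sizeof SAMPLE_FRAME, 1)` returns 0x0800 from a worker that is chrooted into an empty directory and running as uid 65534; run unprivileged, the worker refuses to parse and the parent gets PRIVSEP_CHILD_FAILED instead of a result. The same return value covers a worker that crashes mid-parse, which is the point of the split: a bug in the dissector costs one jailed child, not the root process.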