[email protected] wrote:
> no, this won't help you much against local users, [...]
Pavel Machek wrote:
>Hmm, I guess I'd love "it is useless on multiuser boxes" to become
>standard part of AA advertising.
That's not quite what david@ said. As I understand it, AppArmor is not
focused on preventing attacks by local users against other local users;
that's not the main problem it is trying to solve. Rather, its primary
purpose is to deal with attacks by remote bad guys against your network
servers. That is a laudable goal. Anything that helps reduce the impact
of remote exploits is bound to be useful, even if it doesn't do a darn
thing to stop local users from attacking each other.
This means that AppArmor could still be useful on multiuser boxes,
even if that utility is limited to defending (some) network daemons
against remote attack (or, more precisely, reducing the damage done by
a successful remote attack against a network daemon).
Hi!
(Please do not drop me from cc list when replying).
> > no, this won't help you much against local users, [...]
>
> Pavel Machek wrote:
> >Hmm, I guess I'd love "it is useless on multiuser boxes" to become
> >standard part of AA advertising.
>
> That's not quite what david@ said. As I understand it, AppArmor is not
> focused on preventing attacks by local users against other local users;
> that's not the main problem it is trying to solve. Rather, its primary
> purpose is to deal with attacks by remote bad guys against your network
> servers. That is a laudable goal.
It is also not going to prevent local users attacking network servers.
Local users can ln arbitrary files, and then play tricks with network
servers.
> This means that AppArmor could still be useful on multiuser boxes,
> even if that utility is limited to defending (some) network daemons
> against remote attack (or, more precisely, reducing the damage done by
> a successful remote attack against a network daemon).
Yes, if there's significantly more remote bad guys than local bad
guys, and if remote bad guys can't just get some local user first, AA
still has some value.
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
On Thu, 24 May 2007 14:47:27 -0000, Pavel Machek said:
> Yes, if there's significantly more remote bad guys than local bad
> guys, and if remote bad guys can't just get some local user first, AA
> still has some value.
Experience over on the Windows side of the fence indicates that "remote bad
guys get some local user first" is a *MAJOR* part of the current real-world
threat model - the vast majority of successful attacks on end-user boxes these
days start off with either "Get user to (click on link|open attachment)" or
"Subvert the path to a website (either by hacking the real site or hijacking
the DNS) and deliver a drive-by fruiting when the user visits the page".
On Fri, 1 Jun 2007, [email protected] wrote:
> On Thu, 24 May 2007 14:47:27 -0000, Pavel Machek said:
>> Yes, if there's significantly more remote bad guys than local bad
>> guys, and if remote bad guys can't just get some local user first, AA
>> still has some value.
>
> Experience over on the Windows side of the fence indicates that "remote bad
> guys get some local user first" is a *MAJOR* part of the current real-world
> threat model - the vast majority of successful attacks on end-user boxes these
> days start off with either "Get user to (click on link|open attachment)" or
> "Subvert the path to a website (either by hacking the real site or hijacking
> the DNS) and deliver a drive-by fruiting when the user visits the page".
and if your local non-root user can create a hard link to /etc/shadow and
access it they own your box anyway (they can just set the root password to
anything they want). since I don't hear about this happening there are
other restrictions that prevent this anyway.
everyone recognises that AA has limits, but the way people are
emphasising these acknowledged limits is beginning to sound a bit shrill.
David Lang
On Fri 2007-06-01 11:00:50, [email protected] wrote:
> On Fri, 1 Jun 2007, [email protected] wrote:
>
> >On Thu, 24 May 2007 14:47:27 -0000, Pavel Machek said:
> >>Yes, if there's significantly more remote bad guys than local bad
> >>guys, and if remote bad guys can't just get some local user first, AA
> >>still has some value.
> >
> >Experience over on the Windows side of the fence indicates that "remote bad
> >guys get some local user first" is a *MAJOR* part of the current real-world
> >threat model - the vast majority of successful attacks on end-user boxes
> >these
> >days start off with either "Get user to (click on link|open attachment)" or
> >"Subvert the path to a website (either by hacking the real site or
> >hijacking
> >the DNS) and deliver a drive-by fruiting when the user visits the page".
>
> and if your local non-root user can create a hard link to /etc/shadow and
> access it they own your box anyway (they can just set the root password to
> anything they want).
I think you need to look at how unix security works:
pavel@amd:/tmp$ ln /etc/shadow .
pavel@amd:/tmp$ cat shadow
cat: shadow: Permission denied
pavel@amd:/tmp$
Yes, regular users are permitted to hardlink shadow, no, it is not a
security hole, yes, it is a problem for AA.
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
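Pavel's terminal session shows the DAC decision being made on the inode, not the name. The script below is an added example, not part of the thread: on a constructed tree under a temporary directory (no real /etc/shadow is touched) it confirms that both names of a hard-linked file share inode, mode and owner, then contrasts that with a toy path-keyed rule lookup, an assumption standing in for a path-based MAC such as AppArmor, which answers differently for the two names of the same inode.

```python
"""Hard links: not a DAC hole, but a problem for path-based policy.

Added example, not from the thread. Everything runs on a constructed
file tree under a temporary directory.
"""
import os
import stat
import tempfile


def link_identity(src: str, dst: str) -> dict:
    """Hard-link src to dst and report what the two names share.

    DAC checks mode and owner on the inode, so these are identical for
    every name the inode has; only the name differs.
    """
    os.link(src, dst)
    a, b = os.stat(src), os.stat(dst)
    return {
        "same_inode": (a.st_dev, a.st_ino) == (b.st_dev, b.st_ino),
        "same_mode": stat.S_IMODE(a.st_mode) == stat.S_IMODE(b.st_mode),
        "same_owner": (a.st_uid, a.st_gid) == (b.st_uid, b.st_gid),
        "link_count": b.st_nlink,
    }


def path_rule_allows(policy: dict, path: str) -> bool:
    """Toy path-keyed lookup (an assumption, modelling a path-based MAC):
    the decision is made on the name, so a second name is a different key."""
    return policy.get(os.path.normpath(path), policy.get("*", False))


def demo() -> dict:
    """Build the constructed tree, link tmp/shadow to etc/shadow, compare."""
    root = tempfile.mkdtemp()
    etc, tmp = os.path.join(root, "etc"), os.path.join(root, "tmp")
    os.makedirs(etc)
    os.makedirs(tmp)
    shadow = os.path.join(etc, "shadow")
    with open(shadow, "w") as f:
        f.write("root:CONSTRUCTED-HASH:0:0:99999:7:::\n")  # constructed sample
    os.chmod(shadow, 0o600)                # DAC: owner-only, like /etc/shadow
    linked = os.path.join(tmp, "shadow")
    result = link_identity(shadow, linked)
    policy = {shadow: False, "*": True}    # deny the canonical name only
    result["rule_on_etc_path"] = path_rule_allows(policy, shadow)
    result["rule_on_tmp_path"] = path_rule_allows(policy, linked)
    return result
```

DAC gives the same answer for both names (the `Permission denied` Pavel shows comes from the inode's mode), while the path-keyed policy denies one name and permits the other, which is the gap the thread is describing.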