
June 9-10, 2000 JUS/K*BUG Seminars

Security Features in FreeBSD 4.0 M. Warner Losh Timing Solutions, Inc. FreeBSD Security Officer imp@FreeBSD.org http://www.freebsd.org/~imp/japan-00.ppt. June 9-10, 2000 JUS/K*BUG Seminars. Road Map to Talk. Introduction New technical features New organizational features


Presentation Transcript


  1. Security Features in FreeBSD 4.0 • M. Warner Losh • Timing Solutions, Inc. • FreeBSD Security Officer • imp@FreeBSD.org • http://www.freebsd.org/~imp/japan-00.ppt • June 9-10, 2000 JUS/K*BUG Seminars

  2. Road Map to Talk • Introduction • New technical features • New organizational features • A closer look at jail(8) • Q & A

  3. New Technical Features • Jail(8) and chroot(2) enhancements • OpenSSL and OpenSSH • Many vulnerabilities from “ports” corrected • IPv6 and IPSec added • Secure telnet using SRA • New resource limits created • Bug fixes: many DoS issues corrected • ipfilter and ipfw improvements

  4. New Organizational Details • Total system approach to security • Mr. Kris Kennaway now coordinates “ports” related security issues • Security advisories now issued for “ports” • FreeBSD system administrators members of security-officer ML • FreeBSD Auditing project • Security awareness activism

  5. A Closer Look at Jail(8) • Historical perspective • What is wrong with chroot? • What it adds over chroot(8) • How does jail(8) fix those problems? • A quick example • Where to find more information about jail(8)

  6. Historical Efforts • Chroot jails were constructed to help firewall systems. • Chroot was also used to segregate users from each other on highly secure machines • Chroot environments were used to allow multiple versions of software to run on the same machine unchanged

  7. Problems with chroot(8) • Can obtain or keep references outside of the chroot tree • Superuser still can do everything, including accessing the raw disk and mounting filesystems • Current directory doesn’t change, so it is easy to accidentally contaminate a chroot jail’s environment • Hard to make secure against root

  8. How is jail(2) Different than chroot(2)? • Chroot(2) only changes the root directory • Jail(2) does everything that chroot(2) does, as well as: • Changes directories to the root of the jail • Dilutes superuser abilities while in jail • Adds an IP address for use only by the jail • Restricts what jailed processes can see outside of the jail. • Jailed processes flagged as being in jail

  9. A quick example -- Setting up the tree

         D=/here/is/the/jail
         cd /usr/src
         make hierarchy DESTDIR=$D
         make obj
         make depend
         make all
         make install DESTDIR=$D
         cd etc
         make distribution DESTDIR=$D NO_MAKEDEV=yes
         cd $D/dev
         sh MAKEDEV jail
         cd $D
         ln -sf dev/null kernel

  10. An Example -- Configuration • Limit network services that listen on all ports: nfs, portmapper, inetd, sendmail, bind, etc. • Copy /stand/sysinstall to $D/stand/sysinstall • Start jail: jail $D my-jail-name 10.0.0.1 /bin/sh • Run /stand/sysinstall in jail to configure machine • Set up timezone, add accounts, disable network interfaces, etc. • Exit jail

  11. A quick example -- starting the jail • Add alias to network interface • Mount procfs in the jail’s /proc directory • Start jail: jail $D my-jail-name 10.0.0.1 /bin/sh /etc/rc & • Let the jail do its thing. • To make this permanent, you’ll need to write an rc.d script to accomplish this on startup.

  12. Problems with jail(8) • Not a complete virtual machine • Large overhead in chroot trees • No management facilities for jailed processes • Can be hard to set up • NFS can get confused in jailed systems

  13. Where can I find more about jail(8)? • Man pages: jail(2), jail(8) • /usr/share/doc/papers/jail.ps • http://people.freebsd.org/~imp/jail.html

  14. Questions and Answers • 42 • Warner Losh • Timing Solutions, Inc. • FreeBSD Security Officer • imp@FreeBSD.org
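
The start-up steps from slide 11 (alias, procfs, jail) gathered into one script of the kind that slide says is needed to make the jail permanent. This is an added example, not part of the original slides: the interface name fxp0, the /32 netmask, the DRY_RUN switch and the "start" argument are assumptions, while the path, jail name and address are the ones used on the slides.

```shell
#!/bin/sh
# Added example: start the jail from slides 10-11 at boot.
# Assumed, not from the slides: interface fxp0, /32 netmask, DRY_RUN switch.
JAIL_ROOT=${JAIL_ROOT:-/here/is/the/jail}   # $D on the slides
JAIL_NAME=${JAIL_NAME:-my-jail-name}
JAIL_IP=${JAIL_IP:-10.0.0.1}
JAIL_IF=${JAIL_IF:-fxp0}                    # hypothetical interface name
DRY_RUN=${DRY_RUN:-0}                       # 1 = print commands, change nothing

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Accept only a dotted quad, so the value cannot smuggle options or shell text.
valid_ip() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

jail_start() {
    valid_ip "$JAIL_IP" || { echo "bad jail IP: $JAIL_IP" >&2; return 1; }
    case "$JAIL_ROOT" in
        /*) ;;
        *) echo "jail root must be an absolute path" >&2; return 1 ;;
    esac
    if [ "$DRY_RUN" != 1 ] && [ ! -x "$JAIL_ROOT/bin/sh" ]; then
        echo "no installed tree under $JAIL_ROOT" >&2; return 1
    fi
    # Add the alias that only the jail will use.
    run ifconfig "$JAIL_IF" inet "$JAIL_IP" netmask 255.255.255.255 alias || return 1
    # Mount procfs in the jail's /proc directory.
    run mount -t procfs proc "$JAIL_ROOT/proc" || return 1
    # Start the jail; /etc/rc inside the tree brings up its services.
    if [ "$DRY_RUN" = 1 ]; then
        echo "jail $JAIL_ROOT $JAIL_NAME $JAIL_IP /bin/sh /etc/rc &"
    else
        jail "$JAIL_ROOT" "$JAIL_NAME" "$JAIL_IP" /bin/sh /etc/rc &
    fi
}

# Only act when called with "start" (assumed calling convention).
case "${1:-}" in start) jail_start ;; esac
```

Running it once with DRY_RUN=1 prints the three commands without touching the interface or mounts, which is a cheap check before wiring it into boot.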
