OpenBSD Journal

OpenBSD style systrace() sftp jail

Contributed by jose on from the enhanced-sftp-security dept.

rrm writes: "An OpenBSD systrace() style jail for sftp.

http://www.gtd5.net/public/projects/systrace_sftp_jail.tar.gz

I noticed this was lacking so I whipped it up.

Enjoy."



Comments
  1. By Anonymous Coward () on

  2. By mirabile () on

    possibly make it into src/etc/systrace/ ?

    Comments
    1. By Luiz Gustavo () on

      Several others could be there as well, but we should account for the fact that systrace policies tend to be very specific to certain scenarios.
      With care and further testing maybe we can make it worth.
      Plus it will help debug systrace more, with latest commits it became broken while interacting with tcpserver+publicfile.

  3. By schwack () on

    A few notes on this that I've observed today.

    On 3.4-stable, I had to add this to get the policy to work:

    native-fsread: filename eq "/usr/lib/libc.so.30.1" then permit
    native-fsread: filename eq "/usr/lib/libcrypto.so.10.0" then permit

    instead of .3

    The README instructs you to use the shell as /bin/stsftp. To be consistent that should really be /usr/local/bin/stsftp

    Also, for this to work, the policy in /etc/systrace has to be readable by the user.

    Comments
    1. By rrm () rrm@gtd5.net on http://www.gtd5.net

      I only run current. That's probably why you had problems with libraries.

    2. By Anonymous Coward () on

      >native-fsread: filename eq "/usr/lib/libc.so.30.1" then permit
      >native-fsread: filename eq "/usr/lib/libcrypto.so.10.0" then permit

      match "/usr/lib/libc*"

      Comments
      1. By rrm () rrm@gtd5.net on http://www.gtd5.net

        I'll give that a shot later today and see if it works, as I remember I was having problems with the match keyword, as in it wasn't matching on regex.

      2. By Alejandro Belluscio () baldusi@hotmail.com on mailto:baldusi@hotmail.com

        Which gives him access to:
        /usr/lib/libc.a
        /usr/lib/libc.so.29.0
        /usr/lib/libc_p.a
        /usr/lib/libc_pic.a
        /usr/lib/libcom_err.a
        /usr/lib/libcom_err_p.a
        /usr/lib/libcom_err_pic.a
        /usr/lib/libcompat.a
        /usr/lib/libcompat_p.a
        /usr/lib/libcrypto.a
        /usr/lib/libcrypto.so.9.0
        /usr/lib/libcrypto_p.a
        /usr/lib/libcrypto_pic.a
        /usr/lib/libcurses++.a
        /usr/lib/libcurses++.so.2.0
        /usr/lib/libcurses++_p.a
        /usr/lib/libcurses++_pic.a
        /usr/lib/libcurses.a
        /usr/lib/libcurses.so.9.0
        /usr/lib/libcurses_p.a
        /usr/lib/libcurses_pic.a

        In my 3.3-stable box.

        Comments
        1. By Anonymous Coward () on

          Holy Smokes!
          I felt owned for a second...

          Comments
          1. By rrm () rrm@gtd5.net on http://www.gtd5.net

            ok I made changes to the policy to allow different versions of required libraries, I put the globbing after the library name so it's more like:

            libc.so.*
            libcrypto.so.*

            seems to be working fine.
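The over-match Alejandro points out and the narrowed globs rrm settled on, as an added example that is not code from the thread or from rrm's jail tarball: it parses the `eq`/`match` rule forms used above and expands each against a constructed directory listing, so a glob that opens more than one library file is visible before the policy is deployed. It assumes systrace's `match` operator behaves like fnmatch(3), which Python's `fnmatch` stands in for here.

```python
"""Added example, not code from the thread or from rrm's jail tarball:
expand a systrace "filename eq/match ... then permit" rule against a
directory listing to spot over-broad globs.  Assumption: systrace's
match operator is fnmatch(3)-style, so Python's fnmatch stands in."""
import fnmatch
import re

# Constructed listing, trimmed from the 3.3-stable /usr/lib posted above.
USR_LIB = [
    "/usr/lib/libc.a", "/usr/lib/libc.so.29.0", "/usr/lib/libc_p.a",
    "/usr/lib/libc_pic.a", "/usr/lib/libcom_err.a", "/usr/lib/libcompat.a",
    "/usr/lib/libcrypto.a", "/usr/lib/libcrypto.so.9.0",
    "/usr/lib/libcrypto_pic.a", "/usr/lib/libcurses.a",
    "/usr/lib/libcurses.so.9.0", "/usr/lib/libcurses++.so.2.0",
]

# Only the two predicate forms used in the thread (eq / match) are handled.
RULE_RE = re.compile(r'^(?P<call>[\w-]+):\s*filename\s+(?P<op>eq|match)\s+'
                     r'"(?P<arg>[^"]*)"\s+then\s+(?P<action>\w+)$')

def parse_rule(line):
    """Split one 'native-fsread: filename <op> "..." then <action>' line."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported rule: %r" % line)
    return m.groupdict()

def files_granted(rule, listing):
    """Files in `listing` that a permit rule's predicate accepts."""
    if rule["action"] != "permit":
        return []
    if rule["op"] == "eq":
        return [f for f in listing if f == rule["arg"]]
    return [f for f in listing if fnmatch.fnmatchcase(f, rule["arg"])]

def audit(policy_text, listing):
    """Map each rule line to the files it opens; more than one hit per
    library rule is the over-match the thread ran into."""
    report = {}
    for line in policy_text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            report[line.strip()] = files_granted(parse_rule(line), listing)
    return report

# The glob suggested in the thread beside the narrowed form rrm settled on.
BROAD = 'native-fsread: filename match "/usr/lib/libc*" then permit'
NARROW = ('native-fsread: filename match "/usr/lib/libc.so.*" then permit\n'
          'native-fsread: filename match "/usr/lib/libcrypto.so.*" then permit')
```

Running `audit(BROAD, USR_LIB)` returns every file in the listing for the single broad rule, while `audit(NARROW, USR_LIB)` returns exactly one shared object per rule.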

  4. By Anonymous Coward () on

    quite off topic but that fbsd tcp bug doesn't it affect openbsd too?

    Comments
    1. By Anonymous Coward () on

      yar. fixed (in stable) on the 3rd, current was fixed before that, so update.

  5. By Anonymous Coward () on

    A few notes on this policy, since everyone else seems to think it provides some level of security:

    native-fcntl: permit
    ^ this allows you to kill any process

    native-fchdir: permit
    ^ this allows you to change to any directory that you were able to open

    native-mprotect: permit
    native-mmap: permit
    ^ these allow you to execute arbitrary code in the task

    scroll down further in the policy to see all the files you can access

    this demonstrates a fundamental flaw of systrace: it provides no granularity for system calls that take file descriptors as arguments.
