Re: users, "private" groups, and The Unix Way (was, Re: Is it me or is it sudo?)

On 04/03/2012 08:10 AM, Joel Rees wrote:
> On Tue, Apr 3, 2012 at 3:27 PM, Tim <ignored_mailbox@xxxxxxxxxxxx> wrote:
> s/some/a lot of/
> 
> if you set it up right.

It can still do a fair amount of nasty stuff.

> "xhost local:<subuser-id>; sudo -u <subuser-id>" does pretty well
> with current applications.

You're allowing the local sandbox user to connect to the local X
server so any process running in one of your sandboxes can start a
connection to X and start looking for vulnerabilities to exploit.

Due to the elevated privilege with which X runs this could include
privilege escalations. There have been vulnerabilities of this kind in
the past that allowed an attacker to quickly gain a root shell given
the ability to connect to the X server.

> Now, if I'm going to my bank site, I do log out and log in as a
> different user, just to be extra safe.

I think you'd be better off taking a look at Daniel Walsh's blog posts
on confining X applications with the SELinux sandbox. The first post
introduces and explains the general sandbox concept:

http://danwalsh.livejournal.com/28545.html

And the follow-up looks at extending this to untrusted X applications
using a temporary xguest account (with dynamic $HOME and $TMP) and the
Xephyr X-on-X server to provide much stronger separation between the
sandbox and the rest of the system:

http://danwalsh.livejournal.com/31146.html

Fedora already provides contexts to use with the sandbox such as
sandbox_x_t, sandbox_web_t, sandbox_net_t etc. depending on the
particular resources you want to allow the sandbox to access.

The post discusses future improvements to simplify retrieving files
from the sandbox when the application exits but I'm not sure of the
current status of that work.

Regards,
Bryn.
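
The check below is an added example, not part of the message above: it reads the access list that `xhost` prints and reports every entry that lets something other than the display owner connect, which is the exposure the reply describes for per-sandbox accounts. The account names `alice` and `sandbox1`, the sample output and the severity labels are constructed for illustration.

```shell
#!/bin/sh
# audit_xhost OWNER
# Reads `xhost` output on stdin and prints one finding per entry that
# lets anything other than OWNER connect to the X display.
# Real use:  xhost | audit_xhost "$(id -un)"
audit_xhost() {
    owner=$1
    while IFS= read -r line; do
        case $line in
            "access control disabled"*)
                echo "CRITICAL: access control disabled, any client can connect" ;;
            "access control enabled"*)
                ;;  # expected state, nothing to report
            LOCAL:*)
                # Result of `xhost +local:`: all non-network connections allowed.
                echo "HIGH: LOCAL: lets every local account connect" ;;
            SI:localuser:*)
                user=${line#SI:localuser:}
                # The owner's own entry is fine; any other account is flagged.
                [ "$user" = "$owner" ] ||
                    echo "HIGH: account '$user' can connect to the display" ;;
            INET:*|INET6:*)
                echo "HIGH: network host ${line#*:} can connect" ;;
            "")
                ;;  # ignore blank lines
            *)
                echo "INFO: unrecognised entry: $line" ;;
        esac
    done
}

# Constructed sample: the access list after a sandbox account and all
# local connections have been granted access (labels are this example's own).
sample_xhost_output() {
    cat <<'EOF'
access control enabled, only authorized clients can connect
LOCAL:
SI:localuser:alice
SI:localuser:sandbox1
EOF
}

sample_xhost_output | audit_xhost alice
```

An entry reported here can be revoked with `xhost -` followed by the entry as printed, for example `xhost -SI:localuser:sandbox1`.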