web browser suid [was Preemptive strategies]
jan.dvorak at sitronicsts.com
Wed Oct 1 00:23:47 PDT 2008
On Wednesday 01 October 2008 02:59:57 Robert Connolly wrote:
> would also need to run around finding copies of updated libraries and
> programs which are in different chroots, unless we use hardlinks.. but
> this is a problem with different mount points.
It is possible to write a FUSE file system for this, one that takes a file
with fnmatch() patterns and only exports matching paths. It would work
across mount points etc., but will be a bit slower, so you can only use
it for binaries and libraries. You can even make it a bit more
intelligent, and when the program has completely loaded, it can signal the
file system to shut down its access to some paths. Well, it would be fast
enough for a web browser and such. Apache would require `mount --bind` to
> I gotta say, running Lynx as a shared object while disallowing text
> relocations in the kernel,
It's not only text relocations, it's a completely NX heap.
> with aslr, compiled with stack protection,
> run time buffer checking, pointer checking with libmudflap, on a system
> that only allows users to run files owned by the admin, in an empty
> change-root jail possibly mounted as an encrypted loop offset, with a
> random key, to enforce storage use, all enforced by access controls,
> would be stunning.
Now we need some way to prevent the user from logging in to screw it all. :-)
> The same could be done with irc clients. The only
> way I can think of topping this is with my idea to setup a decoy
> system, with a plausibly deniable encrypted system in the decoy free
> space (aes converted to base64, so it doesn't make any sense if it's
> read raw).
I say, go for device-mapper and LVM, we can have much more fun that
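The path-filtering core of the FUSE idea above (a pattern file of fnmatch() entries, only matching paths exported, library access revoked once the program has loaded), as an added example that is not code from this thread or from HLFS. The pattern list is constructed for illustration; the function names, the three-way export decision and the revocation helper are assumptions of this example, not an existing interface. It shows the two details a filter file system must get right: FNM_PATHNAME so that `*` cannot cross a `/`, and exporting the parent directories of allowed files, because the kernel walks the path one component at a time and a hidden `/usr` hides everything beneath it.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample allowlist (illustrative, not from the thread): one
 * fnmatch(3) pattern per entry, the way a pattern file would list them. */
static const char *const patterns[] = {
    "/lib/ld-linux*.so.*",
    "/lib/libc.so.*",
    "/usr/lib/libncurses.so.*",
    "/usr/bin/lynx",
    "/etc/lynx.cfg",
};
#define NPATTERNS (sizeof patterns / sizeof patterns[0])

/* 1 once a pattern has been revoked after the program finished loading. */
static int revoked[NPATTERNS];

enum export { HIDE = 0, EXPORT_FILE = 1, EXPORT_DIR = 2 };

/* Does path match an active pattern? FNM_PATHNAME stops '*' from crossing
 * '/', so "/lib/libc.so.*" cannot match "/lib/libc.so.6/anything" and a
 * careless "/usr/*" would not expose "/usr/bin/passwd". */
int path_allowed(const char *path)
{
    for (size_t i = 0; i < NPATTERNS; i++)
        if (!revoked[i] && fnmatch(patterns[i], path, FNM_PATHNAME) == 0)
            return 1;
    return 0;
}

/* Is path a directory on the way to some active pattern? Every prefix of a
 * pattern that ends just before a '/' is itself matched with fnmatch(), so
 * wildcards inside directory components keep working. "/" is always a
 * directory of the exported tree. */
int path_is_ancestor_dir(const char *path)
{
    if (strcmp(path, "/") == 0)
        return 1;
    for (size_t i = 0; i < NPATTERNS; i++) {
        const char *p = patterns[i];
        char prefix[1024];
        if (revoked[i])
            continue;
        for (const char *s = strchr(p + 1, '/'); s; s = strchr(s + 1, '/')) {
            size_t n = (size_t)(s - p);
            if (n >= sizeof prefix)
                break;
            memcpy(prefix, p, n);
            prefix[n] = '\0';
            if (fnmatch(prefix, path, FNM_PATHNAME) == 0)
                return 1;
        }
    }
    return 0;
}

/* What the filter's getattr()/readdir() hooks would answer for a lookup:
 * export as a file, export as a (filtered) directory, or ENOENT. */
enum export export_decision(const char *path)
{
    if (path_allowed(path))
        return EXPORT_FILE;
    if (path_is_ancestor_dir(path))
        return EXPORT_DIR;
    return HIDE;
}

/* The "signal the file system once the program is loaded" step: disable
 * every allowlist entry matching the given pattern (matched without
 * FNM_PATHNAME so "*.so.*" covers the whole library set). Returns the
 * number of entries revoked. */
int revoke_matching(const char *pattern)
{
    int n = 0;
    for (size_t i = 0; i < NPATTERNS; i++)
        if (!revoked[i] && fnmatch(pattern, patterns[i], 0) == 0) {
            revoked[i] = 1;
            n++;
        }
    return n;
}

int main(void)
{
    static const char *const probes[] = {
        "/", "/usr/lib", "/usr/lib/libncurses.so.5", "/usr/bin/passwd",
        "/lib/modules", "/lib/libc.so.6",
    };
    static const char *const names[] = { "hide", "file", "dir" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-28s %s\n", probes[i], names[export_decision(probes[i])]);
    printf("revoked %d library patterns after load\n", revoke_matching("*.so.*"));
    printf("%-28s %s\n", "/lib/libc.so.6", names[export_decision("/lib/libc.so.6")]);
    return 0;
}
```

Once the library patterns are revoked, `/lib` itself stops being an ancestor of anything exported and disappears along with the files under it, which is the behaviour a real readdir() hook would need to mirror by filtering directory entries through the same decision.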