[BBLISA] Secure, authenticated file serving to untrusted clients

Dean Anderson dean at av8.com
Sat Apr 18 16:16:30 EDT 2009


On Fri, 17 Apr 2009, Sean OMeara wrote:

> Grsecurity is stack protection and selinux is nothing more than extra
> metadata in filesystem inodes.

Selinux is a bit more than that. Becoming root doesn't get all
privileges, or any privileges, actually.  Under Selinux, every process
has a security tuple that is used in conjunction with a security policy
to determine what files it can open, close, modify, execute, system
calls it can execute (e.g. network) etc.  It also determines privilege
transitions when a process is executed.  So root can't access
http files, but can start httpd process, which then gets the permissions
it needs to access files.  Selinux definitely has potential to slow down
a cracker---a little or a lot is hard to say. If the cracker gets kernel
loader privilege, like I said before, it's all over.  But a lot of people
hope that's enough. I do hope they're right, but frankly, I'm keeping
other plans.

> If you can establish a tcp connection to an NFS(v3) (and are in the
> acl list), there is NOTHING an NFS server can do to prevent you from
> accessing every file on the share. If you control every node on the
> network, you can attempt to secure the clients so users can't get root,
> but what about the scenario of a userspace NFS client pretending to be
> root?

NFSv3 uses UDP, and was designed to be a stateless protocol.  But the
server can also be configured to ignore root, or be read-only.  NFSv3 is
definitely 'cooperative' only.

> Your only option is to have a protocol in place where a user needs to
> authenticate themselves to the share, be it a kerberos ticket or a
> password (cifs, for example).

> I hear that NFSv4 offers authentication via kerberos but I'm not sure
> if it's at the host or user level.

That's correct.  With NIS+, both host and user credentials are required.  
I can't remember if NFSv4 alone requires a host credential.

		--Dean

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   
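
The export settings discussed in this thread (ignoring client root, read-only shares, Kerberos instead of client-asserted UIDs) can be checked mechanically. The following is an added example, not part of the original message: it assumes Linux exports(5) syntax and its defaults (ro, root_squash, sec=sys), and the paths and hosts in the sample are constructed.

```python
import re

# Constructed sample in Linux exports(5) syntax; paths and hosts are made up.
SAMPLE_EXPORTS = """\
# constructed example
/srv/pub      *(ro,root_squash)
/srv/home     192.0.2.0/24(rw,no_root_squash) trusted.example(rw,sec=krb5p)
/srv/scratch  192.0.2.7
"""

# One client entry: "host(opt,opt,...)" or a bare "host".
ENTRY = re.compile(r"^(?P<client>[^()]*)(?:\((?P<opts>[^()]*)\))?$")


def split_opts(s):
    return [o.strip() for o in (s or "").split(",") if o.strip()]


def audit_exports(text):
    """Return (path, client, flag) tuples for settings worth reviewing."""
    findings = []
    # A trailing backslash continues an export line onto the next one.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *entries = line.split()
        defaults = []
        for entry in entries:
            if entry.startswith("-"):      # "-opts" sets per-line defaults
                defaults = split_opts(entry[1:])
                continue
            m = ENTRY.match(entry)
            if not m:
                continue
            # Assumed exports(5) defaults: read-only, root squashed, AUTH_SYS.
            rw, squash_root, flavors = False, True, ["sys"]
            for o in defaults + split_opts(m["opts"]):   # later option wins
                if o in ("rw", "ro"):
                    rw = o == "rw"
                elif o in ("root_squash", "no_root_squash"):
                    squash_root = o == "root_squash"
                elif o.startswith("sec="):
                    flavors = o[4:].split(":")
            client = m["client"] or "*"
            if not squash_root:            # client uid 0 is root on the server
                findings.append((path, client, "no_root_squash"))
            if rw:
                findings.append((path, client, "rw"))
            if "sys" in flavors:           # server trusts the UID the client sends
                findings.append((path, client, "auth_sys"))
    return findings
```

An "auth_sys" flag on an export that already squashes root is the case raised in the quoted text: any other UID is still taken on the client's word.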




