A friend and I are having a rather long email discussion about security in Linux. He has raised some questions I don't know the answer to... maybe someone here on the list can help out. The discussion is centering around what happens if you are using Linux and someone sends you a malicious binary. If you save it to your /home/<user> and run it, not knowing it is something nasty, what can it do to your system? If you are running as <user> the worst I can imagine it could do is turf your files in /home/<user>. Is this possible assuming a compiled binary? If you can run application XYZ as <user> what is to stop that binary from running application XYZ as well (after you ran the binary and it is hovering in the background)? Can a program pretend to be <user> and execute applications as <user>? I am not talking about a simple text shell script that you can read... I am talking about a binary you cannot look at/into or see the source code.... essentially a Linux virus scenario. C.
On Monday 16 December 2002 16:24 pm, Clayton Cornell wrote:
A friend and I are having a rather long email discussion about security in Linux. He has raised some questions I don't know the answer to... maybe someone here on the list can help out.
The discussion is centering around what happens if you are using Linux and someone sends you a malicious binary. If you save it to your /home/<user> and run it, not knowing it is something nasty, what can it do to your system? If you are running as <user> the worst I can imagine it could do is turf your files in /home/<user>. Is this possible assuming a compiled binary?
If you are a TOTAL RAVING LOON ENOUGH TO RUN A BINARY just anyone sends you, then it could very easily do almost anything to your system including erase all the files or even clobber all your partitions. Point is: don't run things like that, and if you really, really want to, still don't do it... but then if someone points a gun to your head, run it as a simple user where the permissions should prevent it from doing much damage.
If you can run application XYZ as <user> what is to stop that binary from running application XYZ as well (after you ran the binary and it is hovering in the background)? Can a program pretend to be <user> and execute applications as <user>? I am not talking about a simple text shell script that you can read... I am talking about a binary you cannot look at/into or see the source code.... essentially a Linux virus scenario.
C.
If you're going to run binaries, anything is possible. The main thing about Linux is that it doesn't tend to run anything without someone actually giving a command to run it... as opposed to Winders, where things get run automatically by Outlook Express, or Excel, or any of the other goodies that Billy did so well at writing.... Macros, etc.. that are also hidden.
--
Bruce S. Marshall bmarsh@bmarsh.com Bellaire, MI 12/16/02 17:16
"Those of you who think you know everything are annoying those of us who do."
If you are a TOTAL RAVING LOON ENOUGH TO RUN A BINARY just anyone sends you, then it could very easily do almost anything to your system including erase all the files or even clobber all your partitions.
I agree, but the point is, when you run into the situation where you have a user who views his/her computer as an appliance (like a toaster) and doesn't have the knowledge (or aren't smart enough) about the effects of running just any binary... well you end up with the same situation in Linux as the world currently has with Windows.... 75% of the malicious code called virii is just plain user ignorance. I was wondering if that same thing could potentially happen in Linux with a less than smart user.
The main thing about Linux is that it doesn't tend to run anything without someone actually giving a command to run it... as opposed to Winders, where things get run automatically by Outlook Express, or Excel, or any of the other goodies that Billy did so well at writing.... Macros, etc.. that are also hidden.
This is what saves the dumb user in Linux.. no auto run scripts unless you make it autorun (eg crontab). Anyway Ole's comments about NSA Linux give me something I can go research.
C.
On Tuesday 17 December 2002 16:40, Clayton Cornell wrote:
If you are a TOTAL RAVING LOON ENOUGH TO RUN A BINARY just anyone sends you, then it could very easily do almost anything to your system including erase all the files or even clobber all your partitions.
Nope. Only if you are stupid enough to run it as root. If you are stupid enough to do this as root, you get what you deserve. This is similar to the evolution theory, survival of the fittest <grin>.
I agree, but the point is, when you run into the situation where you have a user who views his/her computer as an appliance (like a toaster) and doesn't have the knowledge (or aren't smart enough) about the effects of running just any binary... well you end up with the same situation in Linux as the world currently has with Windows.... 75% of the malicious code called virii is just plain user ignorance. I was wondering if that same thing could potentially happen in Linux with a less than smart user.
Nope. If the system administrator knows his job and relies on the *standard* unix protection, i.e. user-group-other, only the user files can be tampered with.
The main thing about Linux is that it doesn't tend to run anything without someone actually giving a command to run it... as opposed to Winders, where things get run automatically by Outlook Express, or Excel, or any of the other goodies that Billy did so well at writing.... Macros, etc.. that are also hidden.
Partly true. But if it runs anything, it runs it as the user. With modern unix systems which use KDE or GNOME, this is not true anymore. (I mean: automatic startup of programs when the window manager starts.)
This is what saves the dumb user in Linux.. no auto run scripts unless you make it autorun (eg crontab).
Nope. A user is never protected from its own stupidity. If a system doesn't allow you to do stupid things, it automatically disallows you to do smart things. The *system* is protected, never the user.
Anyway Ole's comments about NSA Linux give me something I can go research.
C.
Don't bother. Rely on the standard unix protection. It has been enough for over 30 years.
Regards,
Cees.
A user is never protected from its own stupidity. If a system doesn't allow you to do stupid things, it automatically disallows you to do smart things.
The *system* is protected, never the user.
I agree... in our (private) email discussion, I used an analogy to cars to try and point out the dumb user part of the equation....
<quote> Volvo is famous for making very safe cars. If you take a Volvo and smash it into a brick wall at 75km/h, do you have the right to claim that the car is no more safe than a Ford Pinto (famous for their exploding gas tanks in the 1970s) because you were injured in the crash? No, definitely not. But under normal conditions you can claim the Volvo is a more safe and robust car, and does more to protect the occupants in the event of an accident than a Ford Pinto could ever hope to do. </quote>
Anyway Ole's comments about NSA Linux give me something I can go research.
Don't bother. Rely on the standard unix protection. It has been enough for over 30 years.
This is more for my own information... and as part of the argument.... errr discussion I am having with my friend. It is not to actually do it on my own system... more to say "look, see it is possible to secure a Linux system much more so than is ever possible with a MS based OS."
C.
On Tuesday 17 December 2002 17:21, Clayton Cornell wrote:
A user is never protected from its own stupidity. If a system doesn't allow you to do stupid things, it automatically disallows you to do smart things.
The *system* is protected, never the user.
I agree... in our (private) email discussion, I used an analogy to cars to try and point out the dumb user part of the equation....
<quote> Volvo is famous for making very safe cars. If you take a Volvo and smash it into a brick wall at 75km/h, do you have the right to claim that the car is no more safe than a Ford Pinto (famous for their exploding gas tanks in the 1970s) because you were injured in the crash? No, definitely not. But under normal conditions you can claim the Volvo is a more safe and robust car, and does more to protect the occupants in the event of an accident than a Ford Pinto could ever hope to do. </quote>
Anyway Ole's comments about NSA Linux give me something I can go research.
Also take a look at: http://www.lids.org/ and http://lsm.immunix.org/.
Don't bother. Rely on the standard unix protection. It has been enough for over 30 years.
This is more for my own information... and as part of the argument.... errr discussion I am having with my friend. It is not to actually do it on my own system... more to say "look, see it is possible to secure a Linux system much more so than is ever possible with a MS based OS."
C.
I'm not an MS expert, just the opposite, but I expect it is possible to secure an NT system. Your whole discussion with your friend is void. The most secure system sits in a dark, locked room with armed guards on the outside, without any connection to the outside world, without keyboard or monitor, without any removable drives and preferably with the power switch in the off position. As you can imagine, it's quite hard to do anything useful with such a machine, but it does have optimum security.
Regards,
Cees.
On Tue, Dec 17, 2002 at 04:40:40PM +0100, Clayton Cornell wrote:
I agree, but the point is, when you run into the situation where you have a user who views his/her computer as an appliance (like a toaster) and doesn't have the knowledge (or aren't smart enough) about the effects of running just any binary... well you end up with the same situation in Linux as the world currently has with Windows.... 75% of the malicious code called virii is just plain user ignorance. I was wondering if that same thing could potentially happen in Linux with a less than smart user.
No, at least not in the same way. File access permissions make it more difficult for these things to work in a Linux/UNIX environment. As long as these things are not run as root, and there are no unpatched security holes in your system that the binary can exploit, then only the original user's files should be in danger.
Victor
On Mon, 16 Dec 2002, Clayton Cornell wrote:
A friend and I are having a rather long email discussion about security in Linux. He has raised some questions I don't know the answer to... maybe someone here on the list can help out.
The discussion is centering around what happens if you are using Linux and someone sends you a malicious binary. If you save it to your /home/<user> and run it, not knowing it is something nasty, what can it do to your system? If you are running as <user> the worst I can imagine it could do is turf your files in /home/<user>. Is this possible assuming a compiled binary?
Under normal circumstances, yes, and yes. The program will normally only be able to squash all your user's files. However, if your user is a member of the disk group, that user actually has write access to the hard disk and all partitions on it, so a malicious program could destroy any data (or transmit it to third parties over the net.)
If you can run application XYZ as <user> what is to stop that binary from running application XYZ as well (after you ran the binary and it is hovering in the background)? Can a program pretend to be <user> and execute applications as <user>?
Since <user> runs the program, it does not pretend to be <user> - it IS <user>!
I am not talking about a simple text shell script that you can read... I am talking about a binary you cannot look at/into or see the source code.... essentially a Linux virus scenario.
What you are talking about here is not really a virus but a trojan, but I am nitpicking now.
The rest of this message may be inaccurate. It is based on my memory of an article I read a year or so ago.
One possible answer to your question is the NSA version of the Linux kernel. With NSA Linux, permissions are controlled in much higher detail. A specific program can have "negative permissions" for files.
Let's take Mozilla as an example. I only use Mozilla for browsing the net and downloading files once in a while, so I give it read/write permission on my download directory and /home/user/.mozilla and whatever other places it needs to function as a browser. I give it negative permissions everywhere else.
Now, when I as a user start a program, the kernel takes the most restrictive combination of my own permissions and those of the program, and that defines what the program can do. Those restrictions are inherited if the program starts other programs, and if those programs have further restrictions, they will also be applied. So, when I start Mozilla, it will not be able to read my personal documents in my home directory.
In this case, you could set exactly what you want the program to be able to destroy before you risk running it.
Regards
Ole
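The permission composition Ole describes (a program's policy intersected with the user's rights, inherited and only ever tightened down a chain of started programs) can be modelled in a few dozen lines. This is an added illustration, not code from the thread and not SELinux's real policy language; the home directory, the program policies and the file paths are constructed samples.

```python
"""Toy model of 'most restrictive combination' permission composition.
Added example: all paths, programs and policies are constructed samples,
not real SELinux policy."""
from dataclasses import dataclass

READ, WRITE = "read", "write"
HOME = "/home/user"  # constructed sample home directory


@dataclass(frozen=True)
class Rule:
    prefix: str      # directory tree the rule covers; longest match wins
    ops: frozenset   # allowed operations; an empty set is a "negative permission"


class Policy:
    """What one subject (a user or a program) may do, keyed by path prefix."""

    def __init__(self, *rules):
        self.rules = rules

    def allowed(self, path, op):
        best = None
        for r in self.rules:
            if path == r.prefix or path.startswith(r.prefix.rstrip("/") + "/"):
                if best is None or len(r.prefix) > len(best.prefix):
                    best = r
        # A path with no rule at all is treated like a negative permission.
        return best is not None and op in best.ops


class Context:
    """Effective rights of a running process: every policy in its lineage must
    allow the access, so starting a program can only remove rights, never add."""

    def __init__(self, policies):
        self.policies = list(policies)

    def can(self, path, op):
        return all(p.allowed(path, op) for p in self.policies)

    def exec(self, program_policy):
        # Inherit the parent's restrictions and append the new program's own.
        return Context(self.policies + [program_policy])


def build_contexts():
    # The user: full access to the home directory, read access to system files.
    user = Policy(Rule(HOME, frozenset({READ, WRITE})),
                  Rule("/etc", frozenset({READ})),
                  Rule("/usr", frozenset({READ})))
    # Mozilla: negative permission on the whole home directory, then carve out
    # the download directory and its own profile (Ole's example policy).
    mozilla = Policy(Rule(HOME, frozenset()),
                     Rule(HOME + "/downloads", frozenset({READ, WRITE})),
                     Rule(HOME + "/.mozilla", frozenset({READ, WRITE})),
                     Rule("/etc", frozenset({READ})),
                     Rule("/usr", frozenset({READ})))
    # A viewer started by Mozilla for a downloaded file: its own policy allows
    # reading all of home, but it inherits Mozilla's restrictions.
    viewer = Policy(Rule(HOME, frozenset({READ})), Rule("/usr", frozenset({READ})))
    login = Context([user])
    return {"user": login,
            "mozilla": login.exec(mozilla),
            "viewer": login.exec(mozilla).exec(viewer)}
```

Calling `build_contexts()["viewer"].can("/home/user/documents/notes.txt", READ)` returns False even though the viewer's own policy allows it, because the inherited Mozilla policy does not.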
The rest of this message may be inaccurate. It is based on my memory of an article I read a year or so ago.
One possible answer to your question is the NSA version of the Linux kernel. With NSA Linux, permissions are controlled in much higher detail. A specific program can have "negative permissions" for files.
Let's take Mozilla as an example. I only use Mozilla for browsing the net and downloading files once in a while, so I give it read/write permission on my download directory and /home/user/.mozilla and whatever other places it needs to function as a browser. I give it negative permissions everywhere else.
Now, when I as a user start a program, the kernel takes the most restrictive combination of my own permissions and those of the program, and that defines what the program can do. Those restrictions are inherited if the program starts other programs, and if those programs have further restrictions, they will also be applied. So, when I start Mozilla, it will not be able to read my personal documents in my home directory.
In this case, you could set exactly what you want the program to be able to destroy before you risk running it.
Thanks to your remembering that article you read, I was able to do some digging on NSA Linux. Looks to me like your memory works pretty well. http://www.nsa.gov/selinux/faq.html Essentially it confirms what you said above, and essentially provides the level of security that my friend (a longtime Windows supporter) thinks is absolutely not possible in Linux. Cool. ;-) Another nail in the Windows coffin.
C.
On Monday 16 December 2002 7:31 pm, Ole Kofoed Hansen wrote:
Let's take Mozilla as an example. I only use Mozilla for browsing the net and downloading files once in a while, so I give it read/write permission on my download directory and /home/user/.mozilla and whatever other places it needs to function as a browser. I give it negative permissions everywhere else.
Now, when I as a user start a program, the kernel takes the most restrictive combination of my own permissions and those of the program, and that defines what the program can do. Those restrictions are inherited if the program starts other programs, and if those programs have further restrictions, they will also be applied. So, when I start Mozilla, it will not be able to read my personal documents in my home directory.
In this case, you could set exactly what you want the program to be able to destroy before you risk running it.
Regards
Ole
Newbie question for you Ole, how do you set permissions for what Mozilla can do? I know chmod and who can do what with the program, but not what the program can do.
Or have you made a mozilla user and added that to downloads? Any help info would be appreciated. Or any links? Thanks
--
Franklin Maurer <nebbish@sprynet.com> Using SuSE 8.1.
On Tue, 17 Dec 2002, Franklin Maurer wrote:
On Monday 16 December 2002 7:31 pm, Ole Kofoed Hansen wrote:
Let's take Mozilla as an example. I only use Mozilla for browsing the net and downloading files once in a while, so I give it read/write permission on my download directory and /home/user/.mozilla and whatever other places it needs to function as a browser. I give it negative permissions everywhere else.
Now, when I as a user start a program, the kernel takes the most restrictive combination of my own permissions and those of the program, and that defines what the program can do. Those restrictions are inherited if the program starts other programs, and if those programs have further restrictions, they will also be applied. So, when I start Mozilla, it will not be able to read my personal documents in my home directory.
In this case, you could set exactly what you want the program to be able to destroy before you risk running it.
Regards
Ole
Newbie question for you Ole, how do you set permissions for what Mozilla can do? I know chmod and who can do what with the program, but not what the program can do.
Or have you made a mozilla user and added that to downloads? Any help info would be appreciated.
Or any links?
The part of my message that you asked about was based on my memory of what NSA's kernel modifications and utilities can do. I have not tried it myself, and I would not suggest that a newbie try it either. For more information about the NSA stuff, look at: http://www.nsa.gov/selinux/
Regards
Ole
On Tuesday 17 December 2002 13:43, Ole Kofoed Hansen wrote:
On Tue, 17 Dec 2002, Franklin Maurer wrote:
The part of my message that you asked about was based on my memory of what NSA's kernel modifications and utilities can do.
And you were correct.
I have not tried it myself, and I would not suggest that a newbie try it either.
I tried it. The only documentation is a few technical white papers and it's the hardest technical literature I have ever read. Terribly abstract. There are only 1 or 2 other SuSE users trying it that I am aware of. I gave up after 2 months of working on it because my company decided to drop the project. This is not the thing to do if you are a newbie or short on time. On the other hand, if you have the time to spend on it, it is an excellent project, and if you need a high level of security I don't think anything beats NSA.
For more information about the NSA stuff, look at: http://www.nsa.gov/selinux/
--
Jonathan Wilson
Cedar Creek Software
http://www.cedarcreeksoftware.com
On Tue, 17 Dec 2002 20:43:35 +0100 (CET) Ole Kofoed Hansen <ole@sandbox.adsl.dk> wrote:
Ole
Newbie question for you Ole, how do you set permissions for what Mozilla can do? I know chmod and who can do what with the program, but not what the program can do.
Or have you made a mozilla user and added that to downloads? Any help info would be appreciated.
Or any links?
The part of my message that you asked about was based on my memory of what NSA's kernel modifications and utilities can do. I have not tried it myself, and I would not suggest that a newbie try it either.
For more information about the NSA stuff, look at: http://www.nsa.gov/selinux/
There is also the grsecurity kernel patch which works quite well. Its advanced features let you set specific limits on what each executable can do. It gets tricky though, because if you really tighten up security, apps like X won't run, because of the poor initial design. But the grsecurity apps will let you specifically exempt certain executables from restrictions. http://www.grsecurity.net But the patch is worthwhile just for its simpler features, like randomized pids, proc restrictions, and control over user socket access.
--
use Perl; #powerful programmable prestidigitation
Hi
As a general rule, yes, it can do everything you can do as that user. It can do whatever it wants to your files. But accessing the vital system is another thing, and that is not a very easy thing to do, but it is possible. To prevent this requires an admin that is up to the task of cleaning the system properly, or better yet, installing the system from the ground up. There must be others who are able to answer this in more detail than me...
Jaska.
On Monday 16 December 2002 23:24, Clayton Cornell wrote:
A friend and I are having a rather long email discussion about security in Linux. He has raised some questions I don't know the answer to... maybe someone here on the list can help out.
The discussion is centering around what happens if you are using Linux and someone sends you a malicious binary. If you save it to your /home/<user> and run it, not knowing it is something nasty, what can it do to your system? If you are running as <user> the worst I can imagine it could do is turf your files in /home/<user>. Is this possible assuming a compiled binary?
If you can run application XYZ as <user> what is to stop that binary from running application XYZ as well (after you ran the binary and it is hovering in the background)? Can a program pretend to be <user> and execute applications as <user>? I am not talking about a simple text shell script that you can read... I am talking about a binary you cannot look at/into or see the source code.... essentially a Linux virus scenario.
C.
On Mon, Dec 16, 2002 at 10:24:44PM +0100, Clayton Cornell wrote:
The discussion is centering around what happens if you are using Linux and someone sends you a malicious binary. If you save it to your /home/<user> and run it, not knowing it is something nasty, what can it do to your system?
Most executables run with all the rights of the user that ordered them to run. This means that they can read, write, create, delete, and execute any other file as long as they have adequate permissions. The only exception to the above is when an executable file is SUID. In that case it runs with all the rights of the owner of the file.
Victor
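The two points the thread keeps returning to, that a binary runs with the invoking user's rights unless it is SUID/SGID, and that membership of the disk group quietly turns "just my files" into every partition, can both be checked before anything is run. This is an added pre-flight script, not code from the thread; it uses only POSIX `id`, `ls` and the shell's `-u`/`-g` file tests, and takes the binary's path as an argument.

```sh
#!/bin/sh
# Added example: report which identity a downloaded binary would run as, and
# whether the invoking user already holds more than ordinary user rights.

# Return 0 if user $1 is a member of group $2 (POSIX `id -Gn`).
user_in_group() {
    for g in $(id -Gn "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Return 0 if the file carries the setuid or setgid bit, i.e. running it
# would NOT simply be "running it as you" (Victor's SUID exception).
file_is_suid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# Print one line describing the identity a binary at $1 would run with.
# Returns 0 when the description was produced, 2 if the file is missing.
describe_binary() {
    f=$1
    [ -f "$f" ] || { echo "$f: no such file"; return 2; }
    owner=$(ls -ld "$f" | awk '{print $3}')
    group=$(ls -ld "$f" | awk '{print $4}')
    if [ -u "$f" ]; then
        echo "$f: SUID, runs with the rights of owner '$owner'"
    elif [ -g "$f" ]; then
        echo "$f: SGID, runs with the rights of group '$group'"
    else
        echo "$f: runs with the rights of the invoking user"
    fi
    return 0
}

# Report whether the invoking user is in the disk group: Ole's point that such
# a user has raw write access to the hard disk, so "only my files" no longer holds.
describe_invoker() {
    me=$(id -un)
    if user_in_group "$me" disk; then
        echo "$me is in group disk: a malicious binary could write raw partitions"
        return 1
    fi
    echo "$me is not in group disk: damage is limited to files $me can write"
    return 0
}

# Usage: sh checkbin.sh ./downloaded-binary [more binaries...]
if [ -n "${1:-}" ]; then
    describe_invoker
    for f in "$@"; do describe_binary "$f"; done
fi
```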
participants (9): Bruce Marshall, Cees van de Griend, Clayton Cornell, Franklin Maurer, jaakko tamminen, JW, Ole Kofoed Hansen, Victor R. Cardona, zentara