OPNsense Forum » Archive » 17.1 Legacy Series » Jails and privilege isolation
Topic: Jails and privilege isolation (Read 7058 times)
segfault
Newbie
Posts: 5
Karma: 0
Jails and privilege isolation
« on: December 12, 2016, 04:48:48 am »
Hello everyone,
I'd like to know if the OPNsense community has discussed before the tradeoffs and potential security improvements of running as many of its services and daemons as possible within https://wiki.freebsd.org/Jails.
In relation to this topic, I'd like to ask what's the rationale for running certain daemons as root when they don't need to. Notable examples are:
- lighttpd
- php-cgi
- suricata
- openvpn
Thank you
Logged
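As an added example (my own, not from any poster in this thread), a small sh script that inventories which listeners still run as root, the question segfault raises above; the `sockstat -l` sample is constructed so it runs offline:

```shell
#!/bin/sh
# Added example, not from the thread: inventory root-owned network listeners,
# the first thing to check before deciding which daemons need privilege
# dropping, a chroot or a jail. Input is FreeBSD `sockstat -l` output; the
# sample below is constructed so the script runs offline. Live use:
#   sockstat -4l | root_listeners -
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     lighttpd   1234  5  tcp4   127.0.0.1:443         *:*
root     openvpn    2345  6  udp4   *:1194                *:*
root     sshd       3456  3  tcp4   *:22                  *:*
unbound  unbound    4567  4  udp4   127.0.0.1:53          *:*
dhcpd    dhcpd      5678  9  udp4   *:67                  *:*
squid    squid      6789  12 tcp4   192.168.1.1:3128      *:*'

# Print "PRIORITY COMMAND LOCAL" for every root-owned listener.
#   high: root and bound to every address, reachable from any interface
#   low:  root but loopback-only (e.g. a web UI reached through an SSH tunnel)
# $1 is the file to read, or "-" for stdin.
root_listeners() {
    awk 'NR > 1 && $1 == "root" {
        prio = ($6 ~ /^(\*|0\.0\.0\.0):/) ? "high" : "low"
        print prio, $2, $6
    }' "$1" | sort -u
}

# Run the audit over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | root_listeners -
}

audit_sample
```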
AdSchellevis
Administrator
Hero Member
Posts: 893
Karma: 176
Re: Jails and privilege isolation
« Reply #1 on: December 12, 2016, 08:04:49 pm »
Hi segfault,
I don't think there have been a lot of discussions about jails in the forum, but at a first glance I expect they would add quite some complexity to the firewall (in terms of configuration and routing data in/out of all the different jails).
Ideas are always welcome, but wrapping services in jails is not in our plans at the moment.
About quite a few of the services that still run as root, I agree we should look into those if possible (php for one isn't possible yet because of the legacy code still in there).
Best regards,
Logged
segfault
Newbie
Posts: 5
Karma: 0
Re: Jails and privilege isolation
« Reply #2 on: December 14, 2016, 02:41:22 am »
IMO, the complexity added by isolating different daemons in jails is offset by the security benefits it brings.
The scaling down of privileges by running processes as non-root is a good first step in ensuring isolation. Things are not secure right now running as root. How can I help move this forward?
Logged
AdSchellevis
Administrator
Hero Member
Posts: 893
Karma: 176
Re: Jails and privilege isolation
« Reply #3 on: December 14, 2016, 08:27:22 am »
The easiest way is probably to describe the change you propose and how it should work for the user and system underneath (no impact, minimum impact, required transition path), keep things small and simple.
Next you can create pull requests to support your ideas with code here https://github.com/opnsense/core/.
I don't have a lot of time at the moment, but if you keep the steps small and easy to understand, I can review the changes and check for impact.
The best starting point would be the services like suricata, our new style code (using configd) doesn't require the http server / php to run as root, but migrating all legacy code is still quite some more work.
Check our architecture overview for guidelines (https://docs.opnsense.org/development/architecture.html).
Thanks for your help!
« Last Edit: December 14, 2016, 08:29:28 am by AdSchellevis »
Logged
franco
Administrator
Hero Member
Posts: 16160
Karma: 1424
Re: Jails and privilege isolation
« Reply #4 on: December 14, 2016, 12:49:48 pm »
This is tricky, stemming from a long project history all the way back to m0n0wall.
The truth is: the web server runs as root because it needs to run privileged operations.
pfSense added a background daemon, which was tailored for a handful of plain "fire and forget" offloading tasks (its name was "check_reload_status"). This daemon wasn't suitable for general purpose privilege separation and was written in C which made it difficult to extend.
In the spirit of what Chris Buechler calls "NIH syndrome" we, or rather Ad, went ahead and built a general purpose privilege separation / background daemon dubbed "configd", which was written in Python and has since gained a lot of functionality.
The MVC parts use it exclusively. That's good.
What's not so good is that the static PHP pages still are a hardcoded backend that does a lot of privileged operations, which voids the premise of running lighttpd as non-root or in a jail. In fact, man-years can easily be wasted there for things that make sense, but in no way align with project purposes, required work elsewhere and "state of the art".
We've done a lot of work towards privilege separation, but we're only half-way there. What we need is actionable ideas, assistance in coding and testing and time to get there.
Cheers,
Franco
Logged
segfault
Newbie
Posts: 5
Karma: 0
Re: Jails and privilege isolation
« Reply #5 on: December 15, 2016, 12:13:15 am »
Since the web interface can be set up to listen only on localhost and accessed over an SSH tunnel, I find it less concerning than other network services that must be open to potentially hostile networks, like the Internet.
If ways can't be found to mitigate the vital privileges of such network exposed services, isolating them with Jails seems like a solution worth exploring.
The firewall is only going to shield us from packets that aren't supposed to get through. Once they're in, we need to rely on other security mechanisms. Running so many of the daemons as root is a sure fire approach to get easily hacked sooner rather than later.
Logged
franco
Administrator
Hero Member
Posts: 16160
Karma: 1424
Re: Jails and privilege isolation
« Reply #6 on: December 15, 2016, 07:05:52 am »
Hi segfault,
Okay, then we have a general direction.
Unbound and dhcpd are chrooted, dnsmasq drops privileges.
I think squid also runs as squid/squid.
Here is a report about strongswan. It's not impossible, but I'm cautious about "cannot add a route properly [...] potentially be fixed by using scripting hooks in StrongSwan via some sudo work" and what it means to find all bugs related to it.
https://github.com/opnsense/core/issues/1103
The last big daemon is Suricata, not sure how it is set up. There's more minor ones, though.
Where do we proceed?
Cheers,
Franco
Logged
Beeblebrox
Newbie
Posts: 10
Karma: 0
Re: Jails and privilege isolation
« Reply #7 on: July 22, 2017, 08:52:31 pm »
My $0.02 here and hope I'm not necro posting.
1. First off, a solid firewall configuration is going to add more security than any other measure. That's been done on OPNs, so services not exposed to the WAN are not of primary concern (unless the sysadmin does something stupid like offer dhcp to WAN)
2. Any service directly exposed to WAN should be jailed, period. That means DNS (unbound + dnscrypt-proxy), Squid, Privoxy, IDS/IPS. This implies that dnsmasq may not be a good choice since it bundles dns+dhcp, but I don't know enough about dnsmasq to claim anything.
I'd include any service doing dirty work in the list to be jailed; the likes of ClamAV/Symantec, or whatever risky service is being considered.
3. The bad news: I've found that PF cannot filter on a per-alias basis. For example, if the Privoxy jail is on VLAN1 with alias <IP>/32 and we wish to filter this specific IP, PF can't do it. I've yet to look into IPFW which was claimed to have this capability.
4. The difficulty for the OPNs web-gui would come from any ifconfig change as far as I can tell. If VLAN or jail IP settings were to be changed down the road or if initial setup was not quite well thought through, I imagine web-gui could have difficulties with jail ip addresses and firewall rules. A dedicated subnet for jails and default VLAN creation could alleviate this problem (ex 192.168.10.0/26) or some other rarely used subnet.
5. Otherwise creating and configuring jails is pretty easy especially with qjail or ezjail (which is a single script btw). I just replicated the script and config files to my box and created my jails. web-gui would have to have some kind of interface to set which services should be enabled for a certain jail - or just expose <jail>/etc/rc.conf
6. Consider ZFS (not advised on 32Bit) with its snapshot rollback feature. Create a pristine ZFS snapshot at first start of the jail. The snapshot is periodically called for rollback to restore the jail to pristine. Any undetected compromise of the jail is accordingly wiped out. Then mount /usr/local as "nullfs -ro" to <jail>/usr/local so that package upgrades are host maintenance and individual jails do not need package maintenance. If world gets updated, jails will need an etcupdate run to bring them to the same level as the host.
HTH.
Logged
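As an added example (my own, not from Beeblebrox or the OPNsense project), a FreeBSD sh script for the snapshot, rollback and nullfs steps in points 5 and 6 of the post above; the dataset `zroot/jails/squid`, the jail root `/usr/jails/squid` and the snapshot name `pristine` are assumed:

```shell
#!/bin/sh
# Added example, not from the thread: keep a jail "pristine" as post #7
# describes. Snapshot the jail's ZFS dataset once after provisioning, roll
# back to it periodically (e.g. from cron before restarting the jail) so
# anything written inside the jail since then is discarded, and mount the
# host's /usr/local read-only into the jail so packages are maintained on the
# host only. Dataset, jail root and snapshot name are assumed values.
set -eu

ZPOOL_DATASET="${ZPOOL_DATASET:-zroot/jails/squid}"   # assumed dataset
JAIL_ROOT="${JAIL_ROOT:-/usr/jails/squid}"             # assumed jail root
SNAP="pristine"

# Commands are reached through variables so a test can substitute shims.
ZFS="${ZFS:-zfs}"
MOUNT="${MOUNT:-mount}"

snapshot_exists() {
    "$ZFS" list -H -t snapshot -o name "$ZPOOL_DATASET@$SNAP" >/dev/null 2>&1
}

# Take the snapshot only once, right after the jail has been set up.
ensure_pristine_snapshot() {
    if snapshot_exists; then
        echo "snapshot $ZPOOL_DATASET@$SNAP already present"
    else
        "$ZFS" snapshot "$ZPOOL_DATASET@$SNAP"
    fi
}

# Discard everything the jail wrote since the snapshot. Refuses to run if the
# snapshot was never taken, rather than silently doing nothing.
rollback_to_pristine() {
    snapshot_exists || { echo "no pristine snapshot for $ZPOOL_DATASET" >&2; return 1; }
    "$ZFS" rollback -r "$ZPOOL_DATASET@$SNAP"
}

# Expose the host's packages read-only; the jail needs no pkg maintenance.
mount_usr_local_ro() {
    "$MOUNT" -t nullfs -o ro /usr/local "$JAIL_ROOT/usr/local"
}
```

Run `ensure_pristine_snapshot` once after provisioning, then `rollback_to_pristine` and `mount_usr_local_ro` each time the jail is (re)started.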
anoncat
Newbie
Posts: 3
Karma: 0
Re: Jails and privilege isolation
« Reply #8 on: July 25, 2017, 09:02:17 pm »
How would a jail work on the edge with an IDS/IPS? Jails are virtual instances which means you're pulling away from bare metal. Nice in theory and for all the other services you mentioned but an IDS/IPS needs the raw packet to be effective at filtering. That is a tiny part of the reason checksums are disabled on the NIC you put the listening interface on. Running unprivileged would be amazing as IDS exploits, while few and far between, do exist; it would be nice to have at least a simple first step. No idea how to even start when it requires control over network devices which is reserved most of the time for the OS level.
There are very small changes to some packets when running as a VM vs bare metal from a few tests I've done over the years. Not a huge quantity, but the same applies to all machines that have tiny differences on some packets which has a potential to be used by people far smarter than you. Trust me, a rascal with a rusty nail is pretty near comparable.
ZFS on a firewall... I love ZFS. Long live the ZFS NAS! I hate ZFS pre-req's. Last thing anybody wants is a small appliance with memory being taken up for storage when it should be used for session states and IDS/IPS rules. I don't know about you but having a small appliance or machine with 2GB ram is enough for 25 devices at home to all talk with no problems, that's with torrents running. Now if the installer detects the device it's being installed on has 32+GB ram you have my support. At that point reporting actually matters and you have a much larger user base to protect and be concerned about.
For the network interface part I'm all ears, can you make it happen? Hey smart dev's, OP needs to start writing a little code don't you think :-).
Logged
Beeblebrox
Newbie
Posts: 10
Karma: 0
Re: Jails and privilege isolation
« Reply #9 on: July 26, 2017, 01:04:29 pm »
* Good point on IDS/IPS, apparently I had not thought it through. OP's list included openvpn (which would/should normally be placed in a jail) but IDS/IPS filtering of an openvpn jail is beyond my knowledge.
* ZFS: The user should be able to select the FS (UFS/ZFS) at install time - problem solved. I agree with the "small box requirements", in which case one would select UFS. On amd64 ZFS, unless you intend to have hundreds of datasets, 4GB is sufficient btw.
* I would suggest the first service to be moved to a jail should be Squid rather than the web-gui, unless some users intend to expose web-gui to the WAN. Also note that HardenedBSD, which OPNsense partly (for the time being) uses, is a step ahead of FreeBSD when it comes to privilege escalation problems.
* I already have, with a minor hiccup, (unbound-DNSSEC + dnscrypt-proxy), searx & ClamAV running in separate jails on a 32Bit 2GB box.
Regards.
Logged