Author Topic: Safe Chrooted SSH Environments  (Read 11463 times)

0 Members and 1 Guest are viewing this topic.

Offline LordVader

  • Full Member
  • ***
  • Posts: 113
  • Knowledge is power.
    • View Profile
    • James Moss on the web!
Safe Chrooted SSH Environments
« on: May 28, 2007, 02:56:16 pm »
What would you guys consider safe as far as a list of apps goes, mainly looking for what would be considered:
"Must have apps"
like nano/vim etc..

Don't need to list core things like unzip/zip/tar etc.
I'm more interested in other apps that help ssh be descently usable for general users but not overboard and risky.
Keeping in mind that the more that get's added raises the risk of exploits to break out of chroot..
so minimal is good.. but still usable average users wanting to do some editing and the like.

Offline Newby

  • Moderator
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Safe Chrooted SSH Environments
« Reply #1 on: May 28, 2007, 02:59:07 pm »
Ehh, text editors like vim are pretty risky (at least FreeBSD keeps telling me that when I install it). Get root with vim, and you win. Especially since vim has a shell command in it. :P
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline LordVader

  • Full Member
  • ***
  • Posts: 113
  • Knowledge is power.
    • View Profile
    • James Moss on the web!
Re: Safe Chrooted SSH Environments
« Reply #2 on: May 28, 2007, 03:07:33 pm »
True, but if we do a good job setting up the chroot environment are there any you would consider safe enuff to allow a user to use?

And what about other tools is there any you would consider necessary if you had a user acct on a website, and that came with email,ssh,ftp login etc..
Would you be fine being forced to use ftp to to do all editing thru or would you want wget/nano/vim(similar)..

I realise not having the editor is the safer route but looking for possible idea's on what could be somewhat safe as far as extra tools go, and also what ppl consider "must have tools" beyond tar/zip type apps in ssh etc.

So ppl know what I consider core my current apps listing for the chroot web ssh environments:
APPS="/usr/bin/mysqldump /usr/bin/mysql /usr/lib/openssh/sftp-server /bin/bash /bin/ls /bin/cp /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/unzip /usr/bin/zip /bin/tar /usr/bin/dircolors /usr/bin/wget"
« Last Edit: May 28, 2007, 03:13:44 pm by LordVader »

Offline nslay

  • Hero Member
  • *****
  • Posts: 786
  • Giraffe meat, mmm
    • View Profile
Re: Safe Chrooted SSH Environments
« Reply #3 on: May 28, 2007, 03:08:20 pm »
Ehh, text editors like vim are pretty risky (at least FreeBSD keeps telling me that when I install it). Get root with vim, and you win. Especially since vim has a shell command in it. :P

What?

vim is safe...its applications that require suid or root privileges to run that you want to be careful with, especially those that accept remote connections.
An adorable giant isopod!

Offline LordVader

  • Full Member
  • ***
  • Posts: 113
  • Knowledge is power.
    • View Profile
    • James Moss on the web!
Re: Safe Chrooted SSH Environments
« Reply #4 on: May 28, 2007, 03:18:20 pm »
Ehh, text editors like vim are pretty risky (at least FreeBSD keeps telling me that when I install it). Get root with vim, and you win. Especially since vim has a shell command in it. :P

What?

vim is safe...its applications that require suid or root privileges to run that you want to be careful with, especially those that accept remote connections.

@nslay:
So outside of unforseen exploits in vim/nano/other generally safe use apps causing them them directly get root or suid(0/1) priv's, you don't see a problem?

So I guess as long as the app is fairly secure in itself and run as the user and not root/suid(0/1) etc.
It would be considered fairly safe to allow a user access to..
Keeping in mind backups can reverse most dmg if something did happen, then just figure out what happend and remove or fix the app used that caused the failure..
« Last Edit: May 28, 2007, 03:34:03 pm by LordVader »

Offline nslay

  • Hero Member
  • *****
  • Posts: 786
  • Giraffe meat, mmm
    • View Profile
Re: Safe Chrooted SSH Environments
« Reply #5 on: May 28, 2007, 04:06:04 pm »
Ehh, text editors like vim are pretty risky (at least FreeBSD keeps telling me that when I install it). Get root with vim, and you win. Especially since vim has a shell command in it. :P

What?

vim is safe...its applications that require suid or root privileges to run that you want to be careful with, especially those that accept remote connections.

@nslay:
So outside of unforseen exploits in vim/nano/other generally safe use apps causing them them directly get root or suid(0/1) priv's, you don't see a problem?

So I guess as long as the app is fairly secure in itself and run as the user and not root/suid(0/1) etc.
It would be considered fairly safe to allow a user access to..
Keeping in mind backups can reverse most dmg if something did happen, then just figure out what happend and remove or fix the app used that caused the failure..
vim doesn't need suid to run.  Exploiting vim gets you nothing unless root happens to be running the vim you exploited.
The reason I note suid applications are dangerous is because exploiting those can get you root privileges ... vim is not one of these.
An example of a suid application is ping
Quote
107 16526 -r-sr-xr-x 1 root wheel 68360 23296 "May 24 19:38:52 2007" "Feb  4 04:10:46 2007" "Feb  4 04:10:46 2007" "Feb  4 04:10:46 2007" 4096 48 0 /sbin/ping
You may notice many shell providers do not have ping for that and other reasons :P
An adorable giant isopod!

Offline LordVader

  • Full Member
  • ***
  • Posts: 113
  • Knowledge is power.
    • View Profile
    • James Moss on the web!
Re: Safe Chrooted SSH Environments
« Reply #6 on: May 28, 2007, 04:14:59 pm »
Ahh good to know, from what I can see when I:
ps aux

I see ping being executed by the user that executed ping, not root/suid(0) so I'm assuming it's safe on my system..
eg not using root/suid(0)

Tho I may be mistaken..

This is on a debian linux box.

Offline nslay

  • Hero Member
  • *****
  • Posts: 786
  • Giraffe meat, mmm
    • View Profile
Re: Safe Chrooted SSH Environments
« Reply #7 on: May 28, 2007, 04:25:37 pm »
Ahh good to know, from what I can see when I:
ps aux

I see ping being executed by the user that executed ping, not root/suid(0) so I'm assuming it's safe on my system..
eg not using root/suid(0)

Tho I may be mistaken..

This is on a debian linux box.

That's because ping resigns root privileges after attaining a SOCK_RAW socket. (if you're curious how that works, man setuid(2))
EDIT: That doesn't mean ping is 100% free of exploits...the getopt() functionality used by ping to parse command line arguments, for example, might have some sort of buffer overflow somewhere. (see getopt(3))
An adorable giant isopod!

Offline LordVader

  • Full Member
  • ***
  • Posts: 113
  • Knowledge is power.
    • View Profile
    • James Moss on the web!
Re: Safe Chrooted SSH Environments
« Reply #8 on: May 28, 2007, 04:45:26 pm »
Thx for the info, very helpfull.

Offline Newby

  • Moderator
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Safe Chrooted SSH Environments
« Reply #9 on: May 28, 2007, 05:25:57 pm »
vim doesn't need suid to run.  Exploiting vim gets you nothing unless root happens to be running the vim you exploited.
The reason I note suid applications are dangerous is because exploiting those can get you root privileges ... vim is not one of these.

What if the exploit is something of an overflow and some shellcode escalates your privileges and gets you root?

Ohyeah: no compiler on your chrooted environment, either. :P
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Safe Chrooted SSH Environments
« Reply #10 on: May 28, 2007, 06:22:36 pm »
What if the exploit is something of an overflow and some shellcode escalates your privileges and gets you root?

Because that's an extremely unlikely situation.

If it's considered dangerous, it probably means that it's dangerous to give it suid or sudo access, since shell commands can be run through it (:!ls).

vim doesn't need suid to run.  Exploiting vim gets you nothing unless root happens to be running the vim you exploited.
The reason I note suid applications are dangerous is because exploiting those can get you root privileges ... vim is not one of these.
Well, if somebody sends you a malicious textfile, and you opened it, and it exploited vim as your user account, it's game over. Once something has access to your user, it's a small jump for it to get access to root. I'd link to a blog I just wrote about that, but it's not published yet. :)

Offline nslay

  • Hero Member
  • *****
  • Posts: 786
  • Giraffe meat, mmm
    • View Profile
Re: Safe Chrooted SSH Environments
« Reply #11 on: May 28, 2007, 11:21:57 pm »
What if the exploit is something of an overflow and some shellcode escalates your privileges and gets you root?

Because that's an extremely unlikely situation.

If it's considered dangerous, it probably means that it's dangerous to give it suid or sudo access, since shell commands can be run through it (:!ls).

vim doesn't need suid to run.  Exploiting vim gets you nothing unless root happens to be running the vim you exploited.
The reason I note suid applications are dangerous is because exploiting those can get you root privileges ... vim is not one of these.
Well, if somebody sends you a malicious textfile, and you opened it, and it exploited vim as your user account, it's game over. Once something has access to your user, it's a small jump for it to get access to root. I'd link to a blog I just wrote about that, but it's not published yet. :)

That's not true at all, it's not a simple jump.  Thats the point of root vs user!  There are many public shells available, none of which are routinely exploited as you suggest.  Big deal if a user is exploited?
I know Linux is infamous for being the Windows of the Unix world, and I love to cite SDF's (Public Access Unix, est. 1987) bad security experiences with Linux, but this is not generally true among other flavors of Unix!
An adorable giant isopod!

Offline nslay

  • Hero Member
  • *****
  • Posts: 786
  • Giraffe meat, mmm
    • View Profile
Re: Safe Chrooted SSH Environments
« Reply #12 on: May 28, 2007, 11:22:24 pm »
vim doesn't need suid to run.  Exploiting vim gets you nothing unless root happens to be running the vim you exploited.
The reason I note suid applications are dangerous is because exploiting those can get you root privileges ... vim is not one of these.

What if the exploit is something of an overflow and some shellcode escalates your privileges and gets you root?

Ohyeah: no compiler on your chrooted environment, either. :P

Nothing wrong with compilers either.
An adorable giant isopod!

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Safe Chrooted SSH Environments
« Reply #13 on: May 29, 2007, 09:00:36 am »
That's not true at all, it's not a simple jump.  Thats the point of root vs user!  There are many public shells available, none of which are routinely exploited as you suggest.  Big deal if a user is exploited?
I know Linux is infamous for being the Windows of the Unix world, and I love to cite SDF's (Public Access Unix, est. 1987) bad security experiences with Linux, but this is not generally true among other flavors of Unix!
If your user account gets exploited, it can alter the running instance of bash (or ksh, sh, zsh, whatever). The next time you run "su" or "sudo", it can redirect the command and grab root.

It is very hard to defend against that attack, and I don't really think it's possible in all cases.

I'm going to ask the editor to post my blog for tomorrow, where I discuss that attack. :)

<Edit> nevermind, it posted this morning! http://www.symantec.com/enterprise/security_response/weblog/2007/05/the_danger_of_speling_mistakes.html

Basically, it outlines two really simple attacks on "sudo". And these attacks aren't a weakness in sudo, they're a weakness in multi-user separation.

Offline nslay

  • Hero Member
  • *****
  • Posts: 786
  • Giraffe meat, mmm
    • View Profile
Re: Safe Chrooted SSH Environments
« Reply #14 on: May 29, 2007, 11:00:54 am »
That's not true at all, it's not a simple jump.  Thats the point of root vs user!  There are many public shells available, none of which are routinely exploited as you suggest.  Big deal if a user is exploited?
I know Linux is infamous for being the Windows of the Unix world, and I love to cite SDF's (Public Access Unix, est. 1987) bad security experiences with Linux, but this is not generally true among other flavors of Unix!
If your user account gets exploited, it can alter the running instance of bash (or ksh, sh, zsh, whatever). The next time you run "su" or "sudo", it can redirect the command and grab root.

It is very hard to defend against that attack, and I don't really think it's possible in all cases.

I'm going to ask the editor to post my blog for tomorrow, where I discuss that attack. :)

<Edit> nevermind, it posted this morning! http://www.symantec.com/enterprise/security_response/weblog/2007/05/the_danger_of_speling_mistakes.html

Basically, it outlines two really simple attacks on "sudo". And these attacks aren't a weakness in sudo, they're a weakness in multi-user separation.

From the sound of it, it doesn't seem he is going to give su or sudo access to his users.
P.S. sudo sucks. su + wheel forever. :)
An adorable giant isopod!