From ray at cyth.net Sun May 1 03:08:26 2005 
From: ray at cyth.net (Ray)
Date: Sun May 1 14:48:46 2005
Subject: [Systrace] Question regarding the security of systrace
In-Reply-To: <200504280950.43405.johannes.nicolai@hpi.uni-potsdam.de>
References: <200504280950.43405.johannes.nicolai@hpi.uni-potsdam.de>
Message-ID: <20050501070826.GA4060@syntax.cyth.net>

You should be fine. Just add a dedicated user for running this program, systrace -ai it and don't worry. At the very least you won't be worse off than running it without systrace.

-Ray-

On Thu, Apr 28, 2005 at 09:50:43AM +0200, Johannes Nicolai wrote:
> Hi,
>
> I hope that I do not annoy anybody on this list when I ask what you think
> about:
> http://cert.uni-stuttgart.de/archive/bugtraq/2004/03/msg00282.html
>
> I know that Marius has already responded to this claim in:
> http://www.monkey.org/openbsd/archive/misc/0403/msg01611.html
>
> I am not a security expert, so I ask you how serious you think the
> mentioned "bugs" are and whether there is any new information about it.
>
> To make my question precise: I would like to use systrace for the next world championship
> of RealTimeBattle (http://realtimebattle.sf.net) in order to protect the
> machine from potentially malicious programs (some competitors only send binary
> code) that do not only act as robots in the game but also try to do harm or
> influence other processes.
>
> The robots can only execute a few system calls, communicate with their team
> mates via Unix Domain Sockets in a special directory and access configuration
> files in this directory.
>
> They won't be allowed to fork or to ptrace (execve is okay).
>
> I wonder whether one can exploit systrace if only this limited set of system
> calls is allowed at all.
>
> Perhaps you can help me with this question.
>
> Thanks in advance
>
> Johannes Nicolai
> _______________________________________________
> systrace mailing list
> systrace@systrace.org
> http://systrace.org/mailman/listinfo/systrace

-Ray-

From johannes.nicolai at hpi.uni-potsdam.de Mon May 2 13:55:37 2005
From: johannes.nicolai at hpi.uni-potsdam.de (Johannes Nicolai)
Date: Mon May 2 13:55:43 2005
Subject: [Systrace] Granularity of ioctl and fcntl
Message-ID: <200505021955.37878.johannes.nicolai@hpi.uni-potsdam.de>

Hi,

I have attached a little program to demonstrate how one can use fcntl (the same is true for ioctl) to kill an arbitrary process that you were also able to kill with the kill command. However, systrace only gives me the opportunity to deny or permit fcntl / ioctl at all, but no translations are available to decide this regarding the flags for the system call.

Perhaps (I hope so) I am wrong with this statement and there is a way to do it. If so, please tell me. If not, please tell me how I can implement it or if a new version of systrace will cover this feature.

Thanks in advance

Johannes Nicolai

-------------- next part --------------
A non-text attachment was scrubbed...
Name: funnykill.c
Type: text/x-csrc
Size: 735 bytes
Desc: not available
Url : http://monkeymail.org/archives/systrace/attachments/20050502/78c22b8c/funnykill.bin

From johannes.nicolai at hpi.uni-potsdam.de Mon May 2 14:09:03 2005
From: johannes.nicolai at hpi.uni-potsdam.de (Johannes Nicolai)
Date: Mon May 2 14:09:08 2005
Subject: [Systrace] suid programs
Message-ID: <200505022009.04015.johannes.nicolai@hpi.uni-potsdam.de>

Is there any way to determine if the program that should be executed with execv /... is an suid program?

Thanks in advance for an answer

Johannes Nicolai

From johannes.nicolai at hpi.uni-potsdam.de Mon May 2 14:10:43 2005
From: johannes.nicolai at hpi.uni-potsdam.de (Johannes Nicolai)
Date: Mon May 2 14:10:46 2005
Subject: [Systrace] Means and usage of templates
Message-ID: <200505022010.43597.johannes.nicolai@hpi.uni-potsdam.de>

Hello,

unfortunately, I was not able to find any documentation concerning the usage of templates in systrace. I have only found this term in the source code and was (yet) too lazy to figure out what it means from it.

Johannes Nicolai

From provos at citi.umich.edu Mon May 2 14:32:31 2005
From: provos at citi.umich.edu (Niels Provos)
Date: Mon May 2 14:32:33 2005
Subject: [Systrace] suid programs
In-Reply-To: <200505022009.04015.johannes.nicolai@hpi.uni-potsdam.de>
References: <200505022009.04015.johannes.nicolai@hpi.uni-potsdam.de>
Message-ID: <20050502183231.GA22827@citi.citi.umich.edu>

On Mon, May 02, 2005 at 08:09:03PM +0200, Johannes Nicolai wrote:
> Is there any way to determine if the program that should be executed with
> execv /... is an suid program?

Systrace itself does not know if an application is sugid. Presumably, you could check via userland but that leads to TOCTOU problems. Kernel support could help with that. But presumably, sugid applications are not lying around randomly on the system.

Niels.

From ray at cyth.net Mon May 2 14:26:58 2005
From: ray at cyth.net (Ray)
Date: Mon May 2 14:33:22 2005
Subject: [Systrace] suid programs
In-Reply-To: <200505022009.04015.johannes.nicolai@hpi.uni-potsdam.de>
References: <200505022009.04015.johannes.nicolai@hpi.uni-potsdam.de>
Message-ID: <20050502182658.GA15378@syntax.cyth.net>

On Mon, May 02, 2005 at 08:09:03PM +0200, Johannes Nicolai wrote:
> Is there any way to determine if the program that should be executed with
> execv /... is an suid program?

In the policy of the program being run you can add ", if user = root" to each rule. However, this won't distinguish between a suid program and a program run by root.

-Ray-

From ray at cyth.net Mon May 2 14:31:44 2005
From: ray at cyth.net (Ray)
Date: Mon May 2 14:33:22 2005
Subject: [Systrace] Means and usage of templates
In-Reply-To: <200505022010.43597.johannes.nicolai@hpi.uni-potsdam.de>
References: <200505022010.43597.johannes.nicolai@hpi.uni-potsdam.de>
Message-ID: <20050502183144.GB15378@syntax.cyth.net>

On Mon, May 02, 2005 at 08:10:43PM +0200, Johannes Nicolai wrote:
> unfortunately, I was not able to find any documentation concerning the usage
> of templates in systrace. I have only found this term in the source code and
> was (yet) too lazy to figure out what it means from it.

From the README in :

Templates for OpenBSD/NetBSD. Untar either in /etc/systrace/ or $HOME/.systrace/
Make sure that they are readable. The wizard button allows you to generate policies quickly.

-Ray-

From provos at citi.umich.edu Mon May 2 17:46:21 2005
From: provos at citi.umich.edu (Niels Provos)
Date: Mon May 2 17:46:23 2005
Subject: [Systrace] Granularity of ioctl and fcntl
In-Reply-To: <200505021955.37878.johannes.nicolai@hpi.uni-potsdam.de>
References: <200505021955.37878.johannes.nicolai@hpi.uni-potsdam.de>
Message-ID: <20050502214621.GB22827@citi.citi.umich.edu>

On Mon, May 02, 2005 at 07:55:37PM +0200, Johannes Nicolai wrote:
> I have attached a little program to demonstrate how one can use
> fcntl (the same is true for ioctl) to kill an arbitrary process that
> you were also able to kill with the kill command. However, systrace
> only gives me the opportunity to deny or permit fcntl / ioctl at all
> but no translations are available to decide this regarding the flags
> for the system call. Perhaps (I hope so) I am wrong with this
> statement and there is a way to do it. If so please tell me. If
> not, please tell me how I can implement it or if a new version of
> systrace will cover this feature.

The systrace policy language is completely independent of any system call interface. Systrace consists of several independent layers; one of them is the system call translation layer. The translation layer translates any system call into a human readable string on which the policy language operates.

So, what you are missing are translators for fcntl and ioctl. They should be trivial to implement.

Niels.

From provos at citi.umich.edu Sat May 7 11:13:07 2005
From: provos at citi.umich.edu (Niels Provos)
Date: Sat May 7 11:13:09 2005
Subject: [Systrace] Granularity of ioctl and fcntl
In-Reply-To: <200505021955.37878.johannes.nicolai@hpi.uni-potsdam.de>
References: <200505021955.37878.johannes.nicolai@hpi.uni-potsdam.de>
Message-ID: <20050507151307.GA22827@citi.citi.umich.edu>

On Mon, May 02, 2005 at 07:55:37PM +0200, Johannes Nicolai wrote:
> I have attached a little program to demonstrate how one can use
> fcntl (the same is true for ioctl) to kill an arbitrary process that
> you were also able to kill with the kill command. However, systrace
> only gives me the opportunity to deny or permit fcntl / ioctl at all
> but no translations are available to decide this regarding the flags
> for the system call.

I just committed code to NetBSD's version of systrace that translates the command names of fcntl. Took about 5 minutes to write. I attached the diff.

Niels.

Index: register.c =================================================================== RCS file: /cvsroot/src/bin/systrace/register.c,v retrieving revision 1.9 retrieving revision 1.10 diff -u -r1.9 -r1.10 --- register.c 3 Jun 2003 04:33:44 -0000 1.9 +++ register.c 7 May 2005 15:11:02 -0000 1.10 @@ -1,4 +1,4 @@ -/* $NetBSD: register.c,v 1.9 2003/06/03 04:33:44 provos Exp $ */ +/* $NetBSD: register.c,v 1.10 2005/05/07 15:11:02 provos Exp $ */ /* $OpenBSD: register.c,v 1.11 2002/08/05 14:49:27 provos Exp $ */ /* * Copyright 2002 Niels Provos @@ -167,6 +167,8 @@ X(intercept_register_sccb("netbsd", "kill", trans_cb, NULL)); intercept_register_translation("netbsd", "kill", 0, &ic_pidname); intercept_register_translation("netbsd", "kill", 1, &ic_signame); + X(intercept_register_sccb("netbsd", "fcntl", trans_cb, NULL)); + intercept_register_translation("netbsd", "fcntl", 1, &ic_fcntlcmd); #else X(intercept_register_gencb(gen_cb, NULL)); X(intercept_register_sccb("native", "open", trans_cb, NULL)); 
@@ -271,6 +273,8 @@ X(intercept_register_sccb("native", "kill", trans_cb, NULL)); intercept_register_translation("native", "kill", 0, &ic_pidname); intercept_register_translation("native", "kill", 1, &ic_signame); + X(intercept_register_sccb("native", "fcntl", trans_cb, NULL)); + intercept_register_translation("native", "fcntl", 1, &ic_fcntlcmd); #endif #if !(defined(__NetBSD__) && !defined(HAVE_LINUX_FCNTL_H)) Index: systrace-translate.c =================================================================== RCS file: /cvsroot/src/bin/systrace/systrace-translate.c,v retrieving revision 1.11 retrieving revision 1.12 diff -u -r1.11 -r1.12 --- systrace-translate.c 25 Mar 2003 23:15:22 -0000 1.11 +++ systrace-translate.c 7 May 2005 15:11:02 -0000 1.12 @@ -1,4 +1,4 @@ -/* $NetBSD: systrace-translate.c,v 1.11 2003/03/25 23:15:22 provos Exp $ */ +/* $NetBSD: systrace-translate.c,v 1.12 2005/05/07 15:11:02 provos Exp $ */ /* $OpenBSD: systrace-translate.c,v 1.10 2002/08/01 20:50:17 provos Exp $ */ /* * Copyright 2002 Niels Provos @@ -72,6 +72,7 @@ static int print_uname(char *, size_t, struct intercept_translate *); static int print_pidname(char *, size_t, struct intercept_translate *); static int print_signame(char *, size_t, struct intercept_translate *); +static int print_fcntlcmd(char *, size_t, struct intercept_translate *); static int get_argv(struct intercept_translate *, int, pid_t, void *); static int print_argv(char *, size_t, struct intercept_translate *); 
@@ -389,6 +390,50 @@ } static int +print_fcntlcmd(char *buf, size_t buflen, struct intercept_translate *tl) +{ + int cmd = (intptr_t)tl->trans_addr; + char *name; + + switch (cmd) { + case F_DUPFD: + name = "F_DUPFD"; + break; + case F_GETFD: + name = "F_GETFD"; + break; + case F_SETFD: + name = "F_SETFD"; + break; + case F_GETFL: + name = "F_GETFL"; + break; + case F_SETFL: + name = "F_SETFL"; + break; + case F_GETOWN: + name = "F_GETOWN"; + break; + case F_SETOWN: + name = "F_SETOWN"; + break; + case F_CLOSEM: + name = "F_CLOSEM"; + break; + case F_MAXFD: + name = "F_MAXFD"; + break; + default: + snprintf(buf, buflen, ": %d", cmd); + return (0); + } + + snprintf(buf, buflen, "%s", name); + return (0); +} + + +static int get_argv(struct intercept_translate *trans, int fd, pid_t pid, void *addr) { char *arg; @@ -500,3 +545,8 @@ "signame", NULL, print_signame, }; + +struct intercept_translate ic_fcntlcmd = { + "cmd", + NULL, print_fcntlcmd, +}; Index: systrace.h =================================================================== RCS file: /cvsroot/src/bin/systrace/systrace.h,v retrieving revision 1.17 retrieving revision 1.18 diff -u -r1.17 -r1.18 --- systrace.h 1 Dec 2004 03:30:07 -0000 1.17 +++ systrace.h 7 May 2005 15:11:02 -0000 1.18 @@ -1,4 +1,4 @@ -/* $NetBSD: systrace.h,v 1.17 2004/12/01 03:30:07 provos Exp $ */ +/* $NetBSD: systrace.h,v 1.18 2005/05/07 15:11:02 provos Exp $ */ /* $OpenBSD: systrace.h,v 1.14 2002/08/05 23:27:53 provos Exp $ */ /* * Copyright 2002 Niels Provos @@ -232,6 +232,7 @@ extern struct intercept_translate ic_socktype; extern struct intercept_translate ic_pidname; extern struct intercept_translate ic_signame; +extern struct intercept_translate ic_fcntlcmd; extern struct intercept_translate ic_linux_oflags;

From karim.adel at gmail.com Tue May 10 04:59:40 2005
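Review bot: in the register.c hunk at @@ -167,6 +167,8 @@ (and its "native" twin at @@ -271,6 +273,8 @@) only argument 1 of fcntl, the command, gets a translation, so a policy can now say `cmd eq "F_SETOWN"` but still cannot see argument 2; for F_SETOWN that argument is the process or group the signal will go to, which is exactly what the original question was about. Consider a command-dependent translation of argument 2 as well, in the spirit of the `ic_pidname` translation registered for `kill` two lines above, so that policies can constrain the target rather than only the command.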
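Review bot: in the print_fcntlcmd hunk at @@ -389,6 +390,50 @@ the default branch writes `snprintf(buf, buflen, ": %d", cmd);`, so an untranslated command surfaces in policies as `cmd eq ": 7"` with a stray colon and space, unlike the bare names the other branches produce; `"%d"` looks intended. Two switch coverage points: the POSIX locking commands F_GETLK, F_SETLK and F_SETLKW are absent and will fall into that numeric form, and F_CLOSEM and F_MAXFD are NetBSD-specific while the file still carries an `$OpenBSD:` id, so wrapping those two cases in `#ifdef F_CLOSEM` / `#ifdef F_MAXFD` would keep the translator building on the other platform.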
From: karim.adel at gmail.com (Kim Onnel)
Date: Tue May 10 13:29:50 2005
Subject: [Systrace] tuning systrace policy for expect
Message-ID:

Hi,

I'm trying to generate a policy for an expect script to run.

Script: rpm1

-bash-3.00# cat rpm1
./rtr3 -cisco -telnet x.x.1.1

Which calls an expect script called rtr3, as you can see:

-bash-3.00# more rtr3
#!/usr/local/bin/expect --
#
#
# Connect to a Cisco/Juniper/Unix router and execute one or multiple commands
#
# Syntax: rtr3 [] [ [: ] ]"
#
# $Log: rtr3,v $
# Revision 2.3 2004/12/01 15:55:28 markus
# Remove debug code.
#
# Revision 2.2 2004/12/01 15:36:22 markus
# Implemented command line flags to overwrite default settings.
# (-username -password -enable_password)
#
# Revision 2.1 2004/08/16 10:52:12 markus
# Module logon_cisco, modified error messages
#
# Revision 2.0 2004/06/20 19:00:20 markus
# Added support for Juniper routers
# Added support for SSH transport
# Restructured execute_command_*
# Restructured logon_*
#
# Revision 1.6 2004/03/08 14:46:46 markus
# Fix execute_command in branch ZEBRA
#
# Revision 1.5 2003/11/28 12:36:36 markus
# Separated execute_command logic to distinguish between CISCO, ZEBRA, and UNIX.
#
# Revision 1.4 2003/11/28 10:28:23 markus
# The script now properly handles Cisco routers that go into privileged mode
# without an explicit enable command.
# The script now prints a timestamp upon invocation.
# Output from "spawn telnet" and the logon procedure is now suppressed.
# In non-interactive mode the command output is surrounded by begin and end markers.
# The script now uses expect "#$" when waiting for command output. This fixes a bug
# where lengthy output was truncated.
The rtr3 script needs a .rtr3 file which is located in the user's home directory, ~/.rtr3, and I have it in place. I've tried to auto-generate with systrace -A and tune according to errors, and this is what I have:

-bash-3.00# more home_test_rtr3
Policy: /home/test/rtr3, Emulation: native
native-connect: sockaddr match "inet-*:23" then permit
native-fsread: filename eq "/home" permit
native-fsread: filename eq "/tmp" then permit
native-fsread: filename eq "/usr" then permit
native-fsread: filename eq "/var" then permit
native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_DGRAM" then permit
native-socket: sockdom eq "AF_UNIX" and socktype eq "SOCK_DGRAM" then permit
native-umask: permit
native-write: permit
native-mmap: permit
native-mprotect: permit
native-exit: permit
native-write: permit
native-writev: permit
native-issetugid: permit
native-mprotect: permit
native-mmap: permit
native-__sysctl: permit
native-fsread: filename eq "/var/run/ld.so.hints" then permit
native-fstat: permit
native-close: permit
native-fsread: filename eq "/usr/lib/libc.so.34.1" then permit
native-read: permit
native-mquery: permit
native-fsread: filename eq "/usr/local/lib/libtcl84.so.1.0" then permit
native-fsread: filename eq "/usr/lib/libutil.so.11.0" then permit
native-fsread: filename eq "/usr/lib/libm.so.2.0" then permit
native-munmap: permit
native-sigprocmask: permit
native-fsread: filename eq "/etc/malloc.conf" then permit
native-break: permit
native-lseek: permit
native-sigaction: permit
native-fsread: filename eq "/home/test/." then permit
native-chdir: filename eq "/usr/local/lib/tcl8.4" then permit
native-fsread: filename eq "/usr/local/lib/tcl8.4/encoding" then permit
native-chdir: filename eq "/usr/local/lib/tcl8.4/encoding" then permit
native-fsread: filename eq "/" then permit
native-fsread: filename eq "/usr/local/lib/tcl8.4/encoding/." then permit
native-fsread: filename eq "/usr/local/lib/tcl8.4" then permit
native-fcntl: permit
native-fstatfs: permit
native-getdirentries: permit
native-fsread: filename eq "/usr/local/lib" then permit
native-fsread: filename eq "/usr/local" then permit
native-fsread: filename eq "/usr" then permit
native-fchdir: permit
native-fsread: filename eq "/usr/local/lib/tcl8.4/encoding/iso8859-1.enc" then permit
native-ioctl: permit
native-chdir: filename eq "/usr/local/lib" then permit
native-fsread: filename eq "/usr/local/lib/tcl8.4/." then permit
native-fsread: filename eq "/usr/local/lib/tcl8.4/init.tcl" then permit
native-getpid: permit
native-fswrite: filename eq "/dev/tty" then permit
native-fsread: filename eq "/usr/local/lib/expect5.43/expect.rc" then permit
native-fsread: filename eq "/home/test/.expect.rc" then permit
native-chdir: filename eq "/home" then permit
native-fsread: filename eq "/home/test" then permit
native-chdir: filename eq "/home/test" then permit
native-fsread: filename eq "/home" then permit
native-fsread: filename eq "/home/test/rtr3" then permit
native-write: permit
native-fsread: filename eq "/home/test/.rtr3" then permit
native-pipe: permit
native-gettimeofday: permit
native-fsread: filename eq "/tmp" then permit
native-fswrite: filename eq "/tmp/tclt24674" then permit
native-fork: permit
native-dup2: permit
native-execve: filename eq "/<non-existent filename>: /home/test/bin/date" and argv eq "date" then permit
native-execve: filename eq "/bin/date" and argv eq "date" then permit
native-getsockname: permit
native-wait4: permit
native-fswrite: filename eq "/dev/ptm" then permit
native-fsread: filename eq "/var/run/dev.db" then permit
native-pread: permit
native-setsid: permit
native-fswrite: filename eq "/dev/ttyp2" then permit
native-vfork: permit
native-execve: filename eq "/bin/sh" and argv eq "sh -c /bin/stty sane < /dev/ttyp2" then permit
native-execve: filename eq "/bin/sh" and argv eq "/bin/sh -c exec telnet 172.31.1.1" then permit
native-select: permit
native-fsread: filename eq "/dev/null" then permit
native-nanosleep: permit
native-exit: permit

But that doesn't work, and the error I get on the console is:

-bash-3.00# May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-issetugid(253), args: 0
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-mprotect(74), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-mmap(197), args: 32
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-exit(1), args: 4

Can anyone help me modify my policy?

From ray at cyth.net Tue May 10 11:25:51 2005
From: ray at cyth.net (Ray)
Date: Tue May 10 13:29:50 2005
Subject: [Systrace] Re: tuning systrace policy for expect
In-Reply-To:
References:
Message-ID: <20050510152551.GA7316@syntax.cyth.net>

On Tue, May 10, 2005 at 10:59:40AM +0200, Kim Onnel wrote:
> I've tried to auto generate with systrace -A and tune according to
> errors, and this is what i have :

Can you attach the systrace policy instead of pasting it? The line wrapping's messed up.

--
I've found that people who are great at something are not so much
convinced of their own greatness as mystified at why everyone else
seems so incompetent.
Paul Graham

From karim.adel at gmail.com Wed May 11 04:58:47 2005
From: karim.adel at gmail.com (Kim Onnel)
Date: Thu May 12 12:44:17 2005
Subject: [Systrace] Re: tuning systrace policy for expect
In-Reply-To: <20050510152551.GA7316@syntax.cyth.net>
References: <20050510152551.GA7316@syntax.cyth.net>
Message-ID:

Ok, it's at http://82.129.235.194/systrace_expect.txt

On 5/10/05, Ray wrote:
> On Tue, May 10, 2005 at 10:59:40AM +0200, Kim Onnel wrote:
> > I've tried to auto generate with systrace -A and tune according to
> > errors, and this is what i have :
>
> Can you attach the systrace policy instead of pasting it? The line
> wrapping's messed up.
>
> --
> I've found that people who are great at something are not so much
> convinced of their own greatness as mystified at why everyone else
> seems so incompetent.
> Paul Graham
>

From ray at cyth.net Wed May 11 09:38:50 2005
From: ray at cyth.net (Ray)
Date: Thu May 12 12:44:19 2005
Subject: [Systrace] Re: tuning systrace policy for expect
In-Reply-To:
References: <20050510152551.GA7316@syntax.cyth.net>
Message-ID: <20050511133850.GA3254@syntax.cyth.net>

On Wed, May 11, 2005 at 10:58:47AM +0200, Kim Onnel wrote:
> On 5/10/05, Ray wrote:
> > On Tue, May 10, 2005 at 10:59:40AM +0200, Kim Onnel wrote:
> > > I've tried to auto generate with systrace -A and tune according to
> > > errors, and this is what i have :
> >
> > Can you attach the systrace policy instead of pasting it? The line
> > wrapping's messed up.
>
> Ok, its at http://82.129.235.194/systrace_expect.txt

I meant the policy itself, not the deny logs.

From ray at cyth.net Wed May 11 11:47:51 2005
From: ray at cyth.net (Ray)
Date: Thu May 12 12:44:20 2005
Subject: [Systrace] tuning systrace policy for expect
In-Reply-To:
References:
Message-ID: <20050511154751.GB31873@syntax.cyth.net>

On Tue, May 10, 2005 at 10:59:40AM +0200, Kim Onnel wrote:
> native-fsread: filename eq "/home" permit

This line should be:

native-fsread: filename eq "/home" then permit

Because this line failed, all lines below it are ignored, causing systrace to deny system calls such as issetugid, which was permitted below the line at fault.

From johnw.mail at gmail.com Thu May 12 11:33:51 2005
From: johnw.mail at gmail.com (John Wong)
Date: Thu May 12 12:44:20 2005
Subject: [Systrace] systrace + sudo problem
Message-ID:

I use OpenBSD. I have no sudo systrace policy (usr_bin_sudo), but why can I still use sudo with systrace??

rm -rf ~/.systrace
ls /etc/systrace (nothing in /etc/systrace)
. ..

When I type "systrace -Ua sudo su" or "systrace -a sudo su",

Password: (type password here)

I am root now... but other programs don't have this problem, only "sudo" bypasses.

From ray at cyth.net Thu May 12 14:11:11 2005
From: ray at cyth.net (Ray)
Date: Sun Jun 12 13:31:23 2005
Subject: [Systrace] systrace + sudo problem
In-Reply-To:
References:
Message-ID: <20050512181110.GA30500@syntax.cyth.net>

On Thu, May 12, 2005 at 11:33:51PM +0800, John Wong wrote:
> i use OpenBSD, i have not sudo systrace policy(usr_bin_sudo),
> but why i can still use sudo with systrace??

sudo is setuid.

From ray at cyth.net Mon May 16 12:58:24 2005
From: ray at cyth.net (Ray)
Date: Sun Jun 12 13:31:25 2005
Subject: [Systrace] tuning systrace policy for expect
In-Reply-To:
References: <20050511154751.GB31873@syntax.cyth.net>
Message-ID: <20050516165822.GA20281@syntax.cyth.net>

On Sun, May 15, 2005 at 01:29:31PM +0200, Kim Onnel wrote:
> Hello Ray

Hi Kim,

Please reply to the mailing list instead of only to me.

> I am still having a problem with tuning the systrace policy for the expect
> script that will be used to let users automatically login to network
> devices without entering their passwords.
>
> In detail:
>
> I have a shell script 'rpm' that is calling the expect script 'rtr3';
> the script 'rtr3' uses a file ~/.rtr3, which has the passwords saved,
> and it has to be in the user's home directory since it uses each user's
> own password saved in the file.
>
> I've generated a policy for both, but I get errors. From my humble
> experience with systrace, I've tried to tune the policy, permit and
> so on, but had no luck.
>
> I've listed below all the contents of the scripts, the policies I've
> tried to tune and the errors I got, perms of files and locations,
> please troubleshoot with me.
>
> $ whoami
> mamin
>
> $ ls -alh .rtr3
> -rw-r--r-- 1 mamin mamin 298B May 15 12:18 .rtr3
>
> $ ls -alh /usr/bin/rpm
> -rwxr-xr-x 1 root wheel 2.0K May 11 19:12 /usr/bin/rpm
>
> $ ls -alh /usr/bin/rtr3
> -rwxr-xr-x 1 root wheel 23.0K May 11 19:23 /usr/bin/rtr3
>
> $ ls -alh /etc/systrace/usr_bin_rpm
> -rw-r--r-- 1 root wheel 1.3K May 15 12:44 /etc/systrace/usr_bin_rpm
>
> $ ls -alh /etc/systrace/usr_bin_rtr3
> -rw-r--r-- 1 root wheel 4.9K May 15 12:42 /etc/systrace/usr_bin_rtr3
>
> $ rpm auto
> /usr/bin/rpm[45]: rtr3: Operation not permitted
>
> $ rtr3
> ERROR: ~/.rtr3 does not exist
> Default username and passwords are most likely not suitable for your network.
> invalid command name "display_usage_note_and_exit"
> while executing
> "display_usage_note_and_exit"
> invoked from within
> "if [file exists ~/.rtr3] {
> source ~/.rtr3
> } else {
> puts "ERROR: ~/.rtr3 does not exist"
> puts "Default username and passwords are most likely not suita..."
> (file "/usr/bin/rtr3" line 56)
> $
>
> The errors:
>
> rpm script:
>
> -bash-3.00# May 15 13:24:03 bastion2 systrace: deny user: mamin, prog:
> /usr/bin/rpm, pid: 14918(1)[29487], policy: /usr/bin/rpm, filters: 40,
> syscall: native-fsread(291), filename: /var/mail/mamin

Whenever you see denies like these you can easily translate them into permit rules:

native-fsread: filename eq "/var/mail/mamin" then permit

> May 15 13:24:03 bastion2 systrace: deny user: mamin,
> prog:/usr/bin/rpm, pid: 14918(1)[29487], policy: /usr/bin/rpm,
> filters: 40,syscall: native-fsread(291), filename: /<non-existent filename>:/home/mamin/bin/rtr3

Use this to avoid logging attempts to read nonexistent filenames:

native-fsread: filename sub "<non-existent filename>" then deny[enoent]

> May 15 13:24:03 bastion2 systrace: deny user: mamin, prog:
> /usr/bin/rpm, pid: 20755(1)[14918], policy: /usr/bin/rpm, filters: 40,
> syscall: native-execve(59), filename: /usr/bin/rtr3, argv: rtr3 -cisco
> -telnet 172.31.1.41

[...]

> if [ $1 == "adsl" ]
> then
> rtr3 -cisco -telnet 172.31.1.95
> fi
>
> if [ $1 == "adsl2" ]
> then
> rtr3 -cisco -telnet 172.31.1.96
> fi

Use this line to connect to any host 172.31.1.96:

native-execve: filename eq "/usr/bin/rtr3" and argv match "rtr3 -cisco -telnet 172.31.1.*" then permit

> native-fsread: filename eq "~/.expect.rc" then permit
> native-fsread: filename eq "~/expect.rc" then permit
> native-fsread: filename eq "~/.rtr3" then permit
> native-fsread: filename eq "~/.systrace/." then permit

I don't think tilde-expansion works in systrace, though I've never tried it.
> native-fswrite: filename eq "/tmp/tclt24674" then permit

Rules like these you want to change to something like this:

native-fswrite: filename match "/tmp/tcl*" then permit
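Two pieces of Ray's advice in this thread lend themselves to a mechanical check: a rule with a predicate but no `then` (his diagnosis of Kim's `native-fsread: filename eq "/home" permit` line) and the habit of turning each `deny` log line into a matching permit rule, with the `deny[enoent]` form for lookups of files that do not exist. The following is an added example, not code from the thread or from systrace itself. It assumes the rule grammar `emul-syscall: [predicate then] action[errno]` and the log line layout that appears in the posts above; the sample policy and deny lines are constructed from those posts, and the `<non-existent filename>` marker is taken from the deny line Ray quotes.

```python
"""Added example: check a systrace policy for malformed rules and turn
deny log lines into candidate policy rules.  Not part of systrace."""
import re
from typing import List, Optional, Tuple

# Assumed grammar: "emul-syscall: [predicate then] action[errno]".
ACTION_RE = re.compile(r'^(permit|deny|ask)(\[\w+\])?(\s+log)?$')
RULE_RE = re.compile(r'^(?P<syscall>[a-z]+-\w+):\s*(?P<body>.+)$')
# Assumed log layout, as seen in the thread's syslog excerpts.
DENY_RE = re.compile(
    r'systrace: deny .*?syscall: (?P<syscall>[a-z]+-\w+)\(\d+\)'
    r'(?:, (?P<rest>.*))?$')
NONEXISTENT = '<non-existent filename>'


def check_policy(policy: str) -> List[Tuple[int, str, str]]:
    """Return (line number, line, problem) for each malformed rule.

    The case to catch is a predicate with the ``then`` keyword missing,
    which is what disabled the rest of Kim's hand-edited policy."""
    problems = []
    for lineno, raw in enumerate(policy.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#') or line.startswith('Policy:'):
            continue  # blank line, comment or the policy header
        m = RULE_RE.match(line)
        if m is None:
            problems.append((lineno, line, 'not a rule'))
            continue
        body = m.group('body')
        if ACTION_RE.match(body):
            continue  # bare form, e.g. "native-umask: permit"
        if ' then ' not in body:
            problems.append((lineno, line, 'predicate without "then"'))
            continue
        _predicate, action = body.rsplit(' then ', 1)
        if not ACTION_RE.match(action):
            problems.append((lineno, line, 'unknown action %r' % action))
    return problems


def suggest_rule(logline: str) -> Optional[str]:
    """Translate one systrace deny log line into a candidate rule.

    Untranslated syscalls become a bare permit, translated arguments
    become ``eq`` predicates, and a lookup of a non-existent file gets
    the ``deny[enoent]`` rule so the miss is neither logged nor fatal."""
    m = DENY_RE.search(logline)
    if m is None:
        return None
    syscall, rest = m.group('syscall'), m.group('rest') or ''
    if not rest or rest.startswith('args: '):
        return f'{syscall}: permit'
    predicates = []
    # Fields look like "filename: /x, argv: rtr3 -cisco ..."; split only
    # at separators that are followed by another "key: " token.
    for field in re.split(r', (?=\w+: )', rest):
        key, value = field.split(': ', 1)
        if key == 'filename' and NONEXISTENT in value:
            return f'{syscall}: filename sub "{NONEXISTENT}" then deny[enoent]'
        predicates.append(f'{key} eq "{value}"')
    return f'{syscall}: ' + ' and '.join(predicates) + ' then permit'


# Constructed sample input, cut down from the policy and logs in the thread.
SAMPLE_POLICY = """Policy: /home/test/rtr3, Emulation: native
native-connect: sockaddr match "inet-*:23" then permit
native-fsread: filename eq "/home" permit
native-fsread: filename eq "/tmp" then permit
native-issetugid: permit
"""

SAMPLE_DENIES = [
    'May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, '
    'pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, '
    'syscall: native-issetugid(253), args: 0',
    'May 15 13:24:03 bastion2 systrace: deny user: mamin, prog: /usr/bin/rpm, '
    'pid: 14918(1)[29487], policy: /usr/bin/rpm, filters: 40, '
    'syscall: native-fsread(291), filename: /var/mail/mamin',
    'May 15 13:24:03 bastion2 systrace: deny user: mamin, prog: /usr/bin/rpm, '
    'pid: 14918(1)[29487], policy: /usr/bin/rpm, filters: 40, '
    'syscall: native-fsread(291), filename: /<non-existent filename>:/home/mamin/bin/rtr3',
    'May 15 13:24:03 bastion2 systrace: deny user: mamin, prog: /usr/bin/rpm, '
    'pid: 20755(1)[14918], policy: /usr/bin/rpm, filters: 40, '
    'syscall: native-execve(59), filename: /usr/bin/rtr3, argv: rtr3 -cisco -telnet 172.31.1.41',
]

if __name__ == '__main__':
    for lineno, line, problem in check_policy(SAMPLE_POLICY):
        print(f'line {lineno}: {problem}: {line}')
    for entry in SAMPLE_DENIES:
        print(suggest_rule(entry))
```

The checker only reports syntax; it does not decide whether a rule is too broad, and the generalisation Ray recommends for temp files (`match "/tmp/tcl*"` instead of a fixed `eq`) is still a judgement call for whoever reviews the suggested rules before they go into the policy.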