New Security Features in FreeBSD 4.0

Security Features in FreeBSD 4.0
M. Warner Losh
Timing Solutions, Inc.
FreeBSD Security Officer
[email protected]
http://www.freebsd.org/~imp/japan-00.ppt
June 9-10, 2000
JUS/K*BUG Seminars
V-1
Road Map to Talk
• Introduction
• New technical features
• New organizational features
• A closer look at jail(8)
• Q&A
V-2
New Technical Features
• jail(8) and chroot(2) enhancements
• OpenSSL and OpenSSH
• Many vulnerabilities from “ports” corrected
• IPv6 and IPsec added
• Secure telnet using SRA
• New resource limits created
• Bug fixes: many DoS issues corrected
• ipfilter and ipfw improvements
V-3
New Organizational Details
• Total system approach to security
• Mr. Kris Kennaway now coordinates “ports”-related security issues
• Security advisories now issued for “ports”
• FreeBSD system administrators are members of the security-officer mailing list
• FreeBSD Auditing project
• Security awareness activism
V-4
A Closer Look at Jail(8)
• Historical perspective
• What is wrong with chroot?
• What jail(8) adds over chroot(8)
• How does jail(8) fix those problems?
• A quick example
• Where to find more information about jail(8)
V-5
Historical Efforts
• chroot jails were constructed to help firewall systems
• chroot was also used to segregate users from each other on highly secure machines
• chroot environments were used to allow multiple versions of software to run on the same machine unchanged
V-6
Problems with chroot(8)
• A process can obtain or keep references (open files, its current directory) outside the chroot tree
• The superuser can still do everything, including accessing the raw disk and mounting filesystems
• chroot(2) does not change the current directory, so it is easy to accidentally contaminate a chroot jail’s environment
• Hard to make secure against root
V-7
How is jail(2) different from chroot(2)?
• chroot(2) only changes the root directory
• jail(2) does everything that chroot(2) does, as well as:
  • changes the current directory to the root of the jail
  • dilutes superuser abilities while in the jail
  • assigns one IP address for use only by the jail
  • restricts what jailed processes can see outside of the jail
  • flags jailed processes as being in a jail
V-8
A quick example -- Setting up the tree
D=/here/is/the/jail          # root directory of the new jail tree
cd /usr/src
make hierarchy DESTDIR=$D    # create the directory skeleton under $D
make obj
make depend
make all                     # build the world from /usr/src
make install DESTDIR=$D      # install it into the jail tree, not onto the host
cd etc
make distribution DESTDIR=$D NO_MAKEDEV=yes   # populate $D/etc; device nodes are made next
cd $D/dev
sh MAKEDEV jail              # only the device nodes a jail is allowed to use
cd $D
ln -sf dev/null kernel       # stand-in for /kernel inside the jail
V-9
An Example -- Configuration
• Restrict host services that listen on all addresses (INADDR_ANY), since they would also answer on the jail’s IP: nfs, portmapper, inetd, sendmail, bind, etc.
• Copy /stand/sysinstall to $D/stand/sysinstall
• Start the jail:
  jail $D my-jail-name 10.0.0.1 /bin/sh
• Run /stand/sysinstall inside the jail to configure it
• Set up the timezone, add accounts, disable network interfaces, etc.
• Exit the jail
V-10
A quick example -- starting the jail
• Add the jail’s IP address as an alias on a network interface
• Mount procfs on the jail’s /proc directory
• Start the jail:
  jail $D my-jail-name 10.0.0.1 /bin/sh /etc/rc &
• Let the jail do its thing.
• To make this permanent, you’ll need to write an rc.d script that does this at startup.
V-11
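The rc.d script the slide calls for, as an added example written for this page (it is not from the talk, nor from FreeBSD’s own rc.d collection). It wraps the three host-side steps of the “starting the jail” slide behind a preflight check of the tree built on the “Setting up the tree” slide. The function names, the jail_if interface variable (fxp0 is only a placeholder), the JAIL_DRY_RUN switch and the /32 netmask on the alias are this example’s own choices; the command syntax it assumes is FreeBSD 4.x ifconfig(8) with alias, mount(8) with -t procfs, and jail(8)’s “path hostname ip command” argument order shown on the slide.

```sh
#!/bin/sh
# Added example, not from the slides or from FreeBSD: an rc.d-style starter
# for a jail built with the "Setting up the tree" procedure. Run on the host
# as "sh jail.sh start"; set JAIL_DRY_RUN=1 to print the commands instead.

jail_root=${jail_root:-/here/is/the/jail}   # $D from the setup slide
jail_name=${jail_name:-my-jail-name}        # hostname handed to jail(8)
jail_ip=${jail_ip:-10.0.0.1}                # the jail's single IP address
jail_if=${jail_if:-fxp0}                    # interface for the alias (assumed name)

# is_dotted_quad: true only for an IPv4 address a.b.c.d with each octet 0-255.
# jail(8) in 4.0 binds a jail to exactly one address, so validate it first.
is_dotted_quad() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*|'') return 1 ;;   # junk, empty, or stray dots
    esac
    rest=$1. n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}
        n=$((n + 1))
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    [ $n -eq 4 ]
}

# jail_preflight: check that the tree from the setup slide is complete enough
# to boot with /etc/rc. Prints the first problem found and returns 1.
jail_preflight() {
    root=$1; ip=$2
    [ -d "$root" ]          || { echo "no jail root: $root"; return 1; }
    [ -x "$root/bin/sh" ]   || { echo "missing $root/bin/sh (make install)"; return 1; }
    [ -f "$root/etc/rc" ]   || { echo "missing $root/etc/rc (make distribution)"; return 1; }
    [ -e "$root/dev/null" ] || { echo "missing $root/dev/null (sh MAKEDEV jail)"; return 1; }
    [ -d "$root/proc" ]     || { echo "missing $root/proc (procfs mount point)"; return 1; }
    is_dotted_quad "$ip"    || { echo "bad jail IP: $ip"; return 1; }
    return 0
}

# jail_start_cmds: print the three host-side commands from the "starting the
# jail" slide, one per line, for the given parameters. Keeping them in one
# place lets jail_start run them and lets you review them before the host's
# network configuration is touched.
jail_start_cmds() {
    root=$1; name=$2; ip=$3; ifc=$4
    # A /32 netmask keeps the alias from competing with the host's own
    # address on the same subnet (FreeBSD ifconfig(8) alias convention).
    echo "ifconfig $ifc inet $ip netmask 255.255.255.255 alias"
    echo "mount -t procfs proc $root/proc"
    echo "jail $root $name $ip /bin/sh /etc/rc"
}

# jail_start: preflight, then run the commands in order. jail(8) stays
# attached to /etc/rc, so the last command is backgrounded as on the slide.
jail_start() {
    jail_preflight "$jail_root" "$jail_ip" || return 1
    jail_start_cmds "$jail_root" "$jail_name" "$jail_ip" "$jail_if" |
    while IFS= read -r cmd; do
        if [ "${JAIL_DRY_RUN:-0}" = 1 ]; then
            echo "+ $cmd"
        else
            case $cmd in
                jail\ *) eval "$cmd" & ;;
                *)       eval "$cmd" || { echo "failed: $cmd" >&2; exit 1; } ;;
            esac
        fi
    done
}

case ${1:-} in
    start) jail_start ;;
esac
```

The preflight is deliberately strict: a tree that lacks /etc/rc or the MAKEDEV jail device nodes would start and then fail half-way through rc, leaving an interface alias and a procfs mount behind on the host. Checking the address before touching ifconfig matters for the same reason.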
Problems with jail(8)
• Not a complete virtual machine
• Every jail needs its own complete chroot tree, which is a large disk overhead
• No management facilities for jailed processes
• Can be hard to set up
• NFS can get confused in jailed systems
V-12
Where can I find more about jail(8)?
• Man pages: jail(2), jail(8)
• /usr/share/doc/papers/jail.ps
• http://people.freebsd.org/~imp/jail.html
V-13
Questions and Answers
• 42
Warner Losh
Timing Solutions, Inc.
FreeBSD Security Officer
[email protected]
V-14