Re: [PATCH 2/3] Security: Implement disablenetwork semantics. (v4)

From: Valdis . Kletnieks
Date: Mon Jan 11 2010 - 21:56:24 EST


On Sun, 10 Jan 2010 22:58:48 +0100, Pavel Machek said:

> Scenario 2:
>
> Mallory calls disablenetwork, calls sendmail as the first user after
> boot; sendmail can't deliver anything (its network is disabled), but
> starts forking and taking requests for other users, DoSing the mail
> delivery.

You need to be root to start sendmail as a daemon. If Mallory is getting
a root shell before your /etc/rc.d scripts have started sendmail, you
have bigger problems.

> Scenario 3:
>
> Mallory calls disablenetwork, then keeps hammering on su, knowing that
> su can no longer send data to audit subsystem and so he will not get caught.

I assume you mean syslog, not audit. And it still won't work.

% strace /usr/bin/logger test message
...
socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 1
connect(1, {sa_family=AF_FILE, path="/dev/log"}, 110) = 0
sendto(1, "<13>Jan 11 21:49:25 logger: test"..., 40, MSG_NOSIGNAL, NULL, 0) = 40
close(1) = 0

su's complaint will get written to /dev/log which isn't interfered with
by the disablenetwork patch - and then syslogd will forward over the net
if configured to do so.

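
The strace in the message above shows local syslog delivery going through an AF_UNIX datagram socket addressed by a filesystem path. The following C program is an added example, not part of the original message or the patch: it repeats that call sequence against a constructed stand-in socket and decodes the <13> priority. The function names and the /tmp path are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Address a filesystem-path socket, which is what /dev/log is. */
static void unix_addr(struct sockaddr_un *a, const char *path) {
    memset(a, 0, sizeof *a);
    a->sun_family = AF_UNIX;
    strncpy(a->sun_path, path, sizeof a->sun_path - 1);
}

/* Same sequence as the strace: socket, connect, sendto, close. */
int send_local_log(const char *path, int pri, const char *msg) {
    struct sockaddr_un a;
    char buf[256];
    int n = snprintf(buf, sizeof buf, "<%d>%s", pri, msg);
    if (n < 0 || (size_t)n >= sizeof buf) return -1;
    int fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    if (fd < 0) return -1;
    unix_addr(&a, path);
    if (connect(fd, (struct sockaddr *)&a, sizeof a) < 0) { close(fd); return -1; }
    ssize_t sent = sendto(fd, buf, (size_t)n, MSG_NOSIGNAL, NULL, 0);
    close(fd);
    return sent == n ? 0 : -1;
}

/* Stand-in for syslogd: bind the path, take one datagram, return its PRI. */
int roundtrip_pri(const char *path, const char *msg, char *out, size_t outlen) {
    struct sockaddr_un a;
    int pri = -1, srv = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    if (srv < 0) return -1;
    unix_addr(&a, path);
    unlink(path); /* constructed demo path only, never /dev/log */
    if (bind(srv, (struct sockaddr *)&a, sizeof a) == 0 && send_local_log(path, 13, msg) == 0) {
        ssize_t n = recv(srv, out, outlen - 1, 0);
        if (n > 0) { out[n] = '\0'; sscanf(out, "<%d>", &pri); }
    }
    close(srv); unlink(path);
    return pri;
}

int main(void) {
    char got[256] = "";
    int pri = roundtrip_pri("/tmp/devlog-demo.sock", "logger: test message", got, sizeof got);
    printf("pri=%d facility=%d severity=%d raw=%s\n", pri, pri >> 3, pri & 7, got);
    return pri == 13 ? 0 : 1;
}
```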