users, "private" groups, and The Unix Way (was, Re: Is it me or is it sudo?)

Bryn M. Reeves bmr at redhat.com
Tue Apr 3 08:47:35 UTC 2012



On 04/03/2012 08:10 AM, Joel Rees wrote:
> On Tue, Apr 3, 2012 at 3:27 PM, Tim <ignored_mailbox at yahoo.com.au>
> wrote: s/some/a lot of/
> 
> if you set it up right.

It can still do a fair amount of nasty stuff.

> "xhost local:<subuser-id>; sudo -u <subuser-id>" does pretty well
> with current applications.

You're allowing the local sandbox user to connect to the local X
server so any process running in one of your sandboxes can start a
connection to X and start looking for vulnerabilities to exploit.

Due to the elevated privilege with which X runs this could include
privilege escalations. There have been vulnerabilities of this kind in
the past that allowed an attacker to quickly gain a root shell given
the ability to connect to the X server.

> Now, if I'm going to my bank site, I do log out and log in as a
> different user, just to be extra safe.

I think you'd be better off taking a look at Daniel Walsh's blog posts
on confining X applications with the SELinux sandbox. The first post
introduces and explains the general sandbox concept:

http://danwalsh.livejournal.com/28545.html

And the follow-up looks at extending this to untrusted X applications
using a temporary xguest account (with dynamic $HOME and $TMP) and the
Xephyr X-on-X server to provide much stronger separation between the
sandbox and the rest of the system:

http://danwalsh.livejournal.com/31146.html

Fedora already provides contexts to use with the sandbox such as
sandbox_x_t, sandbox_web_t, sandbox_net_t etc. depending on the
particular resources you want to allow the sandbox to access.

The post discusses future improvements to simplify retrieving files
from the sandbox when the application exits but I'm not sure of the
current status of that work.

Regards,
Bryn.
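As an added example (not part of the post above), a small script that checks xhost(1) output for the kind of access-list entry the quoted "xhost local:<subuser-id>; sudo -u" recipe relies on, and builds the confined alternative the reply recommends; the sandbox(8) invocation assumes Fedora's policycoreutils sandbox with its -X and -t options, and the xhost output samples are constructed.

```shell
#!/bin/sh
# Added example, not from the list post. The point of the reply: once the
# X access list is opened for the sandbox uid, every process running as
# that uid can talk to the real X server. Check for that, and prefer a
# sandbox(8) run with a nested Xephyr display and a throwaway $HOME/$TMP.

# Return 0 if the given xhost(1) output contains an access-list entry.
# LOCAL/INET/INET6 entries admit any local (or remote) process regardless
# of uid; SI:localuser:<name> entries admit every process of one uid.
xhost_is_open() {
    printf '%s\n' "$1" | grep -Eq '^(LOCAL:|INET:|INET6:|SI:localuser:)'
}

# Print the uids granted by SI:localuser: entries, one per line.
xhost_granted_users() {
    printf '%s\n' "$1" | sed -n 's/^SI:localuser:\(.*\)$/\1/p'
}

# Build the confined command line: $1 is the SELinux sandbox type
# (sandbox_x_t, sandbox_web_t, sandbox_net_t, ...), the rest is the command.
# -X gives the program its own Xephyr server instead of the real display.
sandbox_cmd() {
    sb_type="$1"; shift
    printf 'sandbox -X -t %s %s\n' "$sb_type" "$*"
}

# Constructed sample: what xhost prints after "xhost +si:localuser:sandbox1".
SAMPLE_OPEN='access control enabled, only authorized clients can connect
SI:localuser:sandbox1'
# Constructed sample: the default state with nothing added.
SAMPLE_CLOSED='access control enabled, only authorized clients can connect'

main() {
    if xhost_is_open "$SAMPLE_OPEN"; then
        echo "X access list admits extra uids: $(xhost_granted_users "$SAMPLE_OPEN")"
        echo "confined alternative: $(sandbox_cmd sandbox_web_t firefox)"
    fi
    if ! xhost_is_open "$SAMPLE_CLOSED"; then
        echo "default access list: only authorized clients"
    fi
}
main
```

On a live system replace the samples with `xhost_is_open "$(xhost)"`.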

