leaving setfcap in docker containers
by Matthew Miller
Quick backstory: unless run in privileged mode, Docker drops a bunch of
capabilities when launching a container. One of these is setfcap. This
breaks binary RPMs like httpd where the daemon is installed with file
capabilities instead.
We're considering removing setfcap from the list of dropped capabilities. It
seems safe to me (note that you run as root inside the container), but I'd
like some security-minded review. Could this be used for evil?
https://bugzilla.redhat.com/show_bug.cgi?id=1012952
Thanks!
--
Matthew Miller ☁☁☁ Fedora Cloud Architect ☁☁☁ <mattdm(a)fedoraproject.org>
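For the "could this be used for evil" review, the check a defender wants is concrete: which capabilities are in the container's bounding set, and what a file-capped binary could actually gain at exec time. The script below is an added example (not from the post or from Docker); it decodes the Cap* masks that /proc/PID/status prints and applies the kernel's exec rule from capabilities(7). The status text and both masks are constructed for illustration, and the capability numbering follows linux/capability.h.

```python
"""Decode /proc/<pid>/status capability masks and check CAP_SETFCAP.

Added example; not part of the mailing-list post. Sample data is constructed.
"""

# Capability numbers as defined in <linux/capability.h> (bit = index).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read",
]
CAP_BIT = {name: bit for bit, name in enumerate(CAP_NAMES)}


def parse_cap_masks(status_text):
    """Return {'CapInh': int, 'CapPrm': int, ...} from a /proc/<pid>/status dump."""
    masks = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            field, _, value = line.partition(":")
            masks[field.strip()] = int(value.strip(), 16)
    return masks


def caps_in_mask(mask):
    """Names of all capabilities whose bit is set in the mask."""
    return {name for name, bit in CAP_BIT.items() if mask >> bit & 1}


def has_cap(mask, name):
    """True if the named capability is present in the mask."""
    return bool(mask >> CAP_BIT[name] & 1)


def permitted_after_exec(file_permitted, bounding, file_inheritable=0,
                         proc_inheritable=0):
    """Permitted set a process ends up with after exec'ing a file-capped binary.

    Kernel rule (capabilities(7)):
      P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & cap_bset)
    So even if root inside the container may *set* file capabilities, the
    bounding set still masks what those file capabilities can grant.
    """
    return (proc_inheritable & file_inheritable) | (file_permitted & bounding)


# Constructed sample: a root process whose bounding set lacks CAP_SETFCAP
# (bit 31) but otherwise looks like a typical container capability set.
SAMPLE_STATUS = """\
Name:\thttpd
CapInh:\t00000000280425fb
CapPrm:\t00000000280425fb
CapEff:\t00000000280425fb
CapBnd:\t00000000280425fb
"""

# Constructed: the same set with bit 31 (setfcap) left in the bounding set.
SETFCAP_KEPT_BND = 0xA80425FB


def setfcap_report(status_text):
    """Summarise whether setfcap is in the bounding set and what it would add."""
    bnd = parse_cap_masks(status_text)["CapBnd"]
    return {
        "setfcap_in_bounding_set": has_cap(bnd, "setfcap"),
        "bounding_set": sorted(caps_in_mask(bnd)),
    }


if __name__ == "__main__":
    print(setfcap_report(SAMPLE_STATUS))
    # A binary given file caps setfcap+net_bind_service under the sample
    # bounding set only gains net_bind_service.
    fcaps = (1 << CAP_BIT["setfcap"]) | (1 << CAP_BIT["net_bind_service"])
    print(sorted(caps_in_mask(permitted_after_exec(fcaps, 0x280425FB))))
```

To use it on a real container, feed `open("/proc/self/status").read()` to `setfcap_report` from inside the container and compare the bounding set with and without the change under discussion; the `permitted_after_exec` rule is what bounds the damage either way.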
9 years, 8 months
Re: F19 Firewall
by Lance Lassetter
Firewalld is just not workable enough for me. For instance I need to have quirky netfilter rules to make my squid proxy setup work properly. There is no easy way to do this with firewalld. Also I set up an iptables queue so that netfilter supports suricata ips mode. This also, no easy way...
Netfilter is just so diverse and firewalld seems to strip a lot of that diversity away.
What about the idea that people who want to write their own iptables custom scripts can have, after writing the script and implementing it, a smart way for the script to be imported...the whole script, into firewalld. Last I tried, my nat rules weren't compatible with firewalld. Like maybe a simple iptables-save then a firewalld-save or the like. Then maybe ask if to import it into firewalld's 'home', 'work', 'public', etc.
Lance
Kurt Seifried <kseifried(a)redhat.com> wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Some random thoughts:
>
>1) it would be nice to have capabilities like "do you want to let
>program X talk to the internet/receive connections" for client
>software with a GUI notification (like basically all the windows
>client/Mac OS X client firewall stuff). I would say this is probably
>the biggest capability needed for normal end users.
>
>2) Tying firewall into networking detection, e.g. windows "is this
>your home/business/public network" and then remembering it (I assume
>IP/Mac address of default gateway would be a reasonably good way to
>identify networks).
>
>3) Make it easy to modify policy, e.g. in section 1) if you choose to
>block/deny something and realize that was the wrong decision how do
>you go in an modify it? In Windows this is a PITA for normal users.
>
>Overall I'm not really sure firewalld solves much, anyone running a
>server will probably be able to tweak iptables to allow incoming
>services they want. So do we aim it at the end user/workstation style
>usage primarily (especially ones that move around networks)?
>
>- --
>Kurt Seifried Red Hat Security Response Team (SRT)
>PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.14 (GNU/Linux)
>
>iQIcBAEBAgAGBQJSQdXYAAoJEBYNRVNeJnmTC6wQAIW3HNlAqfSkMSZqbFG6kbj/
>GOlnzjJOrUzt/LWwOGPCTmg/GgSOHrT4t1gT1577sL2LM5wPGCF/oll84RehiZd8
>PXNiyq3QnsOJFLjmEbm1YfGpDGae5+uR4IR3Bm1MVHBjvquhlqaje0b1yI2gs8Do
>LY9sXeGmYh+YjKIUDJrOCCS/I/xE8Zl4D+aU/s1BumV9LxwsOURTzXv5x32C8zwS
>5MH5rvX9LO5vJn0VMByRsoXrCSybyLnRmsDvAH9yYx+WjforKsU4wq2QVLYDtjU/
>0TO/n7qP1WO7doixYLymxwm+Fnk8J7HGa2t/2of2ZvX2AB3eRLmzj+tKzKohZR4H
>jxCLImHLx/puPr6VA/4ENSrHltCCbTSDvlZGxTHAeHwszmQzYMXZ8Qv/leRf4ThO
>E3wvuoIpgUWSEbE8RjVmXjX/Cd1GYz6ns35ydy2kZgHr4AfQifF+hdWHPP63/hrJ
>C21iZylvIMJKF2cWOXwR4X+Zr9tDthf+UDeEE3J/uQAfj3LDvjdHXqd0xcgOSrae
>nP0hPHj0apZrzY0zJfcn3JNipRDDl3qNgs8Q8tFAut5WvubCdLlVFXvLWMs6mOA2
>6TmN4ZzEh0zfeGLq+LZ1kAY0ZsIds9ziyKsxAPGlTQz3Ax9rjb40BOwClHc4wbOF
>6DzOg7WN87fRSO/wCTy3
>=dDnL
>-----END PGP SIGNATURE-----
>--
>security mailing list
>security(a)lists.fedoraproject.org
>https://admin.fedoraproject.org/mailman/listinfo/security
9 years, 8 months
Emergency destruction of LUKS partition
by Eric Christensen
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Someone asked me about this recently and I haven't had a chance to fully wrap my head around the solution but thought it was an interesting scenario.
Background:
Someone knows you have encrypted your computer using LUKS. They convince you to enter (or otherwise provide) your passphrase via the large wrench method[0].
Realcrypt method:
There is plausible deniability (if properly implemented) whereas you could provide the person with the alternate passphrase which would give them access to a portion of the encrypted partition but not your real working partition.
LUKS:
There is no way to provide plausible deniability.
Proposed solution:
LUKS provides four key slots to use for decrypting a partition. How about having one key slot that, when used, immediately implements a deletion of the encrypted partition (or at least the key record).
Thoughts?
[0] http://www.xkcd.org/538/
- -- Eric
- --------------------------------------------------
Eric "Sparks" Christensen
Fedora Project
sparks(a)fedoraproject.org - sparks(a)redhat.com
097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1
- --------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
=Tdc5
-----END PGP SIGNATURE-----
9 years, 8 months
Re: F19 Firewall
by Lance Lassetter
I can surely wait as long as iptables is an available option (init scripts, iptables-save, etc)
:-)
Lance
Jiri Popelka <jpopelka(a)redhat.com> wrote:
>On 09/27/2013 03:04 PM, Lance Lassetter wrote:
>> with firewalld can i import this rule:
>>
>> /sbin/iptables -I FORWARD -m mark ! --mark 1/1 -j NFQUEUE
>>
>> and these rules:
>>
>> /sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --gid-owner squid -j ACCEPT
>> /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.2:3129
>> /sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
>> /sbin/iptables -t nat -A OUTPUT -p tcp --dport 3129 -m owner --uid-owner squid -j ACCEPT
>> /sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3129
>>
>> hence, Netfilter rules by user/group and using NFQUEUE target.
>>
>> because if firewalld allows stuff like this, then problem solved. last checked, it does not.
>
>Should be possible with permanent direct rules.
>I'd point you to firewalld.direct(5), but I've just noticed we actually
>forgot to ship it :-(
>
>So just create /etc/firewalld/direct.xml with something like:
><?xml version="1.0" encoding="utf-8"?>
><direct>
>  <rule ipv="ipv4" table="filter" chain="FORWARD_direct" priority="0"> -m mark ! --mark 1/1 -j NFQUEUE </rule>
>  <rule ipv="ipv4" table="nat" chain="PREROUTING_direct" priority="0"> -p tcp --dport 80 -j DNAT --to 192.168.1.2:3129 </rule>
>  <rule ipv="ipv4" table="nat" chain="OUTPUT_direct" priority="0"> -p tcp --dport 80 -m owner --gid-owner squid -j ACCEPT </rule>
>  <rule ipv="ipv4" table="nat" chain="OUTPUT_direct" priority="1"> -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT </rule>
>  <rule ipv="ipv4" table="nat" chain="OUTPUT_direct" priority="2"> -p tcp --dport 3129 -m owner --uid-owner squid -j ACCEPT </rule>
>  <rule ipv="ipv4" table="nat" chain="OUTPUT_direct" priority="3"> -p tcp --dport 80 -j REDIRECT --to-ports 3129 </rule>
></direct>
>
>The X_direct chains are created by firewalld and jumped into before
>all the other chains (for zones etc.).
>
>> and, once again why not something simple like if 'execute some iptables script' , then 'iptables-save' , then 'firewalld-save' or even skip the middle step!
>
>I'm CCing Thomas who has already tried to write something similar, but
>it's not that simple according to his words.
>
>--
>Jiri
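Lance's request for an "import my iptables script" step and Jiri's hand-written direct.xml are close enough that the translation can be mechanical. The script below is an added example (not firewalld's own tooling, and not from either post): it parses the six iptables command lines from the question and emits a direct.xml fragment laid out like Jiri's reply, with the builtin chain name plus the "_direct" suffix and a per-chain priority counter. It only understands the option forms used in this thread (-t, -A/-I, everything else is passed through as the rule body); check the result against firewalld.direct(5) for your firewalld version before relying on it.

```python
"""Turn iptables(8) command lines into a firewalld direct.xml fragment.

Added example, not part of firewalld. Chain naming (BUILTIN + "_direct") and
priority numbering follow the sample direct.xml in the reply above.
"""
import shlex
import xml.etree.ElementTree as ET
from collections import defaultdict

BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}

# The rules from the question above (copied from the thread).
SAMPLE_RULES = [
    "/sbin/iptables -I FORWARD -m mark ! --mark 1/1 -j NFQUEUE",
    "/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --gid-owner squid -j ACCEPT",
    "/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.2:3129",
    "/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT",
    "/sbin/iptables -t nat -A OUTPUT -p tcp --dport 3129 -m owner --uid-owner squid -j ACCEPT",
    "/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3129",
]


def parse_iptables_line(line):
    """Split one iptables command into (ipv, table, chain, rule_args)."""
    argv = shlex.split(line)
    if not argv or not argv[0].endswith(("iptables", "ip6tables")):
        raise ValueError("not an iptables command: %r" % line)
    ipv = "ipv6" if argv[0].endswith("ip6tables") else "ipv4"
    table, chain, rest = "filter", None, []
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok in ("-t", "--table"):
            table = argv[i + 1]
            i += 2
        elif tok in ("-A", "--append", "-I", "--insert"):
            chain = argv[i + 1]
            i += 2
            # "-I CHAIN n" carries a position; direct rules order by priority instead.
            if i < len(argv) and argv[i].isdigit():
                i += 1
        else:
            rest.append(tok)
            i += 1
    if chain is None:
        raise ValueError("no chain (-A/-I) given in: %r" % line)
    return ipv, table, chain, rest


def to_direct_xml(lines):
    """Build a <direct> element with one <rule> per command.

    Priorities count up separately for each (ipv, table, chain) so the rules
    keep the order they had in the script.
    """
    root = ET.Element("direct")
    next_priority = defaultdict(int)
    for line in lines:
        ipv, table, chain, args = parse_iptables_line(line)
        if chain in BUILTIN_CHAINS:
            chain = chain + "_direct"  # naming used in the reply above
        key = (ipv, table, chain)
        rule = ET.SubElement(root, "rule", ipv=ipv, table=table, chain=chain,
                             priority=str(next_priority[key]))
        rule.text = " ".join(args)
        next_priority[key] += 1
    return root


def direct_xml_string(lines):
    """Serialised direct.xml with the XML declaration firewalld's sample uses."""
    body = ET.tostring(to_direct_xml(lines), encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body


if __name__ == "__main__":
    print(direct_xml_string(SAMPLE_RULES))
```

Redirect the output to /etc/firewalld/direct.xml only after reading it through: the converter preserves the rule bodies verbatim, so anything iptables accepted but firewalld's direct interface rejects will surface at reload time, not here.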
9 years, 8 months
F19 Firewall
by P J P
Hello,
A long thread about firewall & Firewalld application+daemon is running on fedora-devel list.
About F19 Firewall -> https://lists.fedoraproject.org/pipermail/devel/2013-September/189272.html
The upstream authors are in the process of rewriting Firewalld in C (from Python). The current discussion is oscillating between features+complexity and usability+security that firewall has to offer.
I thought maybe folks here could offer valuable suggestions to authors while they are re-writing the application, so that it ends up being usable & secure, instead of bloated and swollen.
Thank you.
---
Regards
-Prasad
http://feedmug.com
9 years, 8 months
cracklib dicts size (and fedora password policy)
by Matthew Miller
The cracklib dicts in Fedora are 8.3M. (I'm sure some of this is my fault, as
I've added to it over the years.) The cracklib pam module supports a
compressed dictionary, but apparently it has a serious performance impact
(https://bugzilla.redhat.com/show_bug.cgi?id=1004896).
Meanwhile, in many systems today, local passwords are entirely unused.
Authentication is done via keys or by kerberos.
At the same time, we have an increased need for smaller systems. That 8MB
starts to be a meaningful fraction of a container or an ultra-small cloud
image.
I do recognize the value of protecting against dictionary-based attacks when
passwords are used. Maybe we could have a policy which requires _longer_
passwords but uses a much smaller dictionary?
--
Matthew Miller ☁☁☁ Fedora Cloud Architect ☁☁☁ <mattdm(a)fedoraproject.org>
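The trade-off in the question (a longer minimum length with a much smaller dictionary) is easiest to reason about with the check itself in front of you. The checker below is an added example, not cracklib or pam_cracklib code: it enforces a minimum length and then tests the candidate against a small dictionary after the cheap normalisations that turn "P4ssw0rd!!!!" back into "password" (lowercasing, leet substitution, stripping leading and trailing digit or punctuation runs). The dictionary and the test inputs are constructed; a real deployment would load whatever word list the policy settles on.

```python
"""Length-plus-small-dictionary password policy check.

Added example; not cracklib's algorithm. SMALL_DICT and the sample
passwords are constructed for illustration.
"""
import re

# Common character substitutions that dictionary checks should undo.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed stand-in for a deliberately small word list.
SMALL_DICT = {"password", "letmein", "welcome", "fedora", "qwerty", "dragon"}

# Leading/trailing runs of digits, punctuation or underscores
# ("123password!", "Fedora2013").
_EDGE_JUNK = re.compile(r"^[\d\W_]+|[\d\W_]+$")


def candidate_forms(pw):
    """Normalised forms of pw that a dictionary lookup should test."""
    base = pw.lower()
    stripped = _EDGE_JUNK.sub("", base)
    forms = set()
    for form in (base, stripped):
        forms.add(form)
        forms.add(form.translate(LEET))
    return forms


def check_password(pw, min_len=12, dictionary=SMALL_DICT):
    """Return None if pw passes the policy, otherwise a reason string.

    Length is checked first: it is cheap, and it is the control this policy
    leans on instead of a large word list.
    """
    if len(pw) < min_len:
        return "too short (%d < %d)" % (len(pw), min_len)
    for form in sorted(candidate_forms(pw), key=len):
        if form in dictionary:
            return "based on dictionary word %r" % form
    return None


if __name__ == "__main__":
    for sample in ("short", "P4ssw0rd!!!!", "123Fedora456!",
                   "correct horse battery staple"):
        print("%-30s -> %s" % (sample, check_password(sample) or "ok"))
```

What the example makes visible is why the dictionary can shrink when the minimum length grows: the normalisations already collapse most of the mangled variants that a large word list stores as separate entries, and a length floor removes the short candidates that dominate such lists in the first place.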
9 years, 8 months
New contributor Loïc Maury
by Loïc Maury
Hello,
My name is Loïc Maury, I am a C/C++/Python/Haskell programmer, and
I am trying to contribute to the Fedora Project.
I have spoken with some people from Fedora (Infrastructure), and it seems
I can help with this project.
I have some experience with code audit/functional testing (job and
personal),
static analysis tools, security programming.
I hope I will be able to help and contribute.
Thank you
Loïc Maury
9 years, 8 months
Compilation of Git Clone copy of Secure Coding Handbook
by Tristan Santore
Dear All,
I am trying to compile the docs, however I get:
make build-manual
mkdir -p en-US/snippets
python scripts/split-snippets.py . \
src/*.c src/*.cpp src/*.java src/*.py
publican build --formats=html,epub,pdf --langs=en-US
Setting up en-US
Processing file tmp/en-US/xml/Common_Content/Conventions.xml ->
tmp/en-US/xml/Common_Content/Conventions.xml
Processing file tmp/en-US/xml/Common_Content/Feedback.xml ->
tmp/en-US/xml/Common_Content/Feedback.xml
Processing file tmp/en-US/xml/Common_Content/Legal_Notice.xml ->
tmp/en-US/xml/Common_Content/Legal_Notice.xml
Processing file tmp/en-US/xml_tmp/Author_Group.xml ->
tmp/en-US/xml/Author_Group.xml
Processing file tmp/en-US/xml_tmp/Book_Info.xml ->
tmp/en-US/xml/Book_Info.xml
Processing file tmp/en-US/xml_tmp/C-Allocators.xml ->
tmp/en-US/xml/C-Allocators.xml
Processing file tmp/en-US/xml_tmp/C-Language.xml ->
tmp/en-US/xml/C-Language.xml
Processing file tmp/en-US/xml_tmp/C-Libc.xml -> tmp/en-US/xml/C-Libc.xml
*WARNING: Unvalidated tag: 'informalexample'. This tag may not be
displayed correctly, may generate invalid xhtml, or may breach Section
508 Accessibility standards.
Processing file tmp/en-US/xml_tmp/C-Other.xml -> tmp/en-US/xml/C-Other.xml
Processing file tmp/en-US/xml_tmp/C.xml -> tmp/en-US/xml/C.xml
Processing file tmp/en-US/xml_tmp/CXX-Language.xml ->
tmp/en-US/xml/CXX-Language.xml
Processing file tmp/en-US/xml_tmp/CXX-Std.xml -> tmp/en-US/xml/CXX-Std.xml
Processing file tmp/en-US/xml_tmp/CXX.xml -> tmp/en-US/xml/CXX.xml
Processing file tmp/en-US/xml_tmp/Defensive_Coding.xml ->
tmp/en-US/xml/Defensive_Coding.xml
Processing file tmp/en-US/xml_tmp/Features-Authentication.xml ->
tmp/en-US/xml/Features-Authentication.xml
Processing file tmp/en-US/xml_tmp/Features-TLS.xml ->
tmp/en-US/xml/Features-TLS.xml
Processing file tmp/en-US/xml_tmp/Java-Language.xml ->
tmp/en-US/xml/Java-Language.xml
Processing file tmp/en-US/xml_tmp/Java-LowLevel.xml ->
tmp/en-US/xml/Java-LowLevel.xml
Processing file tmp/en-US/xml_tmp/Java-SecurityManager.xml ->
tmp/en-US/xml/Java-SecurityManager.xml
Processing file tmp/en-US/xml_tmp/Java.xml -> tmp/en-US/xml/Java.xml
Processing file tmp/en-US/xml_tmp/Python.xml -> tmp/en-US/xml/Python.xml
Processing file tmp/en-US/xml_tmp/Revision_History.xml ->
tmp/en-US/xml/Revision_History.xml
Processing file tmp/en-US/xml_tmp/Tasks-Cryptography.xml ->
tmp/en-US/xml/Tasks-Cryptography.xml
Processing file tmp/en-US/xml_tmp/Tasks-Descriptors.xml ->
tmp/en-US/xml/Tasks-Descriptors.xml
Processing file tmp/en-US/xml_tmp/Tasks-File_System.xml ->
tmp/en-US/xml/Tasks-File_System.xml
Processing file tmp/en-US/xml_tmp/Tasks-Library_Design.xml ->
tmp/en-US/xml/Tasks-Library_Design.xml
Processing file tmp/en-US/xml_tmp/Tasks-Locking.xml ->
tmp/en-US/xml/Tasks-Locking.xml
Processing file tmp/en-US/xml_tmp/Tasks-Processes.xml ->
tmp/en-US/xml/Tasks-Processes.xml
Processing file tmp/en-US/xml_tmp/Tasks-Serialization.xml ->
tmp/en-US/xml/Tasks-Serialization.xml
Processing file tmp/en-US/xml_tmp/Tasks-Temporary_Files.xml ->
tmp/en-US/xml/Tasks-Temporary_Files.xml
Processing file tmp/en-US/xml_tmp/Web_Applications.xml ->
tmp/en-US/xml/Web_Applications.xml
not well-formed (invalid token) at line 46, column 43, byte 2693:
Won't be escaped (DON'T DO THIS!)
<h:outputText value="#{param.name}" escape=false>
==========================================^
</code>
at /usr/lib64/perl5/vendor_perl/XML/Parser.pm line 187.
make: *** [build-manual] Error 255
Also, may I suggest that we add the dependencies publican and
publican-fedora as requisites for compilation to the README?
Thank you.
Regards,
Tristan
--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore(a)internexusconnect.net
Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)
For Fedora related issues, please email me at:
TSantore(a)fedoraproject.org
9 years, 8 months
[Secure Coding] master: Update the README file (a2df781)
by fweimer@fedoraproject.org
Repository : http://git.fedorahosted.org/git/?p=secure-coding.git
On branch : master
>---------------------------------------------------------------
commit a2df781c2b364f3f8fc7cef13a820896019c8f0a
Author: Florian Weimer <fweimer(a)redhat.com>
Date: Thu Sep 19 17:07:03 2013 +0200
Update the README file
>---------------------------------------------------------------
defensive-coding/README | 26 ++++++++++----------------
1 files changed, 10 insertions(+), 16 deletions(-)
diff --git a/defensive-coding/README b/defensive-coding/README
index 934d2a2..58d0ae8 100644
--- a/defensive-coding/README
+++ b/defensive-coding/README
@@ -1,14 +1,17 @@
-TODO items
-----------
+TODO and bug tracking
+---------------------
-Suggested items for inclusion are listed here:
+The secure-coding guide has its own component in Bugzilla:
-https://engineering.redhat.com/trac/product-security/wiki/DefensiveCodingTODO
+https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20Documentation&component=defensive-coding-guide
+
+Please file bugs and suggestions there.
Building HTML documentation
---------------------------
-Just type "make".
+Just type "make". If you do not want to build the example code, run
+"make build-manual".
When you type "make", the code examples in src/ are compiled (mainly
to check for obvious syntax errors, but also for manual testing). If
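Review bot: the added sentence "If you do not want to build the example code, run "make build-manual"" is immediately followed by the unchanged paragraph explaining that "make" compiles the examples in src/ "mainly to check for obvious syntax errors", so a reader is left to infer that the shortcut skips that check. Add a clause to the new sentence, e.g. "(this skips compiling and syntax-checking the examples in src/)", so contributors editing src/ know which target validates their code.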
@@ -19,14 +22,5 @@ included in the manual.
Dependencies
------------
-Building the manual needs the "publican" package and the
-"publican-redhat-engservices" package available here:
-
-http://download.lab.bos.redhat.com/brewroot/packages/publican-redhat-engservices/
-
-Version 0.4 of the publican-redhat-engservices package needs publican
-3.0. This version of the package:
-
-http://download.lab.bos.redhat.com/brewroot/packages/publican-redhat-engservices/0.3/2.el6eng/noarch/publican-redhat-engservices-0.3-2.el6eng.noarch.rpm
-
-is known to work with publican 2.8 available in Fedora 17.
+Building the manual needs the "publican" and the "publican-fedora"
+packages.
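Review bot: the rewritten Dependencies section drops all version guidance. The removed lines recorded that publican-redhat-engservices 0.4 "needs publican 3.0" and that 0.3 "is known to work with publican 2.8 available in Fedora 17", which shows the build has been publican-version-sensitive before; the replacement names only the "publican" and "publican-fedora" packages. State the publican version (or the Fedora release) the build was last verified with, e.g. "Building the manual needs the "publican" and "publican-fedora" packages (tested with the versions in Fedora N)", so the next breakage can be attributed quickly.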
9 years, 8 months