Re: [hobbit] Issues with hobbitd loading
- To: hobbit (at) hswn.dk
- Subject: Re: [hobbit] Issues with hobbitd loading
- From: "Don Munyak" <don.munyak (at) gmail.com>
- Date: Tue, 10 Apr 2007 09:28:56 -0400
- References: <6207f7d90704091359q4fd840ev8fa3b7a7eeccd2fb (at) mail.gmail.com> <20070409212008.GB11535 (at) hswn.dk>
Thanks Henrik...
I read the link as well as the {prev} page from said link. And then
googled the author. OT: I can't believe the author was in 9th grade
when he wrote the article. I am completely amazed and envious
http://www.samag.com/documents/s=1151/sam0105d/0105d.htm
...anyway
I made the change to the HOST sysctl.conf.
security.jail.sysvipc_allowed=1
Current sysctl.conf for HOST system
# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
security.bsd.see_other_uids=0
# net.inet.tcp.blackhole=2
# net.inet.udp.blackhole=1
net.inet.ip.check_interface=1
net.inet.tcp.recvspace=32768
net.inet.tcp.sendspace=32768
net.inet.tcp.syncookies=0
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskrepl=0
net.inet.icmp.icmplim=200
security.jail.sysvipc_allowed=1
security.jail.allow_raw_sockets=1
kern.ipc.shmmax=536870912
%sysctl -A -d |grep jail {listing human readable desc}
security.jail.set_hostname_allowed:Processes in jail can set their hostnames
security.jail.socket_unixiproute_only:Processes in jail are limited to creating UNIX/IPv4/route sockets only
security.jail.sysvipc_allowed:Processes in jail can use System V IPC primitives
security.jail.enforce_statfs:Processes in jail cannot see all mounted file systems
security.jail.allow_raw_sockets:Prison root can create raw sockets
security.jail.chflags_allowed:Processes in jail can alter system file flags
security.jail.list:List of active jails
security.jail.jailed:Process in jail?
%sysctl -A | grep jail
security.jail.set_hostname_allowed:1
security.jail.socket_unixiproute_only:1
security.jail.sysvipc_allowed:1
security.jail.enforce_statfs:2
security.jail.allow_raw_sockets:1
security.jail.chflags_allowed:0
security.jail.list:Format:S Length:2584
Dump:0x01000000020000002f7573722f6a6169...
security.jail.jailed:0
----
hobbitd now loads and website appears functional. I haven't yet
configured any host systems.
----
Aside from the obvious "Processes in jail can use System V IPC
primitives", what does this mean in terms of security?
I understand that should a jail get hacked, the hacker can use System
V IPC primitives. How and to what extent?
Thanks so much for your help
Don
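As an added example (not part of Don's post or the Hobbit project), a small sh script that audits the `sysctl -A | grep jail` output above against a baseline, so that loosened jail restrictions such as sysvipc_allowed=1 and allow_raw_sockets=1 are reported explicitly rather than buried in the listing. The baseline values are assumed FreeBSD defaults of that era and the sample input is constructed to mirror the post; neither comes from the thread.

```shell
#!/bin/sh
# Audit FreeBSD jail sysctls against a baseline.
# Input is the format `sysctl -A | grep jail` prints: key:value, one per line.
# BASELINE holds the assumed FreeBSD defaults (an assumption, not from the post);
# any deviation is a deliberate loosening that should be documented and justified.

BASELINE="security.jail.set_hostname_allowed=1
security.jail.socket_unixiproute_only=1
security.jail.sysvipc_allowed=0
security.jail.enforce_statfs=2
security.jail.allow_raw_sockets=0
security.jail.chflags_allowed=0"

# Constructed sample input, mirroring the host values shown in the post.
SAMPLE="security.jail.set_hostname_allowed:1
security.jail.socket_unixiproute_only:1
security.jail.sysvipc_allowed:1
security.jail.enforce_statfs:2
security.jail.allow_raw_sockets:1
security.jail.chflags_allowed:0
security.jail.jailed:0"

# audit_jail_sysctls: read key:value lines on stdin, print one line per
# deviation as "key current=<x> baseline=<y>", and return the number of
# deviations as the exit status (0 means everything matches the baseline).
audit_jail_sysctls() {
    deviations=0
    while IFS=: read -r key value; do
        [ -n "$key" ] || continue
        expected=$(printf '%s\n' "$BASELINE" | awk -F= -v k="$key" '$1 == k { print $2 }')
        [ -n "$expected" ] || continue   # keys not in the baseline (jail.list, jailed) are skipped
        if [ "$value" != "$expected" ]; then
            printf '%s current=%s baseline=%s\n' "$key" "$value" "$expected"
            deviations=$((deviations + 1))
        fi
    done
    return "$deviations"
}

# Run on the constructed sample; on a real host replace SAMPLE with `sysctl -A | grep jail`.
if printf '%s\n' "$SAMPLE" | audit_jail_sysctls; then
    echo "jail sysctls match baseline"
else
    echo "$? jail setting(s) loosened relative to baseline"
fi
```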