stripping secure servers (was Re: releases and stuff)

Bennett Todd bet at rahul.net
Mon Nov 15 04:46:48 PST 2004


2004-11-15T12:03:35 Robert Connolly:
> I'm having trouble understanding how important it is to not have a
> compiler on the system.

I've seen both sides of this issue.

One viewpoint, which I've often espoused, is that the first line of
defense is the perimeter --- network listening daemons, for a
hardened server --- and hardening against local exploits is only
useful for shell servers with untrusted users, a very hard problem
indeed; and that local hardening need only focus on suid executables
and privilege escalation paths (although the recently announced
Linux ELF loader bugs are kinda scary that way).

Another, which Marcus Ranum has advocated for years, has recently
begun to appeal to me, mostly since I've noticed that Bent
Linux makes it easy:-). This is to design completely hardened
purpose-built servers that do absolutely nothing at all but offer
their service, design them so that every file is accounted for,
and no file is present that's not actually required to deliver the
desired service. For some services, even /bin/sh is not necessary.

Software packaging can make such purpose-built servers easier to set
up; and BusyBox is a nice and handy scaffolding that's easy to put
into place for the setup and config stage, then remove once the
server is chugging along merrily leaving only the actual daemon[s]
that offer service.

The final door-closing involves removing busybox, and placing a
small executable in /sbin/init that forks and execs a few
invocations of the likes of ifconfig, and finishes by execing the
daemon that offers public service.

-Bennett
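The "small executable in /sbin/init" sketched in the message above, as an added example (it is not code from this post or from the HLFS project): a minimal init that runs a fixed table of setup commands with fork/execv, then execs the service daemon in its own place. The interface names, the RFC 5737 addresses, the /sbin/ifconfig and /sbin/route paths and the daemon /usr/sbin/exampled are constructed placeholders for the purpose-built image being described. There is deliberately no shell anywhere in the chain: each argv goes straight to execv(), so nothing on the box can run a script even if an attacker drops one.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define MAX_ARGS 8   /* argv slots per setup step, including the NULL terminator */

/* Fork, exec argv[0] with the given argument vector, wait for it, and
 * return its exit status. Returns 127 if the program could not be
 * executed and -1 on fork/wait failure or abnormal termination. No shell
 * is involved: argv is handed to execv() as-is. */
int run_and_wait(const char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127);  /* exec failed; there is nothing to fall back on */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Run each setup step in order; return how many did not exit 0. */
int run_steps(const char *const steps[][MAX_ARGS], size_t nsteps)
{
    int failures = 0;
    for (size_t i = 0; i < nsteps; i++) {
        int rc = run_and_wait(steps[i]);
        if (rc != 0) {
            fprintf(stderr, "init: %s exited with status %d\n", steps[i][0], rc);
            failures++;
        }
    }
    return failures;
}

/* Constructed example configuration (hypothetical): RFC 5737 documentation
 * addresses and a placeholder daemon. These binaries are assumed to be the
 * only ones left on the image once BusyBox has been removed. */
static const char *const setup_steps[][MAX_ARGS] = {
    { "/sbin/ifconfig", "lo", "127.0.0.1", "up", NULL },
    { "/sbin/ifconfig", "eth0", "192.0.2.10", "netmask", "255.255.255.0", "up", NULL },
    { "/sbin/route", "add", "default", "gw", "192.0.2.1", NULL },
};
static const char *const daemon_argv[] = { "/usr/sbin/exampled", "-f", NULL };

int main(void)
{
    size_t n = sizeof setup_steps / sizeof setup_steps[0];
    if (run_steps(setup_steps, n) != 0) {
        /* PID 1 must never return (the kernel panics if it does); park
         * instead so the console message above stays visible. */
        fprintf(stderr, "init: setup failed, halting\n");
        for (;;)
            pause();
    }
    /* Replace init with the service daemon. It becomes PID 1 and with
     * that inherits the job of reaping orphaned children. */
    execv(daemon_argv[0], (char *const *)daemon_argv);
    perror("init: execv daemon");
    for (;;)
        pause();
}
```

Two things worth checking before shipping such an init: the daemon that replaces it is now PID 1, so it must cope with being the reaper of orphans and must not exit (that is a kernel panic, not a restart); and linking the init statically keeps the list of files that have to exist on the image down to the init itself plus the daemon and the handful of setup binaries.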