The traditional Linux security model starts with file permissions. The model lets the kernel decide whether or not a process may access a resource based on permissions set as part of the filesystem. The coarse-grained granularity of this model often causes Linux processes to have too many rights. If more granularity is needed, one has to resort to adding security related code into the program source.
This series of articles is about Linux namespaces, a lightweight virtualization technology implemented in Linux kernel. In part 1 I’ve talked about building chroot jails using mount namespace, and in part 2 I’ve looked into isolating processes using PID namespace. The next step is to isolate the TCP/IP networking stack using network namespaces.
Security at this level is always reactive. Assuming the bad guy breaks into your server, he will realize he doesn’t have root privileges (classic Unix privilege separation implemented in server software), he runs on top of a fake filesystem (chroot), and he cannot get outside on the network. The later is usually done by placing the computer in a Demilitarized Zone (DMZ) behind a firewall.
The same effect can be achieved on the cheap using Linux namespaces. For this, I place the server in a container (vm1) running its own network segment (10.10.20.0/24). The container is connected to the host through a Linux bridge interface (br0). On the host I configure iptables firewall, isolating the server and effectively limiting the potential damage that could be inflicted on the larger network. The final setup looks like this:
Linux ptrace() system call provides a means by which one process may observe and control the execution of another process. It is primarily used to implement breakpoint debugging with gdb and system call tracing with strace. In this article I will look at the security implications of ptrace, and how to overcome them using Linux PID namespaces.
Public enemy numero uno
This is an experiment every Linux enthusiast should try. Start an ssh connection in a terminal and stop when you are just about to enter the password:
Starting an ssh session
Open another terminal, find the pid of your ssh session (ps ax | grep ssh) and start strace on it (strace -p 3660). Then, go back to your ssh terminal, type in your password, and watch it flying across strace terminal:
ptrace usage example
Namespace isolation is the simplest virtualization technology available in Linux kernel. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. This feature is mostly popularized and promoted by utilities such as LXC (Linux Containers), Docker and virtenv.
Three syscalls are used to create Linux namespaces, unshare(), clone() and setns(). In this article I will take a look at unshare() and show how to use it directly in your scripts and programs without going through LXC or any other higher level virtualization tool.
I’ll start by investigating unshare command available in util-linux package, and from there I’ll move to the system call. In the end I’ll build a small C program that isolates a web browser such as Mozilla Firefox into a kernel namespace.
Hundreds of new open source software projects are published on Internet each day. The vast majority are built by private individuals in their spare time, or at least this is how the projects are starting. The usefulness of these projects is secondary in nature, most of the time the goal is learning and personal development, or how somebody else put it, scratching one developer’s personal itch.
This blog post is about how to package and publish an open-source project. I have this source code just sitting there on my hard drive, I wrote it some time ago, other people might find it interesting. Let’s start with the itch.
Many people are very surprised when they find out telnet protocol requires more than a TCP socket connection between a client and a server. There are two tty terminals involved, one on the server side, and one on the client side. These terminals are synchronized by special messages sent over the socket connection, mangled with the session data.
To figure it out, I can start by reading a long list of RFCs, or I can take a shortcut and try to lift it from a wireshark trace:
Recent versions of Linux glibc (2.x) include a a malloc() implementation tunable using environment variables. This allows the user to diagnose allocation problems such as heap corruption, double free etc.
When MALLOC_CHECK_ is set to 3, a diagnostic message is printed on stderr and the program is aborted. A value of 0 disables the diagnostic – see man malloc for more details.
Setting the MALLOC_PERTURB_ environment variable causes the malloc functions in libc to return memory which has been wiped and initialized with the byte value of the environment variable. Setting MALLOC_PERTURB_ to zero disables the feature.
No special arguments need to be passed during program compilation. These diagnostics work on any precompiled programs. Unlike valgrind, the speed of execution is not affected.
$ export MALLOC_CHECK_=3
$ export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
SendEmail is a lightweight command line SMTP agent. It was designed to be easily integrated in bash scripts, Perl programs etc. The program is in fact a Perl script, and it is distributed under GPL license. This is how you can send emails from command line using SendEmail and a regular gmail or yahoo account.
ezchroot is a small script to chroot into OpenVZ containers. Once inside, you can update or modify the container software. The operation is similar to ezlxc.
if [ $# -gt 0 ]; then
echo "Usage: ezchroot directory"
cp -L /etc/resolv.conf $1/etc/.
mount -t proc none $1/proc
mount --rbind /dev $1/dev
mount --rbind /sys $1/sys
echo "entering chroot directory"
env NAME=chroot chroot $1 /bin/bash
echo "chroot exited"
This is a simple telnet client written in C. In the negotiation phase of the connection it will respond with WONT to any DO coming from the server, and it will encourage the server to DO anything it offers with WILL. The only exception is the screen size setting, advertised as 24 x 80 by the client.
if [ expression ]
elif [ expression2 ]