
List:       stackguard
Subject:    [Immunix-announce] Re: Immunix Secured OS 7.3, 7+ rsync update
From:       Crispin Cowan <crispin () immunix ! com>
Date:       2003-12-07 8:33:28

Immunix Security Team wrote:

>-----------------------------------------------------------------------
>	Immunix Secured OS Security Advisory
>
>Packages updated:	rsync
>Affected products:	Immunix OS 7.3, 7+
>Bugs fixed:		CAN-2003-0962
>Date:			Fri Dec  5 2003
>Advisory ID:		IMNX-2003-73-001-01
>Author:			Seth Arnold <sarnold@immunix.com>
>-----------------------------------------------------------------------
>
>Description:
>  The rsync team has alerted us to a remotely exploitable heap overflow
>  that is being actively exploited. As the overflow is on the heap,
>  StackGuard offers no protection to this vulnerability.
>
rsync can also be confined with SubDomain, so that even if it is 
compromised by an attacker, the attacker does not gain rampant privilege 
on your server. However, the whole purpose of provisioning rsync is to 
allow users to read and write files on your server, and so such a 
profile would require local customization. Therefore, Immunix OS does 
not come with an rsync profile enabled by default.

However, for your convenience, we provide here an rsync profile template 
that you can adapt to your needs. To use it, do the following:

   1. Place the file in /etc/subdomain.d
   2. Edit the last line in the profile from
      "/some/directory/tree/you/want/to/rsync/with/**" to the path to
      the files you want exposed through rsync. Note that I have granted
      "rwl" privileges (read, write, and link) and that you might want
      to remove the w if you only mean to allow users to read your files.
   3. Run "/etc/rc.d/init.d/subdomain restart" as root

Note: this profile uses "new" SubDomain syntax with regular expressions, 
and so will only work on Immunix 7.3 http://www.immunix.com/shop/

Testing: I tested this profile by using rsync for my daily backup of my 
laptop to my Immunix server with this rsync command:

    rsync --verbose -avzc --exclude-from backup_exclude --progress \
        --stats --delete --ignore-errors -e /usr/bin/ssh /home/crispin \
        192.168.1.1:laptop_image

I ran a backup with this command and got zero SubDomain REJECT messages. 
However, rsync is a complex program, and your local configuration may 
cause it to need more capabilities than the attached profile provides. 
Please report any problems you encounter with this profile.

Thanks,
    Crispin

-- 
Crispin Cowan, Ph.D.           http://immunix.com/~crispin/
Chief Scientist, Immunix       http://immunix.com
            http://www.immunix.com/shop/


["usr.bin.rsync" (text/plain)]

/usr/bin/rsync {
#default entries; most required by __canary_death_handler()
/dev/log                       w ,
/etc/ld.so.cache               r ,
/etc/locale/**                 r ,
/etc/localtime                 r ,
/usr/share/locale/**           r ,
/usr/share/zoneinfo/**         r ,
/usr/lib/locale/**             r ,
/usr/lib/gconv/*.so            r ,
/usr/lib/gconv/gconv-modules*  r ,
#entries specific to this application
/etc/mtab r ,
/etc/fstab r ,
/etc/nsswitch.conf r ,
/etc/group r ,
/etc/passwd r ,
/lib/ld-*.so* rx ,
/lib/libc.so.6 r ,
/lib/libc*.so r ,
/lib/libnsl* r ,
/lib/libnss*.so r ,
/lib/libresolv*.so* r ,
/proc/meminfo r ,
/usr/bin/rsync r ,
/usr/lib/libpopt.so.* r ,
# put the files and directories you want rsync'd here
/some/directory/tree/you/want/to/rsync/with/** rwl ,
}


_______________________________________________
Immunix-announce mailing list
Immunix-announce@wirex.com
http://mail.wirex.com/mailman/listinfo/immunix-announce
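
Added example (not part of the original message or of Immunix's tooling): a shell helper for step 2 of the procedure above, which rewrites the template's last rule for one exported tree and drops the "w" for read-only exports. The function name customize_rsync_profile, its ro/rw argument and the path /srv/rsync/pub are assumptions made for illustration.

```shell
#!/bin/sh
# customize_rsync_profile is a hypothetical helper, not an Immunix tool.
PLACEHOLDER='/some/directory/tree/you/want/to/rsync/with'

# usage: customize_rsync_profile TEMPLATE EXPORT_DIR ro|rw   (profile on stdout)
customize_rsync_profile() {
    template=$1 dir=$2 mode=$3
    [ -r "$template" ] || { echo "cannot read $template" >&2; return 1; }

    # The rule must name an absolute path.
    case $dir in
        /*) ;;
        *) echo "export dir must be absolute: $dir" >&2; return 1 ;;
    esac

    # "/" would become the rule "/**", which confines nothing.
    dir=${dir%/}
    [ -n "$dir" ] || { echo "refusing to expose /" >&2; return 1; }

    # Pattern characters (*, ?, [, {) or ".." components inside the path would
    # change which files the rule matches, so accept only plain path characters.
    if printf '%s' "$dir" | grep -q '[^A-Za-z0-9/._-]'; then
        echo "unsupported characters in: $dir" >&2; return 1
    fi
    case $dir/ in
        */../*) echo "'..' not allowed in: $dir" >&2; return 1 ;;
    esac

    # The template grants rwl; read-only exports drop the w.
    case $mode in
        ro) perms=rl ;;
        rw) perms=rwl ;;
        *) echo "mode must be ro or rw" >&2; return 1 ;;
    esac

    # Fail loudly if the placeholder rule is missing, rather than emitting a
    # profile that still lacks the export rule.
    grep -q "^$PLACEHOLDER/\*\*[[:space:]]*rwl" "$template" ||
        { echo "placeholder rule not found in $template" >&2; return 1; }

    sed "s|^$PLACEHOLDER/\*\*[[:space:]]*rwl[[:space:]]*,|$dir/** $perms ,|" "$template"
}

# Steps 1 and 3 from the message, run as root (the export path is constructed):
#   customize_rsync_profile usr.bin.rsync /srv/rsync/pub ro > /etc/subdomain.d/usr.bin.rsync
#   /etc/rc.d/init.d/subdomain restart
```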

