Subject: Re: security sysctl? (was: r/o filesystem restrictions for firewall?)
To: None <tech-security@netbsd.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-kern
Date: 10/25/2000 11:15:13
On Wed, Oct 25, 2000 at 08:39:00AM +0200, Thomas Michael Wanka wrote:
> On 24 Oct 2000, at 15:01, Allen Briggs wrote:
> 
> > Downgrading from highly secure mode to insecure mode (that is, to
> > single-user mode) always requires the root password to be entered
> > on the console, whether the console is marked as 'secure'
> > in /etc/ttys or not.
> 
> Hi,
> 
> I thought a reboot into single-user mode was necessary.

No, it's not; you can "kill 1" or "shutdown now" and drop to
single-user mode with a shell on the console, but you won't get
anywhere without entering the root password at that point.

The intention is to enable you to build a device such as an embedded
boot-from-flash router (the specific application I did this work
for, in fact) that may have its serial console hooked up to a
network somehow, e.g. by a console server; you *don't* want an
attacker to be able to drop the machine from multiuser to singleuser
mode (where securelevel = 0) and get a root shell, but you *do*
want to be able to administer the damned thing, and you may not be
*able* to reboot it in all cases (if you drop it to singleuser
mode, it probably keeps routing packets.  If you reboot it, your
network may develop a serious case of the hiccups).  Ergo, the
present solution.

The machines I did this work on ran at securelevel 2 with all
filesystems mounted either read-only or (/tmp and bits of /var)
read-write nodev nosuid noexec, so even if you get a root shell
you probably can't get a new executable to run.  (Thus the "filesystems
cannot be remounted" rule.)  They had ipf rules that ensured that
even if an attacker got onto the box somehow, he couldn't get
packets *out* of it in a way that would disrupt any other services
on the local network.  (Thus the "can't change the ipf lists" rule.)
They boot from CompactFlash cards (16MB) and provide nameservice,
NTP service, an authenticating SSH gateway, and various other
proxy-type services to the "inside" corporate network of one of my
larger clients.  I did leave them tools to build new flash images
but they don't seem to have remembered how to use them; no matter,
almost two years later AFAIK the boxes are still running fine with
no security problems as yet.

-- 
Thor Lancelot Simon	                                      tls@rek.tjls.com
	the effort to perceive simply the cruel radiance of what is
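The mount layout the mail describes (every filesystem either read-only or mounted nodev,nosuid,noexec) as a small audit script; this is an added example, not code from the original mail or from NetBSD, and it assumes mount(8) output lines of the form shown in the comment, fed from a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the original mail: check mount(8) output
# against the policy described above, where every filesystem is either
# read-only or mounted nodev,nosuid,noexec. Assumes NetBSD-style lines:
#   /dev/wd0a on / type ffs (read-only, local)

# Constructed sample, not captured from a real box. The last two
# entries deliberately violate the policy.
SAMPLE_MOUNTS='/dev/wd0a on / type ffs (read-only, local)
/dev/wd0e on /tmp type ffs (local, nodev, nosuid, noexec)
/dev/wd0f on /var type ffs (local, nodev, nosuid, noexec)
/dev/wd0g on /usr/local type ffs (local)
/dev/wd0h on /home type ffs (local, nodev, nosuid)'

# audit_mounts MOUNT_OUTPUT
# Prints "mountpoint: missing <options>" for each read-write filesystem
# lacking any of nodev, nosuid, noexec. Returns 1 if any were found.
audit_mounts() {
    violations=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        mp=$(printf '%s\n' "$line" | sed 's/^.* on \(.*\) type .*$/\1/')
        opts=$(printf '%s\n' "$line" | sed 's/^.*(\(.*\))$/\1/' | tr -d ' ')
        case ",$opts," in
            *,read-only,*) continue ;;   # read-only satisfies the policy
        esac
        missing=""
        for want in nodev nosuid noexec; do
            case ",$opts," in
                *,"$want",*) ;;
                *) missing="$missing $want" ;;
            esac
        done
        if [ -n "$missing" ]; then
            printf '%s: missing%s\n' "$mp" "$missing"
            violations=$((violations + 1))
        fi
    done <<EOF
$1
EOF
    [ "$violations" -eq 0 ]
}

audit_mounts "$SAMPLE_MOUNTS" || echo "policy violations found"
```

On a live box, replace the sample with `audit_mounts "$(mount)"`.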