1993-12-16
SunOS 4.1 secure C library package
Written by William LeFebvre, EECS Department, Northwestern University.
Internet address: phil@eecs.nwu.edu
Code for reading the configuration file, along with a few important
patches, was provided by Sam Horrocks of UCI (sam@ics.uci.edu).
OVERVIEW:
This package contains replacement routines for these three kernel
calls: accept, recvfrom, recvmsg. These replacements are compatible
with the originals, with the additional functionality that they check
the Internet address of the machine initiating the connection to make
sure that it is "allowed" to connect.
Once compiled, these can be used when building a new shared libc. The
resulting libc.so can then be put in a special place. Any program
that should be protected can then be started with an alternate
LD_LIBRARY_PATH.
What you need:
SunOS version 4.1, 4.1.1, or 4.1.2 (or 4.1.3 if there ever is one),
installation of the "shared library" option,
root access.
SunOS 5 (Solaris 2.0) users are on their own. I have no idea if this
will work with version 5 or its successors.
You can see if your machine has the shared library option installed by
looking for the directory "/usr/lib/shlib.etc". If it is not
installed, then you will need to extract it from the distribution
tapes (Sun-factory installed machines will NOT have it installed).
Do you need to use this? If you can answer all of these questions
with "yes", then this package will benefit you:
Are you connected to the Internet (even via a local or
regional network)?
Do all of the routers/gateways between your machine and the
"rest of the world" route all packets regardless of protocol
or port number?
Are you concerned about the fact that any user on any system
anywhere on the Internet can connect to any network daemon
that runs on your machine, including ypserv and pwdauthd?
AVAILABILITY:
The latest version of securelib is available via anonymous FTP from
the host "eecs.nwu.edu". It is stored in the file "pub/securelib.tar".
Remember to use the "binary" transfer mode!
DETAILS:
Each modified system call has the same basic algorithm:
    {
        int retval;

        /* make the real system call first */
        if ((retval = syscall(...)) >= 0)
        {
            /* the call succeeded: is the peer's address acceptable? */
            if (_ok_address(socket, addr, *addrlen))
            {
                return (retval);
            }
            /* not acceptable: tear it down and report a refused connection */
            close(retval);          /* this line: "accept" only */
            errno = ECONNREFUSED;
            return (-1);
        }
        return (retval);
    }
Connections that are established from a host that is not "okay" will
be closed (if established via "accept"), then errno will be set to
ECONNREFUSED and the calling application will get an error indication
back from its system call. It is assumed that the application will
deal with such an error in an intelligent fashion. All Sun daemons
that we have tried seem to handle this correctly: they merely do the
system call again.
The application will only see success for machines that "_ok_address"
says are acceptable. All other connections look like failures.
The function "_ok_address" reads a configuration file (normally
"/etc/securelib.conf" or "/etc/security/securelib.conf") which
describes which Internet addresses are acceptable.
CONFIGURATION FILE:
The configuration file (usually /etc/securelib.conf) is read by every
process using securelib to find out which hosts are allowed to make
connections. Every hour, the config file is stat'ed to see if it has
changed. If it has, the file is re-read.
The first column in the file is the name of the process to which this
line applies. If this name is "all" then this line will apply to all
processes using securelib on this host. Otherwise, this name is
checked against the environment variable "SL_NAME" to see if that's a
match. If it does match, then the line is taken to apply to the
current process.
The mask field (the last field on each line) is a set of bits which
are taken out of the source host's address before further comparison.
These are bits in the address which can be ignored.
The address field (the second field on each line) is the address which
the source host's address must match in order for a connection to be
successful. The source address is only compared to this address after
the bits specified by the mask field have been cancelled out.
For example, the line:
    all 128.199.0.0 0.0.255.255
would apply to all programs using securelib and would allow
connections from hosts whose addresses start with 128.199.
A host is allowed to connect if *any* of the lines in the config file,
which apply to that process, give it access. There is no way to
specify a "deny" line which would cause unconditional rejection of
certain addresses.
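The following is an added example, not part of securelib itself: a small
re-implementation of the decision the README describes for "_ok_address",
with the configuration file replaced by a few constructed lines. Note that
the mask field is a "don't care" mask (the complement of a conventional
netmask) and that, with no deny lines, the first applicable rule that
matches grants access; the function names and the sample rules are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { char name[32]; uint32_t addr; uint32_t mask; } rule;

/* Parse a dotted quad into a host-order 32-bit value. */
static int parse_quad(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Parse one config line "<process> <address> <mask>"; 1 on success. */
int parse_rule(const char *line, rule *r) {
    char name[32], addr[32], mask[32];
    if (sscanf(line, "%31s %31s %31s", name, addr, mask) != 3) return 0;
    if (!parse_quad(addr, &r->addr) || !parse_quad(mask, &r->mask)) return 0;
    strcpy(r->name, name);
    return 1;
}

/* securelib semantics: a rule applies if its name is "all" or equals
 * SL_NAME; the mask bits are cleared from the source address and the
 * remainder must equal the rule address exactly, so a rule whose address
 * has bits set inside its own mask can never match. Any applicable
 * matching rule grants access; there is no deny rule. */
int ok_address(const rule *rules, int n, const char *sl_name, uint32_t src) {
    for (int i = 0; i < n; i++) {
        if (strcmp(rules[i].name, "all") != 0 &&
            strcmp(rules[i].name, sl_name) != 0)
            continue;
        if ((src & ~rules[i].mask) == rules[i].addr) return 1;
    }
    return 0;
}

/* Constructed config lines, not a real site's file. */
static const char *config[] = {
    "all 127.0.0.0 0.255.255.255",
    "all 128.199.0.0 0.0.255.255",
    "ypserv 10.1.2.0 0.0.0.255",
};

/* Load the constructed config and decide for one process/source pair. */
int check(const char *sl_name, const char *src_text) {
    rule rules[8]; int n = 0; uint32_t src;
    for (size_t i = 0; i < sizeof config / sizeof config[0]; i++)
        if (parse_rule(config[i], &rules[n])) n++;
    if (!parse_quad(src_text, &src)) return -1;
    return ok_address(rules, n, sl_name, src);
}
```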
STARTING A SECURELIB PROCESS:
"make install" will install both the "start" script and the securelib
shared library in the destination specified in Makefile (usually
"/usr/lib/secure"). To start a process using securelib, use the
command:
    /usr/lib/secure/start <program> <arguments>
This will pass the correct "SL_NAME" environment variable to the program and
will set the correct LD_LIBRARY_PATH so that the program uses securelib.
SPECIAL NOTE TO SunOS 4.1.2 USERS:
There is essentially a bug in /usr/etc/shlib.etc/Makefile. The line
immediately following "libc.so:" looks like this:
    ld -assert pure-text `${OBJSORT} lorder-sparc tmp`
It should look like this:
    ld -assert pure-text `${OBJSORT} lorder-sparc tmp` -ldl
Although I have not actually tested securelib on a 4.1.2 system, I am
fairly certain that you will need to make this change before securelib
will compile and link successfully under 4.1.2.
INSTALLATION:
Create a file called "securelib.conf" in the source directory, using the
file "securelib.conf.ex" as an example. Be sure to tailor this file
to your site's needs. You should also make sure that you include a
rule for the loopback network:
    all 127.0.0.0 0.255.255.255
Edit the Makefile and make changes as appropriate to the definitions
of SHLIB, DESTDIR, and CONFFILE. SHLIB defines the location of Sun's
shlib.etc directory as extracted from the installation tape. This
will almost certainly be "/usr/lib/shlib.etc". DESTDIR is the
directory in which you want the secure library (libc.so.X.X.X) and the
"start" shell script installed. CONFFILE is the full name of the
installed configuration file. The Makefile will set compile-time
constants indicating the location of the configuration file, and it
will also install "securelib.conf" from the current directory as the
name specified by CONFFILE in the "make install" step.
The process of building the new shared library uses the Makefile in
/usr/lib/shlib.etc. Unfortunately, this Makefile assumes that "."
is on your path. Make sure that this is the case or the make will
fail with a message like "objsort: not found".
Once you have made these changes, type "make install" and everything
should go smoothly. Typing just "make" will build the new library in
the SHLIB directory, but it will not install it.
CHOOSING APPROPRIATE LOCATIONS:
Two good places for securelib.conf are "/etc" and "/etc/security".
The advantage of placing it in "/etc/security" is that non-root users
will not be able to determine which Internet addresses are accepted by
the sensitive daemons. This is an extra measure of security, similar
to protecting /.rhosts. However, the disadvantage is that use of the
secure shared library is then restricted to only root processes (since
only root can read the configuration file). If you need non-root
processes to use securelib, or if you do not feel a need to protect
the information in the configuration file, then place the file in "/etc".
The location of the library itself is typically "/usr/lib/secure".
There is no reasonable place to put the library in the Sun file system
hierarchy, so I just invented a new directory. REPLACING OR
SUPERSEDING THE EXISTING libc LIBRARY IS NOT RECOMMENDED!!! The
intent of this package is to provide an alternate libc that can be
used only on selected server processes (usually servers that are
started at boot time). The alternate library is selected by setting
LD_LIBRARY_PATH before starting the server.
USING THE ALTERNATE LIBRARY:
Now decide which servers you want to protect. I personally have
chosen portmap, rpc.pwdauthd, ypserv, and rpc.yppasswdd. Another
possibility is nfsd, but remember that each packet received by nfsd
must be verified by "_ok_address". This may have a noticeable impact
on nfs performance.
Modify /etc/rc.local so that it starts the daemon with the "start"
script. What I have done locally is put some code at the very
beginning of rc.local to determine if the secure library is available
on the system and set an environment variable accordingly:
    SECURE=""
    if [ -x /usr/lib/secure/start ]; then
        SECURE="/usr/lib/secure/start"
    fi
Now any daemon which I want to protect is started with a line like
this:
    $SECURE portmap; echo 'starting rpc port mapper.'
If the shell script does not exist on the machine being booted, then
SECURE will be null and "$SECURE portmap" will expand to merely "portmap".
NOTE TO CUSTOM SHARED LIBRARY BUILDERS:
If you have already built a customized shared library, for example if
you have built a shared library with alternate gethost* routines for
name resolution, you can still use this package. Just make sure that
before you type "make", the object files for your alternate library
are already in place in SHLIB/tmp. If the "tmp" subdirectory already
exists, then this package will not recreate it or re-extract
libc_pic.a. However, it WILL overwrite tmp/accept.o, tmp/recvfrom.o,
and tmp/recvmsg.o. And it will add a line to lorder-sparc (after
saving the original in lorder-sparc.orig).
DISCLAIMERS:
IMPORTANT NOTE: THIS LIBRARY DOES NOT GUARANTEE THAT YOUR MACHINE IS
SECURE!!! This library enhances security---it does not guarantee it.
It can be used to plug several known security holes on machines running
SunOS 4.1 and 4.1.x.
NO WARRANTY:
BECAUSE "securelib" IS DISTRIBUTED FREE OF CHARGE, THERE IS ABSOLUTELY
NO WARRANTY PROVIDED, TO THE EXTENT PERMITTED BY APPLICABLE STATE LAW.
EXCEPT WHEN OTHERWISE STATED IN WRITING, NORTHWESTERN UNIVERSITY,
WILLIAM N. LeFEBVRE AND/OR OTHER PARTIES PROVIDE "securelib" "AS IS"
WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY
AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE "securelib"
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY
SERVICING, REPAIR OR CORRECTION.
IN NO EVENT WILL NORTHWESTERN UNIVERSITY, WILLIAM N. LeFEBVRE, AND/OR
ANY OTHER PARTY WHO MAY MODIFY AND REDISTRIBUTE "securelib", BE LIABLE
TO YOU FOR DAMAGES, INCLUDING ANY LOST PROFITS, LOST MONIES, OR OTHER
SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR
INABILITY TO USE (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA
BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY THIRD PARTIES OR A
FAILURE OF THE PROGRAM TO OPERATE WITH OTHER PROGRAMS) THE PROGRAM,
EVEN IF YOU HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR
FOR ANY CLAIM BY ANY OTHER PARTY.