Re: [Cerowrt-devel] cerowrt security

[Aristar <LeetMiniWheat@gmail.com>]

On Mon, Oct 21, 2013 at 9:59 PM, Dave Taht <dave.taht@bufferbloat.net> wrote:
>
> One of my big bugaboos is privilege separation. The squashfs filesystem
> supports nothing more than uid 0, and most processes run as root, which
> is just pain wrong... I'd like the front end web server to be running
> as a very restricted user in particular and using fastcgi to be talking
> to the config....

Hmm, interesting. So this is why using su -c to run a service as
another user has permission issues. I assume sudo -u still retains
some root privledges, which is why it works. (Ran into this issue when
configuring my IRC bouncer, Miau)

With such limited space on the flash, I understand the reasoning for
using squashfs. Not sure of any alternatives. Although there is the
possibility of chainloading a distribution off USB stick. There's a
debian-mips guide for doing that here: (
https://wiki.debian.org/InstallingDebianOn/D-Link/DIR-825 ) though the
complexity involved in doing something similar with openwrt/cerowrt
would be extensive.

> > DNSCrypt-proxy[...]
>
> I can make it available as an optional package in ceropackages. patches
> gladly accepted.

That would be great! I still can't figure out how to get the
imagebuilder or SDK working, but perhaps I'll give it another try
sometime. Openwrt is still a bit foreign to me since I used to work on
tomato-based forks. The wiki documentation on openwrt and cerowrt are
both very old and seem assume a certain level of prior-knowledge to
the inner workings of the distribution.

> > sysctl.conf network hardening:
> >
> > source address verification to protect against IP spoofing
> > net.ipv4.conf.default.rp_filter=1
> > net.ipv4.conf.all.rp_filter=1

> I was actually under the impression these two were set by default these days.

I only mentioned the ones I saw that weren't enabled by default in
cerowrt, and this is not (on 3.7.5).


> > IPv6 Privacy Extensions (RFC 4941) ( http://tools.ietf.org/html/rfc4941 )
> > net.ipv6.conf.all.use_tempaddr = 2
> > net.ipv6.conf.default.use_tempaddr = 2

> It makes me nervous to think my core dns server is going to hang
> off some dns address I can't remember either.

Yeah I was wondering if some random address might screw that up.


>> Symlink Protection:
>> fs.protected_hardlinks = 1
>> fs.protected_symlinks = 1
>
> Well I'm not sure if this is a real problem or not. I'd certainly like a
> security minded individual to try out the attacks outlined here:
>
> http://securityevaluators.com/content/case-studies/routers/soho_service_hacks.jsp
>
> The successful ones were mostly an exploit via symlink against samba.
>

Interesting read. Seems like a lot of those were samba and improper
file permissions (which a better filesystem than squashfs might help
solve?)