From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-qc0-x22c.google.com (mail-qc0-x22c.google.com [IPv6:2607:f8b0:400d:c01::22c]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by huchra.bufferbloat.net (Postfix) with ESMTPS id 81A8721F1E1 for ; Mon, 21 Oct 2013 20:25:39 -0700 (PDT) Received: by mail-qc0-f172.google.com with SMTP id c9so5085523qcz.31 for ; Mon, 21 Oct 2013 20:25:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:content-type; bh=K/SYzsjf/qwOnrpWRZ8ahHXO3UpMh8IzSPQaSPQzWS4=; b=ly4+uPD1WWmJUbh4cgOocKqJiH5swCS6S3C2KqOcGCpNxyCXtMk+9Kg0gQGuHX0onJ W2ob4FYoNYpkFNMwMwzdTmI1GPwbtuX90E3OkBIoxa3qRM4zoDafV3O6daenKb3kYOUI sPp7TZSby0CSwLb4gxXic1I/5NlxKSqOkgesN1yxtXpTiTokO1drEV2sPN/Rd9QmLMLi cfwTPi4Gbs8Ox1zFue0AxjFhMLBQvFP9pKJBhWI4EZm+cH/6Qn6gsEePbdbVLkCL8u/I tdDWA++1Q8BTaXbvg2RIqRH7NIm8I+sb0nExp+aru91ifuBkhArWAzDveugAfCKxvKxC 8iLg== X-Received: by 10.224.40.138 with SMTP id k10mr27238068qae.67.1382412338022; Mon, 21 Oct 2013 20:25:38 -0700 (PDT) MIME-Version: 1.0 Sender: white.phoenix@gmail.com Received: by 10.96.152.73 with HTTP; Mon, 21 Oct 2013 20:25:07 -0700 (PDT) In-Reply-To: <20131022015949.GB5076@lists.bufferbloat.net> References: <20131022015949.GB5076@lists.bufferbloat.net> From: Aristar Date: Mon, 21 Oct 2013 23:25:07 -0400 X-Google-Sender-Auth: pfvsvBnjrccnmhxgbwArSArYZ74 Message-ID: To: cerowrt-devel Content-Type: text/plain; charset=ISO-8859-1 Subject: Re: [Cerowrt-devel] cerowrt security X-BeenThere: cerowrt-devel@lists.bufferbloat.net X-Mailman-Version: 2.1.13 Precedence: list List-Id: Development issues regarding the cerowrt test router project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Oct 2013 03:25:39 -0000 On Mon, Oct 21, 2013 at 9:59 PM, Dave Taht wrote: > > One of my big bugaboos is privilege separation. The squashfs filesystem > supports nothing more than uid 0, and most processes run as root, which > is just pain wrong... I'd like the front end web server to be running > as a very restricted user in particular and using fastcgi to be talking > to the config.... Hmm, interesting. So this is why using su -c to run a service as another user has permission issues. I assume sudo -u still retains some root privledges, which is why it works. (Ran into this issue when configuring my IRC bouncer, Miau) With such limited space on the flash, I understand the reasoning for using squashfs. Not sure of any alternatives. Although there is the possibility of chainloading a distribution off USB stick. There's a debian-mips guide for doing that here: ( https://wiki.debian.org/InstallingDebianOn/D-Link/DIR-825 ) though the complexity involved in doing something similar with openwrt/cerowrt would be extensive. > > DNSCrypt-proxy[...] > > I can make it available as an optional package in ceropackages. patches > gladly accepted. That would be great! I still can't figure out how to get the imagebuilder or SDK working, but perhaps I'll give it another try sometime. Openwrt is still a bit foreign to me since I used to work on tomato-based forks. The wiki documentation on openwrt and cerowrt are both very old and seem assume a certain level of prior-knowledge to the inner workings of the distribution. > > sysctl.conf network hardening: > > > > source address verification to protect against IP spoofing > > net.ipv4.conf.default.rp_filter=1 > > net.ipv4.conf.all.rp_filter=1 > I was actually under the impression these two were set by default these days. I only mentioned the ones I saw that weren't enabled by default in cerowrt, and this is not (on 3.7.5). > > IPv6 Privacy Extensions (RFC 4941) ( http://tools.ietf.org/html/rfc4941 ) > > net.ipv6.conf.all.use_tempaddr = 2 > > net.ipv6.conf.default.use_tempaddr = 2 > It makes me nervous to think my core dns server is going to hang > off some dns address I can't remember either. Yeah I was wondering if some random address might screw that up. >> Symlink Protection: >> fs.protected_hardlinks = 1 >> fs.protected_symlinks = 1 > > Well I'm not sure if this is a real problem or not. I'd certainly like a > security minded individual to try out the attacks outlined here: > > http://securityevaluators.com/content/case-studies/routers/soho_service_hacks.jsp > > The successful ones were mostly an exploit via symlink against samba. > Interesting read. Seems like a lot of those were samba and improper file permissions (which a better filesystem than squashfs might help solve?)