Privilege separation
Renaud Deraison
deraison at nessus.org
Wed Aug 25 18:31:25 EDT 2004
On Wed, Aug 25, 2004 at 12:46:44PM -0500, eric wrote:
> On Wed, 2004-08-25 at 17:49:54 +0200, Renaud Deraison proclaimed...
>
> > Separating the privileges of anything else won't buy you anything,
> > because the plugins need the ability to execute local commands
> > (ie: nmap) as root.
>
> *ding* We have a winner.
>
> That was my point :) and something I'm working on patching to get
> around. Maybe it will happen, maybe it won't. But if so, I'll post
> whatever I've come up with.
You can't patch it without breaking the flexibility of Nessus. Assuming
you're running a privileged server which does all the rooty operations
(raw sockets, sniffing, binding to low ports, executing commands),
you'll have plugins connecting to it and asking to run "nmap" or anything
else.
If you're a clever hacker and for some reason got the ability to make an
unprivileged instance of Nessus execute arbitrary code, you may very
well have your shell code pretending to be a plugin and ask the
unprivileged server to execute "rm -rf /" or anything else. The
privileged instance will blindly follow your order, and you'll have
executed a command as root from a non-root process. Hence, you don't
gain anything.
Now you may say that the easy answer is to restrict the privileged
instance of Nessus to a very specific list of commands to run (ie: only
allow calls to nmap and snmpwalk and nikto, and nothing else), but in
that case you're simply breaking Nessus down to something less flexible,
thus resulting in a loss of functionality in the name of privilege
separation.
If you want to run Nessus securely, install a real operating system
implementing mandatory access control, which will give you a lot of
flexibility, and will provide you with more security than privilege
separation. I know that OpenBSD does not intend to implement MAC anytime
soon, but they can't always be right.
-- Renaud
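The two designs discussed in the message above, modelled as an added example (this is not Nessus code, nor anything from the thread's authors): a "blind" privileged broker that runs whatever the unprivileged side asks for, contrasted with one restricted to the nmap/snmpwalk/nikto allowlist the message mentions. The request format, the tool list and the argument filter are assumptions made for the example; nothing is executed, the broker only returns its verdict, which is what makes the confused-deputy failure easy to see. The allowlisted variant also refuses shell metacharacters in arguments, going one step beyond the message, since a name-only allowlist is not enough once argv reaches a shell.

```python
"""Model of a privileged command broker for a privilege-separated scanner.

Two policies are contrasted:
  * blind: the privileged side runs whatever the unprivileged side asks,
    so a compromised unprivileged process gains root anyway (the failure
    mode described in the message).
  * allowlist: only a fixed set of tools may be requested, arguments are
    passed as argv (never through a shell), and any shell metacharacter
    is rejected before anything would be executed.

Nothing here executes commands; the decide_* functions only return the
verdict. Tool names and the request format are assumptions for this example.
"""
import re
import shlex
from dataclasses import dataclass

# Assumed allowlist: the external tools the scanner legitimately needs as root.
ALLOWED_TOOLS = {"nmap", "snmpwalk", "nikto"}

# Arguments must be plain tokens. No shell metacharacters means the broker
# could hand argv straight to execve() without a shell ever interpreting it.
_SAFE_ARG = re.compile(r"^[A-Za-z0-9_.:/@=,-]+$")


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str
    argv: tuple = ()


def _parse(line: str) -> list:
    """Split a request line into argv tokens without invoking a shell."""
    try:
        return shlex.split(line)
    except ValueError:          # unbalanced quotes etc.
        return []


def decide_blind(line: str) -> Verdict:
    """The blind broker: it trusts the unprivileged side completely."""
    argv = _parse(line)
    if not argv:
        return Verdict(False, "empty or malformed request")
    return Verdict(True, "blind policy: anything goes", tuple(argv))


def decide_allowlist(line: str) -> Verdict:
    """The restricted broker: fixed tool set, argv only, no shell syntax."""
    argv = _parse(line)
    if not argv:
        return Verdict(False, "empty or malformed request")
    tool, args = argv[0], argv[1:]
    if tool not in ALLOWED_TOOLS:
        return Verdict(False, f"tool not allowed: {tool}")
    for a in args:
        if not _SAFE_ARG.match(a):
            return Verdict(False, f"rejected argument: {a!r}")
    return Verdict(True, "allowlisted", (tool, *args))


if __name__ == "__main__":
    # Constructed sample requests, the last two as a hijacked plugin might send them.
    for req in ["nmap -sS 10.0.0.5", "rm -rf /", "nmap -sS 10.0.0.5; rm -rf /"]:
        b, a = decide_blind(req), decide_allowlist(req)
        print(f"{req!r:38} blind={b.allowed!s:5} allowlist={a.allowed!s:5} ({a.reason})")
```

The trade-off the message describes shows up directly: the blind broker accepts `rm -rf /` and the allowlist rejects it, but the allowlist also rejects any tool a new plugin might legitimately want, which is exactly the loss of flexibility being argued about.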