Need Help Building a Jail for INN2

https://www.novabbs.com/computers/article-flat.php?id=1015&group=news.software.nntp#1015

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!news.mixmin.net!.POSTED!not-for-mail
From: resista...@is.futile (Borg)
Newsgroups: news.software.nntp
Subject: Need Help Building a Jail for INN2
Date: Sun, 17 Jul 2022 06:18:05 -0500
Organization: Mixmin
Message-ID: <tb0r44$3kh05$1@news.mixmin.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Sun, 17 Jul 2022 11:17:24 -0000 (UTC)
Injection-Info: news.mixmin.net; posting-host="e03b4974be6f314b21e8c21f3ffff72ee885c4df";
logging-data="3818501"; mail-complaints-to="abuse@mixmin.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
Thunderbird/91.9.1
Content-Language: en-US
by: Borg - Sun, 17 Jul 2022 11:18 UTC

To build a Debian jail for INN2 I must know every single file, device
file, and directory to which INN needs access so that I may whitelist
them and blacklist all others. The end goal is to build a restricted
sandbox that locks out all other directories and binaries so that remote
compromise is rendered nigh impossible--then package it up with easy
options to operate over a Tor hidden service. The end user/operator
would just drop down the jail file and execute it, then everything will
be up and running, with a Tor hidden service, systemd profiles and
services included.

I am willing and actually happy to do all the work of creating the jail
and a fool-proof configuration so Debian users can just drop the blob
and run with a single command, with automatic peering and configuration.
But I do not want to spend an eternity examining source code and running
execution traces to narrow down all the requisite resource access.
Locking out just one unnecessary resource could create a real PITA at
some unexpected time.

Running an execution profiling tool will not be very effective since
every possible feature of INN would need to be actually invoked to get a
full trace profile to every binary and directory needed by INN. This just
is not feasible. It would be far more work than the source code for the
jail. The 'ldd' command is helpful but cannot be relied upon to reveal a
complete stack of requisite resources. It is only a dependency link
identification and not a complete call or subprocess identification.
Firejail and bubblewrap traces suffer the same shortcomings.

Does anyone have data on the binaries invoked by INN and the folders,
files, and devices that must be accessible to INN and whatever scripts
and binaries it calls? This is for Debian server, Buster to current.

--

Borg
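The trace-driven approach discussed in the post above, as an added example that is not part of either post: a Python helper that reduces an `strace -f -e trace=%file` log to the set of paths a traced INN process actually touched, separates out probes that only ever failed (such as a lookup of a missing /etc/ld.so.preload, which a jail need not provide), and emits matching bubblewrap bind flags. The sample trace, its paths and PIDs are constructed, and, as the post notes, the result covers only the code paths that the traced run exercised.

```python
"""Build a candidate jail allowlist from an ``strace -f -e trace=%file`` log."""
import re

# Constructed sample in strace -f layout (not a real INN trace); a real log
# would come from e.g.: strace -f -o inn.trace -e trace=%file /usr/lib/news/bin/innd
SAMPLE_TRACE = """\
1201  execve("/usr/lib/news/bin/innd", ["innd"], 0x7ffc1e2c3a10) = 0
1201  openat(AT_FDCWD, "/etc/ld.so.preload", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
1201  openat(AT_FDCWD, "/etc/news/inn.conf", O_RDONLY|O_CLOEXEC) = 3
1201  openat(AT_FDCWD, "/var/lib/news/history", O_RDWR) = 4
1201  stat("/var/spool/news/articles", {st_mode=S_IFDIR|0755, ...}) = 0
[pid  1202] execve("/usr/lib/news/bin/innfeed", ["innfeed"], 0x55d0c0) = 0
[pid  1202] openat(AT_FDCWD, "/dev/null", O_RDWR) = 6
[pid  1201] openat(AT_FDCWD, "/etc/news/inn.conf", O_RDONLY|O_CLOEXEC) = 3
"""

# Matches both "PID  call(args) = ret" and "[pid PID] call(args) = ret" layouts.
LINE_RE = re.compile(r'^(?:\[pid\s+\d+\]|\d+)\s+(\w+)\((.*)\)\s*=\s*(.+)$')
PATH_RE = re.compile(r'"([^"]*)"')


def parse_trace(text):
    """Return {path: succeeded}, where succeeded is True if any access to it worked."""
    seen = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # signal notices and unfinished/resumed fragments carry no path
        _call, args, ret = m.groups()
        paths = PATH_RE.findall(args)
        if not paths:
            continue
        # For openat the dirfd (AT_FDCWD) is unquoted, so the first string is the path.
        seen[paths[0]] = seen.get(paths[0], False) or not ret.startswith("-1")
    return seen


def allowlist(text):
    """Split traced paths into those actually used and probes that only ever failed."""
    seen = parse_trace(text)
    granted = sorted(p for p, ok in seen.items() if ok)
    return granted, sorted(p for p, ok in seen.items() if not ok)


def bwrap_args(granted):
    """Map granted paths to bubblewrap binds: writable only under /var, devices via --dev-bind."""
    args = []
    for path in granted:
        flag = "--dev-bind" if path.startswith("/dev/") else (
            "--bind" if path.startswith("/var/") else "--ro-bind")
        args += [flag, path, path]
    return args
```

Feed it the union of traces from every INN component you can exercise (innd, nnrpd, innfeed, the cron jobs); any path missing from that union will surface later as the surprise denial the post warns about.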

Re: Need Help Building a Jail for INN2

https://www.novabbs.com/computers/article-flat.php?id=1017&group=news.software.nntp#1017

Path: i2pn2.org!i2pn.org!paganini.bofh.team!news.killfile.org!news.eyrie.org!.POSTED!not-for-mail
From: eag...@eyrie.org (Russ Allbery)
Newsgroups: news.software.nntp
Subject: Re: Need Help Building a Jail for INN2
Date: Sun, 17 Jul 2022 08:10:14 -0700
Organization: The Eyrie
Message-ID: <8735ezkc6h.fsf@hope.eyrie.org>
References: <tb0r44$3kh05$1@news.mixmin.net>
Mime-Version: 1.0
Content-Type: text/plain
Injection-Info: hope.eyrie.org;
logging-data="31705"; mail-complaints-to="news@eyrie.org"
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
Cancel-Lock: sha1:Gk+iubp93QdMgq7FiVaDsyaZqFM=
by: Russ Allbery - Sun, 17 Jul 2022 15:10 UTC

Borg <resistance@is.futile> writes:

> To build a Debian jail for INN2 I must know every single file, device
> file, and directory to which INN needs access so that I may whitelist
> them and blacklist all others. The end goal is to build a restricted
> sandbox that locks out all other directories and binaries so that remote
> compromise is rendered nigh impossible--then package it up with easy
> options to operate over a Tor hidden service. The end user/operator
> would just drop down the jail file and execute it then everything will
> be up and running, with a Tor hidden service, systemd profiles and
> services included.

This is unfortunately going to be really hard because INN is rather
sprawling, particularly if you include all of the optional configurations
and extra supported features.

Why not just make a container? I think a container based on a Debian
stable image with the inn2 package installed would accomplish roughly the
same thing. You'd have extra binaries in the container that INN
technically doesn't need, but I highly doubt that would introduce any new
security risks over all the stuff INN does need.

--
Russ Allbery (eagle@eyrie.org) <https://www.eyrie.org/~eagle/>

Please post questions rather than mailing me directly.
<https://www.eyrie.org/~eagle/faqs/questions.html> explains why.
