Contributed by grey on from the spike sharpening dept.
Stephanie is an OpenBSD hardening package; Viagra for the blowfish, if you will. It adds several security features not present in OpenBSD that many admins and users would like on their systems. Stephanie contains features both for compromise prevention and post-compromise damage reduction; or, last line of defense.
The site for the updated project is: http://www.ethernet.org/~brian/Stephanie/
By Anonymous Coward (69.197.92.181) on
By Anonymous Coward (68.232.139.94) on
By Anonymous Coward (67.71.79.251) on
By Pete (213.145.178.123) on
By djm@ (61.95.66.134) on
Anyway, the idea of loading hashes of apps into the kernel is dumb, dumb, dumb. If you really want to play games like that (and I think that there are bigger security fish to fry), then at least do it scalably e.g. using public key crypto and signatures in ELF extensions. The Immunix people had a prototype of something similar to this for Linux 5 or so years back IIRC.
By Anonymous Coward (68.161.210.128) on
By Anonymous Coward (195.217.242.33) on
By Anonymous Cowboy69 (217.148.68.113) on
By Anonymous Coward (68.161.210.128) on
By Anonymous Coward (69.197.92.181) on
By br1an (212.143.248.148) on
By Anonymous Coward (69.197.92.181) on
By br1an (212.143.248.148) on http://ethernet.org/~brian/Stephanie/
however.. it has become a trend here in (un)deadly complaining about tremendous amounts of bugs - both in openbsd, ports, packages, and third-party work, all without providing even one example.
it is true that earlier releases of stephanie that went under my hands had bugs in them, but such is all software. you are using an OS that gets enormous amounts of bug fixes every day - look at cvs logs. for this release of stephanie i spent extra time making sure, with several people, in several configurations (and on several architectures) that this is the best i can do. if you wanna give it a shot, go ahead and do it, if you don't, at least provide useful bug reports. (as none have already) i've been here long enough to know that words are just words. ;)
djm@ - your opinion of saving tables of fingerprints in the kernel is okay, but if others here would like to get the bigger picture, let me give it briefly - openbsd forked off netbsd, and shares huge amounts of code with it. most of the work tedu@ is stolen (as he lurks on tech-kern@ and probably other mailing lists) and a lot of netbsd work ends up in openbsd.
that said, netbsd had code similar to Vexec - in fact, earlier versions (in stephanie for 3.2 and 3.4) used some of it - in the OS core/base/whatever. seeing how many ideas and code gets nuked by netbsd people on the various mailing lists, and how this code made it in, i leave it up to you to decide what way to take. i'm not trying to get it in openbsd's base, nor trying to make it a de-facto standard for openbsd users; i'm just saying that i trust opinions of people like jason thorpe, david laight, and bill studenmund a bit more than damien miller's. ;)
By Matt Van Mater (65.205.28.104) on
TPE looks like a slightly more fine grained control of access control. It looks like it was intended to be somewhere between mounting a partition noexec and simply setting ACLs on a directory. I can imagine there are some people who neither want to be super security nazi and mount drives noexec,ro and also who don't want to have ACLs as their sole means of protection.
I agree with djm about storing the hashtables inside the kernel. I like linux for certain things, but I don't like some distros' habit of putting everything in the kernel for a performance gain. I'm not saying that's what you're doing, but I feel like a kernel mod should be your last resort, and that it's probably not the best way to store/secure that hash.
By br1an (212.143.248.148) on http://ethernet.org/~brian/Stephanie/
By Anonymous Coward (69.197.92.181) on
By mirabile (212.185.103.56) on http://mirbsd.de/
we would like to get a real name on the licence for inclusion,
or some photo-copy of an official document which states 'br1an'
is your pseudonym/artist(ic) name. (It's hard to get them here :(
By Miod (212.234.41.17) on
By br1an (212.143.248.148) on
By grey (66.197.133.17) on
By Anonymous Coward (195.217.242.33) on
Oh dear
By Anonymous Coward (203.206.244.7) on
no one's got a gun to your head to install this.
search the archives for what some committers think. if something really pisses you off, write a patch to fix it. otherwise just shut up, you're not helping.
it's the openbsd way
or at least it used to be.
By Anonymous Coward (67.71.79.251) on
By Anonymous Coward (211.30.147.144) on
Is it more likely to increase or decrease security compared to a regular OpenBSD setup? (because I'm confused at these statements made by others)
Do Brian's enhancements end up in the official OpenBSD package?
Are they audited in the same manner as well?
Any experienced OpenBSD user input would be appreciated.
By Matt Van Mater (65.205.28.104) on
I can't speak to the quality of this particular patch set, but that is why people are badmouthing it. Also, it will almost certainly not end up in the core install of obsd. The dev team thinks it creates more problems than it's worth (see DJM above), and from my limited knowledge of the subject I tend to agree.
By dqueue (68.167.163.180) on
By CFrankB (63.255.174.162) cfrankb@gmail.com on http://www.1nun.net/
By Anonymous Coward (141.39.2.1) on
By CFrankB (63.255.174.162) on
By Chas (147.154.235.53) on
smbclient and Oracle's sqlplus utility both like to take passwords on the command line.
Oracle has long offered an unsupported utility called hide.c that writes 3000 chars into argv[0], which on most systems is sufficient to prevent the ps command from revealing passwords. I have also written a ksh93 script that accomplishes the same thing.
However, on OpenBSD, even after adding 10000 extra chars, a ps awwx will still reveal all the argument list.
I realize that I should answer my own question and dig into the source for the kernel process table, but why is this happening and what can be done on OpenBSD to conceal sensitive argument vectors from ps?
Right now, Stephanie would be my first recourse in accomplishing this (however flawed/risky some may think that to be).
By Anonymous Coward (65.205.204.37) on
By chas (147.154.235.53) on
If you've got the source to Oracle's sqlplus, you'd better keep quiet about it.
AFAIK, Oracle uses the same sqlplus codebase to generate binaries for UNIXen, VAX/Alpha VMS, MVS/zOS, and Win32. I guess that they've argued that they don't want too much UNIX influence in the source.
By tedu (66.93.171.98) on
and since it already does prompt for a password if you don't provide one, it looks like they've managed to cope with said contamination.
By Anonymous Coward (69.197.92.181) on
By Chas (147.154.235.53) on
Not all software is good, and sometimes critical data requires less than perfect access methods.
If your customer needs their order status out of an Oracle database, or they need to see some document held on a Win32 file server, you can't tell the business that it is inappropriate to use working technology because of a stance that really resembles a whim.
By Anonymous Coward (69.197.92.181) on
By Chas (64.109.19.61) on
Actually, show me how to do it in VMS and I'll give you a dollar.
By Anonymous Coward (66.93.171.98) on
$ TYPE passwordfile
$ DEFINE/user sys$input tmppass
$ sqlplus
$ DELETE tmppass
or so.
By Chas (147.154.235.51) on
Notice that I said smbclient. Linked to Multinet. On a VAX.
I'll keep my dollar, thanks.
By tedu (66.93.171.98) on
don't you have the source for smbclient?
so far, your posts have described the following problem:
you need to patch the openbsd kernel to run sqlplus because you don't have the source in order to run smbclient on a vms machine.
did i get that right? i just want to make sure i understand the problem.
By Chas (147.154.235.51) on
I was asked for "a real example," and smbclient under VMS fits (smbclient is NOT an Oracle product - it is part of the Samba suite).
When you have to deploy something like smbclient or Oracle across several different technologies, it becomes tempting to use the simplest methods possible, and this will mean passwords in argv visible in the process list (on UNIX).
Stephanie is the only method that I know of on OpenBSD that conceals argv, should I decide that I need the functionality in the future.
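As an added example (not code from any poster or from Stephanie), this sketch covers the defensive side of the problem discussed in this sub-thread: it flags `ps awwx` lines where sqlplus or smbclient was started with a password in argv, and shows handing the secret to a client on stdin instead. The process listing, account names and passwords are constructed sample data, and the mitigation assumes the client reads its password from stdin when none is given on the command line.

```shell
#!/bin/sh
# Added example; the ps listing below is constructed sample data.
sample_ps() {
    cat <<'EOF'
  PID TT  STAT       TIME COMMAND
 4121 p0  I       0:00.02 sqlplus scott/tiger@ORCL @report.sql
 4130 p1  S       0:00.01 /usr/local/bin/smbclient //fs01/orders -U batch%hunter2 -c ls
 4144 p2  I       0:00.00 sqlplus /nolog
 4150 p3  S       0:00.03 smbclient //fs01/orders -A /etc/smb.auth -c ls
EOF
}

# Read "ps awwx"-style output (PID TT STAT TIME COMMAND) on stdin and print
# "PID tool" for each process whose argv carries a password. The secret
# itself is never echoed back.
find_argv_secrets() {
    awk '
    NR == 1 && $1 == "PID" { next }        # skip the ps header line
    {
        tool = ""; hit = 0
        for (i = 5; i <= NF; i++) {
            if (tool == "") {              # first COMMAND word: program name
                n = split($i, part, "/"); tool = part[n]; continue
            }
            # sqlplus logon string user/password[@db]
            if (tool == "sqlplus" && $i ~ "^[^/@-][^/@]*/[^@]+(@|$)") hit = 1
            # smbclient -U user%password (joined or as the next word)
            if (tool == "smbclient") {
                if ($i ~ "^(-U|--user=).+%.") hit = 1
                if (($(i-1) == "-U" || $(i-1) == "--user") && $i ~ ".%.") hit = 1
            }
        }
        if (hit) print $1, tool
    }'
}

# Mitigation: run "$@" with the secret on stdin. A here-document is written by
# the shell itself, so no process is ever exec'd with the secret in its argv.
feed_secret_on_stdin() {    # usage: feed_secret_on_stdin SECRET cmd [args...]
    secret=$1; shift
    "$@" <<EOF
$secret
EOF
}
```

Run `ps awwx | find_argv_secrets` to audit a live host; the here-document is used rather than `printf ... |` because `printf` is not a builtin in every shell and would then expose the secret in its own argv.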
By Michiel van Baak (80.126.97.99) michiel@vanbaak.info on
By tedu (66.93.171.98) on
By mirabile (212.185.103.56) on http://mirbsd.de/
Yes, I know, -w is optional...
If you're interested, I can pick out that as a diff again.
By br1an (212.143.248.148) on
i believe that moving more code to use sysctls instead of kvm will probably be a far better contribution to the openbsd source tree than the boring 'allowpsa' and 'allowpse'.
By mirabile (212.185.103.56) on http://mirbsd.de/
(mostly because I'm not good at picking names), which accomplish that.
Some (about a third) of the code, and the whole idea, are from a mail
(IIRC) Todd Fries sent to me, asking if I could fix that. When I was
ready, they won't include it because they will be pursuing a different
approach, that's what I was told.
In the meanwhile, it works well on my boxen.
By res (64.180.113.251) on
for every project there are people making claims about its poor security, trying to sound like some professional security auditor that has laughed his ass off reading every line.
well, i think he's done a pretty good job this time (haven't seen his past efforts, and who cares)
there are many people that talk such smack about openbsd itself in the manner most of you are talking about this project. in fact, i've seen very similar 'what a shitty coder' comments made about theo on more than 100 occasions. i'm sure theo has written software with a security hole or two in his past, but he's moved on to write excellent software.
why not give it a chance, or if you are so skeptical, why don't you prove it to be a piece of shit by auditing it yourself? it's fun
just like openbsd and everything else i use, i hope someone finds a serious hole or two in stephanie so it can be fixed (i am certain they both have bugs left), and be that much more secure for it.
By EN (81.227.101.233) on
By Anonymous Coward (211.30.147.144) on
By zerash (24.73.232.98) zerash@metawire.org on http://www.metawire.org/~zerash/
-Dan
By zerash (24.73.232.98) zerash@metawire.org on http://www.metawire.org/~zerash/
Brian implemented Stephanie on metawire.org, practically as soon as he joined our admin team, thus we had a chance to use it/run it for already a couple of months before the official release for 3.6.
Claims such as the first comment, regarding that using Stephanie would only decrease security and performance are simply outrageous; especially coming from someone who most likely hasn't even tried applying the patches in the first place.
Metawire currently houses over five thousand users and this whole time has been running with Stephanie hand in hand, without a glitch and barely any increase in performance. I've personally watched brian work on this project day to day, enhancing performance day by day, and although it might not seem as much, I can vouch(sp?) for the excellent quality of these patches without a doubt.
Our systems are stable, loads are good and all the patches help the security of the system tremendously.
-Dan
By riddler (82.208.148.206) ealex@metawire.org on http://riddler.metawire.org
And again, with the risk of repeating what has been said, if you claim something is wrong with the code, speak out, point out the holes, make patches, support it. Otherwise you're useless and wasting air.
Using or not-using this depends merely on the trust you have in the author's skills, if you have none of your own, as is the case with anything out there, from Windows (TM) to Openbsd, to apache, minesweeper or hell knows what else. You trust the source, you run the code. If you don't, audit it if you can, if not, just leave it be, don't go off and bash it with kiddiot posts.
Anyone can troll and destroy. Not everyone can support and be constructive.
EOF
By Anonymous Coward (69.197.92.181) on