OpenBSD Journal

stsh - the systrace shell

Contributed by grey on from the more folks should make cool use of systrace like this dept.

Jose Nazario writes:

as part of the OpenBSD book i wrote with brandon palmer, secure architectures with OpenBSD, i developed stsh, the systrace shell. this was inspired by the monkey.org shell acount systrace shell, but this one is implemented differently.

since the book's publication, i have updated stsh to be more flexible. it also changes how the tool is used, so the directions in the book are now obsolete (use the ones on the website). it works pretty well, and ensures that every application you start is wrapped in systrace.

you can compile it to learn behaviors, use your machine for a while, and then evaluate the resulting systrace policies. then you can rebuild it to be in enforce mode, giving you the benefits of systrace for all binaries. since your parent shell is systraced, and everything inherits from that, all apps are systraced. obviously this is not for the faint at heart, but can be useful, especially when combined with mount options, kernel options, permissions modifcations, group management, and the like (ie remove the ktrace capability for normal users, restrict setuid binary usage, and so forth).

hope this helps.

(Comments are closed)


Comments
  1. By Jim (162.40.115.62) on

    Thanks Jose! This is really useful.

  2. By Anonymous Coward (130.233.220.23) on

    Looks neat. Is there a rule that shell names must be one or two letters followed by sh?

    Comments
    1. By jose (204.181.64.2) on http://monkey.org/~jose/

      basically all that stsh does is this:

      when you login, login(1) looks in login.conf(5). if your user class has a "shell" entry in it, login(1) executes that shell. in this case, you're in the stsh class and you have "shell=/bin/stsh" in there.

      what stsh(8) does is this: it opens up your passwd(5) file and looks for your UID and its associated shell. it then executes that under systrace. if your shell is "/usr/local/bin/emacs", for example, you'll get a systraced emacs shell. stsh replaces itself with this entry from your passwd(5) line for your account.

      simple as that. there's no globbing for the shell name. shells(5) are enforced by passwd(1), so they'll have to match that, but that's for a local admin to decide.

      hope that makes sense.

      Comments
      1. By Anonymous Coward (200.221.124.40) on

        why login can't use passwd to check for login shells? after all, the info is already there! burn redundant info!

        Comments
        1. By Anonymous Coward (80.65.225.73) on

          Maybe because stsh isn't really a shell by itself, but a wrapper around the user prefered shell (recorded on /etc/passwd).

        2. By jose (65.23.81.140) on

          letting it be controlled by login.conf(5) lets you have classes of users you can modify on the fly. you can have default and special classs. using a "shell" entry in there works well, because then you can't change it with chsh(1). hence, usrs can't evade mechanisms like stsh or whatever wrapper you throw in there.

          the layer of abstraction provided by login.conf(5) is actually quite useful. you dont have to manage more than one file to control a set of users.

    2. By nazsco (200.221.124.40) on

      yep, RFC823, entitled "shell binaries nomenclature"

  3. By Anonymous Coward (68.125.86.22) on

    Wheee! neato. Thanks.

  4. By Anonymous Coward (80.65.225.73) on

    Great and usefull tool!

    May I suggest an improvment ?

    Maybe the provided systrace policies could be refined manually, for simplification, and to improve security.

    E.g. in bin_cat
    native-fsread: filename eq "/home/jose/crimelabs/software/stsh/README" then permit
    [...]
    native-fsread: filename eq "/etc/malloc.conf" then permit
    [...]
    native-fsread: permit
    
    Could be reduced at "native-fsread: permit". Or (maybe better) 
    "native-fsread: permit, if user != root".
    Idem for other policies.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]