10.5: Use a custom firewall in 10.5 with ipfw (CAREFUL!)
Authored by: el.tyde on Dec 01, '07 10:40:33PM

-rw-r--r-- 1 root admin 507 28 Jul 10:20 /Library/LaunchDaemons/ipfw_firewall.plist

...

Really? One question though. (Please forgive my distrust.) What good are these permissions when the ipfw_firewall.plist you published in your hint outsources your firewall rules to:

/Users/blah/bin/ipfw_firewall.sh
i.e. your ~/bin

Can you explain to me the benefits of having your system's firewall rules trivially in your user space? You wouldn't happen to be surfing the web as this user, would you?

Wait. Never mind the firewall. You are using LaunchDaemons. Did you just give away root?:

<array>
<string>/Users/blah/bin/ipfw_firewall.sh</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>UserName</key>
<string>root</string>

Or perhaps you would like to clarify to novice users that the /Users/blah account is somehow special (hint: not for daily use)?

robg: you let this slide?



10.5: Use a custom firewall in 10.5 with ipfw (CAREFUL!)
Authored by: mlott on Jan 10, '08 08:31:57AM
Hi
What good are these permissions when the ipfw_firewall.plist you published in your hint outsources your firewall rules to: Can you explain to me the benefits of having your system's firewall rules trivially in your user space?

Really?
If you had bothered to read the attached file, you would notice that the file (after the XML) starts with #!/bin/sh and, if you are aware of how shell scripts work, then you would know that there are no shell commands for add 00100 set 0 allow ip from any to any via lo* (as an example) unless coupled with the command ipfw add, which is not the case here.

To that end, it is obvious that the script ends on the line $IPFW -q /etc/ipfw.conf. If you had also bothered to read the ipfw manpage, you would realise that /sbin/ipfw -q /etc/ipfw.conf tells ipfw to load firewall rules in the configuration file that is in the path /etc/ipfw.conf, which is where you put all the text under the line:

- and last but not least the /etc/ipfw.conf file looks like this:
It even states:
# Load rule set from /etc/ipfw.conf

For info, the group ownership for the ipfw_firewall.plist file should really be with wheel, the same as the plists in /System/Library/LaunchDaemons/ and the /etc/ipfw.conf file should be owned by root, and only readable by root, no one else.

It would also definitely be better to have the ipfw_firewall.sh somewhere within the /usr/local/ tree (maybe /usr/local/scripts/, or /usr/local/bin).

Wait. Never mind the firewall. You are using LaunchDaemons. Did you just give away root?

What?
How exactly did he "give away root"? You are throwing FUD. If you can show evidence of him giving away the root account, then please let us know. I do not claim to be a security expert in any way, so I would sure love to see how you are able to escalate to root privs in this instance (I think that Apple would like to see that too). Launchd took over from init in 10.4 as the number one process, hence it is owned and run by root for obvious reasons (check the permissions of all system binaries in /sbin/), and yes, I do realise root can pass over to a lesser privileged user/group.

Or perhaps you would like to clarify to novice users that the /Users/blah account is somehow special (hint: not for daily use)?

There is no need for sarcasm, especially when people are trying to help others - it's not nice, is it? Not everyone is as perfect as you seem to think you are, and everyone is hopefully learning something by coming along to Macosxhints. Stop being a smartass.

Instead of calling someone out and slamming them for trying to help, consider highlighting issues that you see, adding what you perceive to be corrections, and thereby educating other people that might be reading this post. There is not always one correct way of doing things, and as such, people have differing opinions of achieving the same goal. If you want to flame people, there are a number of discussions at the moment on the OpenBSD Misc list that might suit you down to the ground.

For info in the attached file, I notice that there is a rule detailed for:

# ip-options
# (per FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options)
I believe this has been fixed (see here) and I don't think this is necessary.

All that aside, it is interesting that you can now run both ipfw and Apple's application firewall in tandem. This adds an extra layer of security (defence in depth) for those that wish to utilise it. Something to consider for those that are delving more into firewalls and layered security. There is a nice and short read here, though a little dated, on the subject of firewalls and highlights some concepts that are still very true. Bruce Schneier is also very insightful when it comes to security that is not just applicable to the world of IT.

Mike

10.5: Use a custom firewall in 10.5 with ipfw (CAREFUL!)
Authored by: el.tyde on Feb 10, '08 04:57:42PM
Gibberish.

Let us quote directly from the source:
http://www.macosxhints.com/dlfiles/custom_ipfw_105.txt

- in my ~/bin directory the ipfw_firewall.sh looks like this:

#!/bin/sh
## Boot Script for firewall

#
# CONSTANTS
#

IPFW=/sbin/ipfw
SYSCTL=/usr/sbin/sysctl

...

The question was not: "How exactly did he 'give away root'?" (as you put it). The question was: "DID [he] just give away root?" (as I put it). So did he? And did you, if you implemented the hint as originally described (with vague ownership/permissions)?

I wouldn't know. That would depend on: all of your daemon script-related ownership and permissions, which the "Sat, Dec 1 '07 10:40PM PST" post here asks to clarify. (And on: what websites he/you may have visited - that's just one possibility.)

Since I respect the possibility that you might really be missing something, I will clarify.

NOTE: The issue here is entirely about ownership and permissions related to: ipfw_firewall.sh. It is very bad practice to have a script like this (in a user directory like ~/bin, or some other such vague directory with vague permissions) and have it modifiable possibly by anyone. Why? Because it will run as root (e.g. during boot time, via described launchd plist). If you, or Safari (or whatever) running as user, or anyone can arbitrarily write commands to such a script, then that anything can run as root upon execution of the script. Game over, if you'd like. A daemon script like the one described in this hint, running sysctl and ipfw (or whatever) with root permissions, should itself be modifiable only by root.

REF: tn2083.html

[ Reply to This | # ]
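
The ownership point made in the post above, as an added example that is not part of the thread or the original hint: a Python audit that reads a launchd job's plist, takes the program that will run as root, and flags the script and every parent directory that is not owned by root or is writable by group or others. The sample plist is constructed from the fragment quoted earlier in the thread; its Label value and the function names are assumptions.

```python
import os
import plistlib
import stat
import sys
from pathlib import PurePosixPath

# Constructed sample: a complete job definition shaped like the fragment quoted
# in the thread (the Label value is made up for this example).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>example.ipfw_firewall</string>
  <key>ProgramArguments</key>
  <array><string>/Users/blah/bin/ipfw_firewall.sh</string></array>
  <key>RunAtLoad</key><true/>
  <key>UserName</key><string>root</string>
</dict></plist>
"""

def daemon_program(plist_bytes):
    """Executable that launchd starts for this job."""
    job = plistlib.loads(plist_bytes)
    return job.get("Program") or job["ProgramArguments"][0]

def audit_chain(path, stat_fn=os.stat):
    """Return (path, problem) pairs for the script and each parent directory
    that someone other than root could modify or replace.
    Pass a path already resolved with os.path.realpath()."""
    findings = []
    target = PurePosixPath(path)
    for node in [target, *target.parents]:
        st = stat_fn(str(node))
        if st.st_uid != 0:
            findings.append((str(node), "owned by uid %d, not root" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((str(node), "writable by group or others"))
    return findings

if __name__ == "__main__":
    # Usage: python3 audit_daemon.py /Library/LaunchDaemons/ipfw_firewall.plist
    with open(sys.argv[1], "rb") as fh:
        program = os.path.realpath(daemon_program(fh.read()))
    problems = audit_chain(program)
    for node, problem in problems:
        print("%s: %s" % (node, problem))
    sys.exit(1 if problems else 0)
```

The same audit_chain call can be pointed at /etc/ipfw.conf (resolved with os.path.realpath), since the script hands that file to ipfw as root.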

10.5: Use a custom firewall in 10.5 with ipfw (CAREFUL!)
Authored by: Brathahn on Mar 03, '08 02:28:26AM

Thanks guys! Having the ipfw_firewall.sh script in ~/bin was too lazy of me.... I tend to keep my scripts in one place to be able to edit them easily... so I've updated the .plist for launchd and the script is now sitting in /usr/local/sbin with root:wheel permissions...

And NO, I don't use my "blah" account for admin stuff. So it always goes like "su admin" and then "sudo -s"....


Thanks for all the feedback, unfortunately I don't check back too often and there's no option to receive email alerts if something gets added in a thread / topic started by me (or at least I didn't find the checkbox for it...)


