SunOS 4.1 secure C library package

Written by William LeFebvre, EECS Department, Northwestern University.
Internet address: phil@eecs.nwu.edu

Code for reading the configuration file, along with a few important
patches, was provided by Sam Horrocks of UCI (sam@ics.uci.edu).

OVERVIEW:

This package contains replacement routines for these three kernel calls:
accept, recvfrom, recvmsg.  These replacements are compatible with the
originals, with the additional functionality that they check the Internet
address of the machine that initiated the connection (or sent the
datagram) to make sure that it is "allowed" to connect.  Once compiled,
these can be used when building a new shared libc.  The resulting libc.so
can then be put in a special place.  Any program that should be protected
can then be started with an alternate LD_LIBRARY_PATH.

What you need: SunOS version 4.1, 4.1.1, or 4.1.2 (or 4.1.3 if there ever
is one), installation of the "shared library" option, and root access.
SunOS 5 (Solaris 2.0) users are on their own: I have no idea if this will
work with version 5 or its successors.

You can see if your machine has the shared library option installed by
looking for the directory "/usr/lib/shlib.etc".  If it is not installed,
then you will need to extract it from the distribution tapes
(Sun-factory installed machines will NOT have it installed).

Do you need to use this?  If you can answer all of these questions with
"yes", then this package will benefit you:

  - Are you connected to the Internet (even via a local or regional
    network)?
  - Do all of the routers/gateways between your machine and the "rest of
    the world" route all packets regardless of protocol or port number?
  - Are you concerned about the fact that any user on any system anywhere
    on the Internet can connect to any network daemon that runs on your
    machine, including ypserv and pwdauthd?

AVAILABILITY:

The latest version of securelib is available via anonymous FTP from the
host "eecs.nwu.edu".  It is stored in the file "pub/securelib.tar".
Remember to use the "binary" transfer mode!

DETAILS:

Each modified system call has the same basic algorithm:

    {
        int retval;

        if ((retval = syscall(...)) >= 0) {
            if (_ok_address(socket, addr, *addrlen)) {
                return (retval);
            }
            close(retval);          /* this line: "accept" only */
            errno = ECONNREFUSED;
            return (-1);
        }
        return (retval);
    }

Connections that are established from a host that is not "okay" will be
closed (if established via "accept"), then errno will be set to
ECONNREFUSED and the calling application will get an error indication back
from its system call.  For "recvfrom" and "recvmsg" the offending datagram
has already been read from the kernel by the time the check runs, so it is
simply discarded.  It is assumed that the application will deal with such
an error in an intelligent fashion.  All Sun daemons that we have tried
seem to handle this correctly: they merely do the system call again.

The application will only see success for machines that "_ok_address" says
are acceptable.  All other connections look like failures.  Note that the
decision is based on the IP source address alone; nothing stops an outsider
from forging the source address on a UDP datagram, so for "recvfrom" and
"recvmsg" the check is only as strong as the anti-spoofing filtering on
your routers.

The function "_ok_address" reads a configuration file (normally
"/etc/securelib.conf" or "/etc/security/securelib.conf") which describes
which Internet addresses are acceptable.

CONFIGURATION FILE:

The configuration file (usually /etc/securelib.conf) is read by every
process using securelib to find out which hosts are allowed to make
connections.  Every hour, the config file is stat'ed to see if it has
changed.  If it has, the file is re-read.

The first column in the file is the name of the process to which this line
applies.  If this name is "all" then this line will apply to all processes
using securelib on this host.  Otherwise, this name is checked against the
environment variable "SL_NAME" to see if it matches.  If it does match,
then the line is taken to apply to the current process.

The mask field (the last field on each line) is a set of bits which are
taken out of the source host's address before further comparison.  These
are bits in the address which can be ignored.
The address field (the second field on each line) is the address which the
source host's address must match in order for a connection to be
successful.  The source address is only compared to this address after the
bits specified by the mask field have been cancelled out.  For example, the
line:

    all 128.199.0.0 0.0.255.255

would apply to all programs using securelib and would allow connections
from hosts whose addresses start with 128.199.

A host is allowed to connect if *any* of the lines in the config file which
apply to that process give it access.  There is no way to specify a "deny"
line which would cause unconditional rejection of certain addresses.

STARTING A SECURELIB PROCESS:

"make install" will install both the "start" script and the securelib
shared library in the destination specified in Makefile (usually
"/usr/lib/secure").  To start a process using securelib, put the command

    /usr/lib/secure/start

in front of the daemon's own command line (see the rc.local example
below).  This will pass the correct "SL_NAME" environment variable to the
program and will set the correct LD_LIBRARY_PATH so that the program uses
securelib.

SPECIAL NOTE TO SunOS 4.1.2 USERS:

There is essentially a bug in /usr/lib/shlib.etc/Makefile.  The line
immediately following "libc.so:" looks like this:

    ld -assert pure-text `${OBJSORT} lorder-sparc tmp`

It should look like this:

    ld -assert pure-text `${OBJSORT} lorder-sparc tmp` -ldl

Although I have not actually tested securelib on a 4.1.2 system, I am
fairly certain that you will need to make this change before securelib
will compile and link successfully under 4.1.2.

INSTALLATION:

Create a file called "securelib.conf" in the source directory, using the
file "securelib.conf.ex" as an example.  Be sure to tailor this file to
your site's needs.  You should also make sure that you include a rule for
the loopback network:

    all 127.0.0.0 0.255.255.255

Edit the Makefile and make changes as appropriate to the definitions of
SHLIB, DESTDIR, and CONFFILE.
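The matching rules above are easy to get wrong when writing securelib.conf, because the mask field lists bits to ignore rather than bits to keep, and because lines only ever grant access. The C program below is an added example written for this page; it is not part of securelib. It reimplements those rules on a constructed sample configuration so that a conf file can be checked offline before it is installed. The function names (check_conf, parse_conf, ok_address), the handling of blank and "#" lines, and the sample addresses are all assumptions; securelib's real _ok_address takes a socket and a sockaddr rather than a dotted-quad string.

```c
/* Added example, not securelib's own code: a stand-alone reimplementation of
 * the securelib.conf matching rules, for checking a conf file offline.  All
 * names are assumptions; the real _ok_address() takes a socket and sockaddr. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One "name address mask" line; mask holds the bits of the source to IGNORE. */
struct rule { char name[64]; unsigned long addr, mask; };

/* "128.199.0.0" -> host-order 32-bit value; 0 on success, -1 if malformed. */
static int parse_quad(const char *s, unsigned long *out)
{
    unsigned long v = 0;
    for (int i = 0; i < 4; i++) {
        char *end;
        unsigned long octet = strtoul(s, &end, 10);
        if (end == s || octet > 255 || *end != (i < 3 ? '.' : '\0'))
            return -1;
        v = (v << 8) | octet;
        s = end + 1;
    }
    *out = v;
    return 0;
}

/* Parse conf text into rules[] (at most max).  Blank and '#' lines are skipped
 * (an assumption).  Returns the rule count, or -1 on a malformed line. */
static int parse_conf(const char *text, struct rule *rules, int max)
{
    int n = 0;
    while (*text != '\0') {
        const char *eol = strchr(text, '\n');
        size_t len = eol ? (size_t)(eol - text) : strlen(text);
        char line[256], a[32], m[32];
        const char *p;
        if (len >= sizeof line)
            return -1;
        memcpy(line, text, len);
        line[len] = '\0';
        text = eol ? eol + 1 : text + len;
        for (p = line; *p == ' ' || *p == '\t'; p++)
            ;
        if (*p == '\0' || *p == '#')
            continue;
        if (n == max || sscanf(p, "%63s %31s %31s", rules[n].name, a, m) != 3)
            return -1;
        if (parse_quad(a, &rules[n].addr) < 0 || parse_quad(m, &rules[n].mask) < 0)
            return -1;
        n++;
    }
    return n;
}

/* The decision for one source address.  A line applies if its name is "all" or
 * equals the process's SL_NAME; it matches if the source equals its address
 * once the mask bits are cancelled out.  Any applicable matching line allows;
 * there is no deny, so line order does not matter. */
static int ok_address(const struct rule *r, int n, const char *sl_name,
                      unsigned long src)
{
    for (int i = 0; i < n; i++) {
        if (strcmp(r[i].name, "all") != 0 &&
            (sl_name == NULL || strcmp(r[i].name, sl_name) != 0))
            continue;                       /* line is for another process */
        if ((src & ~r[i].mask) == (r[i].addr & ~r[i].mask))
            return 1;
    }
    return 0;
}

/* 1 if conf admits src for a process with this SL_NAME (NULL if unset),
 * 0 if the library would refuse it, -1 if conf or src is malformed. */
int check_conf(const char *conf, const char *sl_name, const char *src)
{
    struct rule rules[64];
    unsigned long a;
    int n = parse_conf(conf, rules, 64);
    if (n < 0 || parse_quad(src, &a) < 0)
        return -1;
    return ok_address(rules, n, sl_name, a);
}

/* Constructed sample configuration, not the shipped securelib.conf.ex. */
const char *SAMPLE_CONF =
    "# campus class B network and loopback, for every securelib process\n"
    "all     128.199.0.0  0.0.255.255\n"
    "all     127.0.0.0    0.255.255.255\n"
    "# an extra subnet, only for the daemon started with SL_NAME=portmap\n"
    "portmap 192.168.7.0  0.0.0.255\n";

int main(void)
{
    const char *hosts[] = { "128.199.3.4", "127.0.0.1", "192.168.7.9", "10.0.0.1" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-12s ypserv:%d portmap:%d\n", hosts[i],
               check_conf(SAMPLE_CONF, "ypserv", hosts[i]),
               check_conf(SAMPLE_CONF, "portmap", hosts[i]));
    return 0;
}
```

Compile with cc and run; for each sample host it prints 1 (allowed) or 0 (refused) as seen by a daemon started with SL_NAME=ypserv and one started with SL_NAME=portmap, and check_conf returns -1 for a malformed file or address. The constructed "portmap" line shows the per-process scoping: 192.168.7.9 reaches portmap but is refused by ypserv, and no line anywhere in the file can narrow the 128.199 grant once it has been given.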
SHLIB defines the location of Sun's shlib.etc directory as extracted from
the installation tape.  This will almost certainly be "/usr/lib/shlib.etc".

DESTDIR is the directory in which you want the secure library
(libc.so.X.X.X) and the "start" shell script installed.

CONFFILE is the full name of the installed configuration file.  The
Makefile will set compile-time constants indicating the location of the
configuration file, and it will also install "securelib.conf" from the
current directory under the name specified by CONFFILE in the "make
install" step.

The process of building the new shared library uses the Makefile in
/usr/lib/shlib.etc.  Unfortunately, this Makefile assumes that "." is on
your path.  Make sure that this is the case or the make will fail with a
message like "objsort: not found".  Put "." at the end of the path, and
only for the duration of the build: a "." early in root's search path is a
classic way to be tricked into running a planted binary.

Once you have made these changes, type "make install" and everything
should go smoothly.  Typing just "make" will build the new library in the
SHLIB directory, but it will not install it.

CHOOSING APPROPRIATE LOCATIONS:

Two good places for securelib.conf are "/etc" and "/etc/security".  The
advantage of placing it in "/etc/security" is that non-root users will not
be able to determine which Internet addresses are accepted by the sensitive
daemons.  This is an extra measure of security, similar to protecting
/.rhosts.  However, the disadvantage is that use of the secure shared
library is then restricted to root processes only (since only root can read
the configuration file).  If you need non-root processes to use securelib,
or if you do not feel a need to protect the information in the
configuration file, then place the file in "/etc".  Whichever location you
choose, the file must be writable only by root: anyone who can edit it can
add a line admitting their own address.

The location of the library itself is typically "/usr/lib/secure".  There
is no reasonable place to put the library in the Sun file system hierarchy,
so I just invented a new directory.  Since this directory ends up on the
LD_LIBRARY_PATH of daemons running as root, it and the libc.so inside it
must be owned by root and writable by no one else.

REPLACING OR SUPERSEDING THE EXISTING libc LIBRARY IS NOT RECOMMENDED!!!
The intent of this package is to provide an alternate libc that can be used
only on selected server processes (usually servers that are started at boot
time).  The alternate library is selected by setting LD_LIBRARY_PATH before
starting the server.

USING THE ALTERNATE LIBRARY:

Now decide which servers you want to protect.  I personally have chosen
portmap, rpc.pwdauthd, ypserv, and rpc.yppasswdd.  Another possibility is
nfsd, but remember that each packet received by nfsd must be verified by
"_ok_address".  This may have a noticeable impact on NFS performance.

Modify /etc/rc.local so that it starts the daemon with the "start" script.
What I have done locally is put some code at the very beginning of rc.local
to determine if the secure library is available on the system and set an
environment variable accordingly:

    SECURE=""
    if [ -x /usr/lib/secure/start ]; then
        SECURE="/usr/lib/secure/start"
    fi

Now any daemon which I want to protect is started with a line like this:

    $SECURE portmap; echo 'starting rpc port mapper.'

If the shell script does not exist on the machine being booted, then SECURE
will be null and "$SECURE portmap" will expand to merely "portmap".
Remember that the protection applies only to processes actually started
through "start": a daemon restarted by hand without it will silently use
the ordinary libc and accept connections from anywhere.

NOTE TO CUSTOM SHARED LIBRARY BUILDERS:

If you have already built a customized shared library, for example if you
have built a shared library with alternate gethost* routines for name
resolution, you can still use this package.  Just make sure that before you
type "make", the object files for your alternate library are already in
place in SHLIB/tmp.  If the "tmp" subdirectory already exists, then this
package will not recreate it or re-extract libc_pic.a.  However, it WILL
overwrite tmp/accept.o, tmp/recvfrom.o, and tmp/recvmsg.o, and it will add
a line to lorder-sparc (after saving the original in lorder-sparc.orig).

DISCLAIMERS:

IMPORTANT NOTE: THIS LIBRARY DOES NOT GUARANTEE THAT YOUR MACHINE IS
SECURE!!!  This library enhances security---it does not guarantee it.
It can be used to plug several known security holes on machines running
SunOS 4.1 and 4.1.x.

NO WARRANTY:

BECAUSE "securelib" IS DISTRIBUTED FREE OF CHARGE, THERE IS ABSOLUTELY NO WARRANTY PROVIDED, TO THE EXTENT PERMITTED BY APPLICABLE STATE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING, NORTHWESTERN UNIVERSITY, WILLIAM N. LeFEBVRE AND/OR OTHER PARTIES PROVIDE "securelib" "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE "securelib" PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. IN NO EVENT WILL NORTHWESTERN UNIVERSITY, WILLIAM N. LeFEBVRE, AND/OR ANY OTHER PARTY WHO MAY MODIFY AND REDISTRIBUTE "securelib", BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY LOST PROFITS, LOST MONIES, OR OTHER SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH OTHER PROGRAMS) THE PROGRAM, EVEN IF YOU HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR FOR ANY CLAIM BY ANY OTHER PARTY.