Wednesday, 24 May 2017

PWD-based privilege separation

I am often tempted to try out a random github project with:

# mkdir random-repo
# cd random-repo
# git clone http://github.com/random-dude/random-repo .
# ./configure && make
[...]
# emacs hack-on-something.cc
# make
However that is naive from a security standpoint. Makefiles can do just about everything to your workstation, e.g. steal your e-banking credentials from .config/chrome. So, I want sandboxing. And I want it in a way that fuses nicely with the workflow above.

Basing sandbox activation on my shell current working directory seems to work quite nicely. Consider the following:

# id -nu
clefru
# echo $PWD
/home/clefru/devel
# pwdjail-mkdir random-repo
# cd random-repo
$ id -nu
random-repo
$ echo $HOME
/home/clefru/devel/random-repo
$ git clone http://github.com/random-dude/random-repo .
$ ./configure && make
[...]
$ cd ..
# echo $PWD
/home/clefru/devel
# id -nu
clefru
# emacs random-repo/src/file.cc
[...]
Notice:
  • I use pwdjail-mkdir instead of mkdir.
  • Entering a subdir beneath /home/clefru/devel/random-repo enters the sandbox
  • Leaving /home/clefru/devel/random-repo leaves the sandbox
In a nutshell, the sandbox concept gets fused with your working directory. I found this to fit nicely with my established working habits, that is chdir-ing into a project directory when doing work there. Let's look at how this works under the hood.

pwdjail-mkdir creates a sandbox user with its home directory set to the directory it has just created. My shell has a hook within chpwd, that when changing into a (sub-)directory of a sandbox user's home directory, the hook spawns a sub-shell via sudo for that sandbox user. The sub-shell also has a hook within chpwd that quits the sub-shell when the sandbox directory is left via another cd. Before quitting though, the sub-shell records the cd target directory and passes it to the outer shell. The outer shell, that is still hanging within its chpwd hook, grabs this target directory and chdirs into it. This completes the illusion that all of this is transparent.

To clean things up, I use pwdjail's version of rm -Ir named pwdjail-rm-Ir, which also removes the sandbox user. Sharing files between the sandbox user and the master user is done by setting a default ACL on the sandbox home directory. I still get mixed file owners if I happen to create files from within the sandbox and create files from the outside, but luckily with Posix ACLs I don't need an explicit step to fix permissions if the other users happens to access a file.

Grab the code from http://github.com/clefru/pwdjail, run pwdjail-setup and you are good to go. I tested this only with zsh, so make sure you have that installed.

Wednesday, 2 March 2016

Tool to enable Wifi sending for Sony's Alpha cameras

Sony's A6000 has a nice feature to allow it to push images via Wifi. The camera however only does so, if it has been paired with Sony's PlayMemories Windows software. That's a one time thing, also the pairing isn't really a pairing that's strongly enforced anywhere. It's just settings truncated GUID, that the camera will broadcast after connecting to the Wifi Hotspott.

One could just grab a Windows device and do the pairing, however I was curios to see if I can cut out this requirement. And I could! I added sony-guid-setter.c to falk0069's sony-pm-alt repository which crafts non-standard USB packages so that the camera thinks it's pairing with PlayMemories. How this is done is documented in the README.md of falk0069's repo.

Thursday, 14 August 2014

Native SSH relay

Google's Native SSH client for Chrome supports connecting to SSH via a websocket/HTTP protocol. I reverse engineered the protocol from the published source and wrote a NodeJS counterpart. This is useful if you don't want to expose your SSH port to the world, but want to hide it behind HTTP/Websockets, possibly using an additional authentication flow in front.

Thursday, 7 October 2010

Sandboxing Skype

I am in the unfortunate position to have read Silver Needle in the Skype up to PDF page 21, where a successful heap overflow attack makes skype drop to a shell. Since then I decided that I either have to stop using Skype or sandbox it. Since about a year I have been doing the latter, with some bumps in the road, as new versions of Skype needed more files and more sandboxing. However, it worked for me most of the time, and it is time to share the gory details with the world.

The sandbox script can be found at http://gist.github.com/615366, where you can also edit the script.You need to have PulseAudio server running and listening to TCP traffic so that sound can break out of the sandbox. Verify that you have:

load-module module-native-protocol-tcp
in your PulseAudio config. Please review the variable settings to ensure that it fits your setup (DIR,XAUTHORITY,PULSECOOKIE). The sandbox is created for the user invoking the script. This user must have sudo capabilities to call the script. Please note that I have not reviewed the script with respect to security, so do not supply it to untrusted users.

Happy sandboxing. (Thanks to geheimdienst@#haskell-blah for pointing me to gist.github.com)

Monday, 8 March 2010

Using Wave to collaborate on Latex documents

This blog post is a copy of a much nicer PDF version.

I found that Wave could be used as collaborative editor on Latex documents by using a modified export bot and a simple shell script. The exporty2 bot (living at exporty2@appspot.com) allows you to access a wave using access tokens instead of cookie based logins making it easier to fetch those waves using curl. Also the exporty2 bot allows you to export only the text of a Wave using the ``raw'' template.

The raw URL given by the exporty2 bot is pasted into the shell script below. It serves as master wave as it is the document that is latex-ed. Additionally it also lists other resources using the special %FETCHURL tag. These resources are pairs of local name and URL. Curl fetchs these resources and stores it under their local name before the shell scripts runs the usual combination of latex/bibtex/latex. I usually put those %FETCHURL tags below \documentclass.

#!/bin/sh

TITLE="wave-collaboration"
TOKEN=c64e13d340009da7
WAVEID="googlewave.com!w%252BlRomqcgHA"
URL="http://exporty2.appspot.com/export?waveId=$WAVEID&accesstoken=$TOKEN&template=raw"
curl -o $TITLE.tex $URL

DELIMITER="DELIMITER"
FETCHURL=$(grep %FETCHURL $TITLE.tex | sed -e "s/ /$DELIMITER/g")
for i in $FETCHURL
do
  URL=$(echo $i | awk -F$DELIMITER '{ print $3 }')
  FILENAME=$(echo $i | awk -F$DELIMITER '{ print $2 }')
  curl -z $FILENAME -o $FILENAME $URL
done
latex $TITLE.tex
bibtex $TITLE
latex $TITLE.tex
dvipdf $TITLE.dvi
The nice thing about the exporty bot is that it ignores any blips except the root blip. Thereby you could add replies to the latex document and have inline discussions that are automatically filtered from the export. Also the exporty bot ignores the first line of the wave, so you can name the Wave properly.

The PDF version of this blog post contains examples how to use external graphics and bibliography waves. You can also get the latex source of the PDF.