Download Shareware and Freeware Software for Windows, Linux, Macintosh, PDA

line Home  |  About Us  |  Link To Us  |  FAQ  |  Contact

Serving Software Downloads in 976 Categories, Downloaded 30.066.958 Times

stephanie 3.0

  Date Added: October 22, 2010  |  Visits: 811

stephanie

Report Broken Link
Printer Friendly Version


Product Homepage
Download (78 downloads)

stephanie is a program for hardening OpenBSD for multiuser environments. Mmmmm, OpenBSD. Functional, secure, free. With an emphasis on security and integrated cryptography, it carries an excellent reputation for plain old "you-just-cant-hack-this-ness". Not perfect, but nothing is, at least theyre not wearing suits and lying to you. There are a few roles where i believe OpenBSD fits perfectly. One of these is in multiuser environments, where you have large numbers of possibly malicious users with local access. Here the OpenBSD teams commitment to auditing and fixing code provides a level trust in the environment which is hard to find elsewhere. Also, their efforts to provide integrated cryptography means setting up secure access is easy. So, lets take advantage of the freely available source and tailor it to our specific needs. Details: In Phrack 54, route|Mike Schiffman wrote a series of patches for OpenBSD 2.4 for Trusted Path Execution (TPE). Stephanie brings a modified version of these up to speed for OpenBSD 2.8 - 3.0, along with some additional features. A trusted path is one where the parent directory is owned by root and is neither group or other writeable. The TPE works off an internal list of trusted user ids. If a given user tries to execute a file not in a trusted path, and their user id is not in the kernels trusted list, they are denied execution privileges. In real terms, this means they cant download, compile and run krad-sploit.c. In addition to the TPE, a series of privacy patches came along too. Originally supplied as patches for the individual utilities, these are now implemented through kvm(3), and honour trusted users (ie, trusted users are allowed to see all system information). As a practical example, this means that untrusted users will only be able to see information about processes they own, and the stat tools (netstat, iostat, vmstat, etc) will generally be broken for them. It has been pointed out that by going through trying to kill every possible process id you can find other users processes, but you cant really gain any information on them, so this is not really a great concern. The original TPE patches had one known way of bypassing the execution restrictions, which was using shell redirection to allow arbitrary interpreted language scripts to be run (perl, sh, etc). This has been fixed up, but could possibly be a big pain in the ass, so please pay attention. When an interpreter is invoked, like most things, it creates a new process group with a job count of one. When a series of commands are connected via the | character on the command line, all the commands belong to the same process group and the job count represents the number of commands eg ps -ax | grep something | awk {print $1} has a job count of three, and the ps, grep and awk processes all belong to the same process group. The one exception to this is when a user logs in, where we find their shell has its job count set to zero. So how can we use this to prevent shell redirection for a given set of programs? We need to be able to distinguish between ordinary commands and interpreters. At the moment this is done by setting the immutable flag on them. So, in kern_exec(), if we find an untrusted user executing something with the immutable flag set and a job count greater than zero, we flag the process as being potentially dodgy. Then in other system calls we disallow read()ing from fd 0 (stdin) and things like dup2(0, n) if the process has been flagged. There are two main disadvantages to this. First is the system will need to be brought down to single user mode if the interpreter needs to be patched, and secondly, people will have a hard time suing to an untrusted user. Of course, when a user has shell, they can still type any commands that could otherwise be placed in a shell script, but at the least, this will raise the bar a bit. Finally, Stephanie brings restricted symbolic links, ala the openwall patches for linux. As time permits, im still working on adding additional features, and will add bits of the openwall stuff i like. The basic goal is to add an extra layer of security without being a monumental pain in the ass to legitimate users, so some things wont be there. I havent added the additional hard link restrictions of the openwall patch, but will do something about this later as time permits. Installing: Step by step instructions are presented in the install guide which comes with the source. Read it all first, but its reasonably straight forward. It would be a good idea to read the original article (local copy) if you havent already. Its distributed under the original two clause BSD license, mess with it all you want, but dont get cranky at me if it breaks something. You can also read the tpe_adm(8) man page online..

Requirements: No special requirements
Platforms: Linux
Keyword: Job Miscellaneous Openbsd Process Security Stephanie Tpe Trusted User Users
Users rating: 0/10

License: Freeware Size: 14.34 KB
STEPHANIE RELATED
File Security  -  WinUtilities Process Security 1.232
WinUtilities Process Security is a powerful Task Manager shows all active processes on your computer. You can easily recognize the endangering potential of each process. No other Task Manager or Process Viewer has this feature. Furthermore you can...
1.56 MB  
Database Tools  -  PersonalDB 0.90
PersonalDB is background process that provides access for multiple users to individual SQL databases. The SQL database provides a central internet accessible datastore for a variety of applications. In particular, the database can be used as a...
133.12 KB  
Utilities  -  Zombie Workstation 0.1
Improve network security by automatically logging off users that forget to log out and save money and the environment by automatically shutting down computers after hours.
930 KB  
Virus Removers  -  AVG Anti-Spyware Free 7.5.0.50
Our simple, easy-to-use solutions have made AVG one of the most well-known names in Internet security for home and business users with comprehensive protection against viruses, spyware, spam, and Trojans. AVG Anti-Virus, Anti-Spyware and Firewall...
6.16 MB  
Virus Removers  -  Emsisoft Commandline Scanner 5.1.0.2
For system administrators, security experts, and experienced commandline users. Check your system for malware infection with the Commandline Scanner. It includes all functions of the Anti-Malware scanner and both the top scan engines (Emsisoft...
104 MB  
Communication Tools  -  VooDoo cIRCle 1. 1. 1940
VooDoo cIRCle is an IRC (ro)bot, scriptable, SSL support, FileSystem, BotNet, advanced security rights for each user. Under Windows, it can be run as Windows service, so it starts up when computer wakes up from restart. Also runs under *NIX....
16.6 MB  
Utilities  -  Securizant Linux Project 1.0.1
The Securizant Linux Project aims to develop a linux distribution for the security-aware Linux power user. The focus will be to provide a small, core Linux distribution best suited for those who like to roll their own application software.
10.24 KB  
Productivity  -  3 Super Safe 1.10
***3 3G / 4G LTE *** 3 Super Safe ,),?33 Super Safe ,) 3 Super Safe : > ,,, > ,) > , : GPS Fixmo Inc. ***This service is only applicable for 3HK -...
16.6 MB  
Productivity  -  Law Enforcement Edition MobileCamViewer 1.6
This client is specifically made for Law Enforcement and Public Safety. The screens and menus are with dark color to support the covert operations of police, detectives, homeland security, and other security professional. PTZ control User...
1024 KB  
Reference  -  ECI Voters 1.0.0.0
Voters registration application can be used by Indian Citizens (Resident and Non Resident) to register themselves as a voter in the electoral roll and take part in the Indian electoral process. This application allows a user to submit the...
1024 KB  
NEW DOWNLOADS IN LINUX SOFTWARE, SECURITY TOOLS
Linux Software  -  Polling Autodialer Software 3.4
ICTBroadcast Auto Dialer software has a survey campaign for telephone surveys and polls. This auto dialer software automatically dials a list of numbers and asks them a set of questions that they can respond to, by using their telephone keypad....
488 B  
Linux Software  -  Total Video Converter Mac Free 3.5.5
Total Video Converter Mac Free developed by EffectMatrix Ltd is the official legal version of Total Video Converter which was a globally recognized brand since 2006. Total Video Converter Mac Free is a free but powerful all-in-one video...
17.7 MB  
Linux Software  -  Skeith mod_log_sql Analyzer 2.10beta2
Skeith is a php based front end for analyzing logs for Apache using mod_log_sql.
47.5 KB  
Linux Software  -  SLAX 6.0+
Slax is a modern, portable, small and fast Linux operating system with a modular approach and outstanding design. Despite its small size, Slax provides a wide collection of pre-installed software for daily use, including a well organized graphical...
190 KB  
Linux Software  -  GTK+ 2.5
GTK+, which stands for the GIMP Toolkit, is a library for creating graphical user interfaces for the X Window System. It is designed to be small, efficient, and flexible. GTK+ is written in C with a very object-oriented approach. Language bindings...
60 MB  
Security Tools  -  Free AntiSpyware 7.2.5
As powerful and professional anti-spyware software, Free AntiSpyware has ability to detect & stop the latest and most malicious programs that are doing harm to your computer and breaking your privacy. This free spyware remover software helps...
128.08 MB  
Security Tools  -  paraproxy 1.1
paraproxy is a supplement library for paramiko which adds support for SSH2 proxy commands. #md5=0c7041e8d2d7e49b09df526bba3efb28 #md5=1fbb4f888f40a01439ff27458c6210eb #md5=493c0f426e376427c30f3f39ebc8dac1
20.48 KB  
Security Tools  -  pam_smxs 1.6
pam_smxs is a PAM module that authenticates a user using challenge-response. All tokens that support ANSI X9.9 are currently supported and it provides full support for CryptoCard RB1 tokens.
522.24 KB  
Security Tools  -  DoudouLinux 2011-11
DoudouLinux [1] is a system specially designed for children to make computer use as easy and pleasant as possible for them (and for their parents too! [2]). DoudouLinux provides tens of applications that suit children from 2 to 12 years and tries...
964.17 MB  
Security Tools  -  django-auth-ldap 1.0.19
This authentication backend enables a Django project to authenticate against any LDAP server. To use it, add django_auth_ldap.backend.LDAPBackend to AUTHENTICATION_BACKENDS. It is not necessary to add django_auth_ldap to INSTALLED_APPLICATIONS...
30.72 KB