|
Lines 969-974
Link Here
|
| 969 |
# return |
969 |
# return |
| 970 |
# exit |
970 |
# exit |
| 971 |
</verb> |
971 |
</verb> |
| 972 |
|
972 |
|
|
|
973 |
<sect1> |
| 974 |
<heading>What is a sandbox?</heading> |
| 975 |
|
| 976 |
<p>"Sandbox" is a security term. It can mean two things: |
| 977 |
|
| 978 |
<itemize> |
| 979 |
<item> |
| 980 |
<p>A process which is placed inside a set of virtual walls |
| 981 |
that are designed to prevent someone who breaks into the |
| 982 |
process from being able to break into the wider system. |
| 983 |
|
| 984 |
<p>The process is said to be able to "play" inside the |
| 985 |
walls. That is, nothing the process does in regards to |
| 986 |
executing code is supposed to be able to breech the walls |
| 987 |
so you do not have to do a detailed audit of its code to |
| 988 |
be able to say certain things about its security. |
| 989 |
|
| 990 |
<p>The walls might be a userid, for example. This is the |
| 991 |
definition used in the security and named man pages. |
| 992 |
|
| 993 |
<p>Take the 'ntalk' service, for example (see |
| 994 |
/etc/inetd.conf). This service used to run as userid |
| 995 |
root. Now it runs as userid tty. The tty user is a |
| 996 |
sandbox desiegned to make it more difficult for someone |
| 997 |
who has successfully hacked into the system via ntalk from |
| 998 |
being able to hack beyond that user id. |
| 999 |
</item> |
| 1000 |
|
| 1001 |
<item> |
| 1002 |
<p>A process which is placed inside a simulation of the |
| 1003 |
machine. This is more hard-core. Basically it means that |
| 1004 |
someone who is able to break into the process may believe |
| 1005 |
that he can break into the wider machine but is, in fact, |
| 1006 |
only breaking into a simulation of that machine and not |
| 1007 |
modifying any real data. |
| 1008 |
|
| 1009 |
<p>The most common way to accomplish this is to build a |
| 1010 |
simulated environment in a subdirectory and then run the |
| 1011 |
processes in that directory chroot'd (i.e. "/" for that |
| 1012 |
process is this directory, not the real "/" of the |
| 1013 |
system). |
| 1014 |
|
| 1015 |
<p>Another common use is to mount an underlying filesystem |
| 1016 |
read-only and then create a filesystem layer on top of it |
| 1017 |
that gives a process a seemingly writeable view into that |
| 1018 |
filesystem. The process may believe it is able to write |
| 1019 |
to those files, but only the process sees the effects |
| 1020 |
‐ other processes in the system do not, necessarily. |
| 1021 |
|
| 1022 |
<p>An attempt is made to make this sort of sandbox so |
| 1023 |
transparent that the user (or hacker) does not realize |
| 1024 |
that he is sitting in it. |
| 1025 |
</item> |
| 1026 |
</itemize> |
| 1027 |
|
| 1028 |
<p>UNIX implements two core sanboxes. One is at the process |
| 1029 |
level, and one is at the userid level. |
| 1030 |
|
| 1031 |
<p>Every UNIX process is completely firewalled off from every |
| 1032 |
other UNIX process. One process can modify the address space |
| 1033 |
of another. This is unlike Windows where a process can easily |
| 1034 |
overwrite the address space of any other, leading to a crash. |
| 1035 |
|
| 1036 |
<p>A UNIX process is owned by a patricular userid. If the |
| 1037 |
userid is not the root user, it serves to firewall the process |
| 1038 |
off from processes owned by other users. The userid is also |
| 1039 |
used to firewall off on-disk data. |
| 1040 |
|
| 973 |
</sect> |
1041 |
</sect> |