Comments (39)
`opensnitchd` will be a C++ daemon, running as root with the main logic. It'll fix this.
We're in 2017 now. There's little excuse to start new projects in C++ instead of Rust, especially if they're security critical.
from opensnitch.
jk, I'd love to have the time :(
from opensnitch.
I'll repost this here, just to have more feedback :)
Future Plan
- `opensnitchd` will be a C++ daemon, running as root with the main logic. It'll fix this.
- `opensnitch-ui` python (?) UI running as normal user, getting the daemon messages. Will fix this.
- `opensnitch-ruleman` python (?) UI for rule editing.
Questions
- What is the best IPC method in this case? I mean, if the daemon just creates a unix socket readable and writable by any user, any third party malicious software could access it and simply `ACCEPT` every packet ... dbus? No idea how it works honestly.
- What's the best way in your opinion to keep all the involved/interested developers in sync and let them communicate without using github issues? Mailing list? Slack? Pigeons?
from opensnitch.
It's your project, you can do whatever you want with it of course, but in case it's at all helpful here are some possibly useful/interesting links:
from opensnitch.
guys I just created a private Telegram channel for devs, where can I send you guys the invitation link?
from opensnitch.
No, it's not. For now, I'd rather just have a devs-only private channel, we're not ready to have a public chan with thousands of ppl asking for support :P
from opensnitch.
I would highly suggest going with dbus for IPC. It comes with a fully fledged SASL implementation for authentication, it's present on all distros and in wide use.
Don't re-invent the wheel :)
from opensnitch.
Definitely no intention of reinventing the wheel, it's just a matter of choosing the right wheel and how to use it. 🙂
I was unaware that dbus provided the authentication we need. How does it prevent other [malicious] processes from messaging a certain interface?
from opensnitch.
@nmindz No, because if I'm user `evilsocket` and I get infected with malware, the malware will run with my user, therefore with my group.
from opensnitch.
Why are we still talking about polkit? Once IPC and authentication are implemented (correctly), the UI env. will not matter as OpenSnitch will be able to have different clients/UIs in different technologies.
Let's stop this here, no need for polemics at this stage of development.
from opensnitch.
Cheers everyone,
what is the state of this project? Is the separation still in planning? If so, I would be happy to support. 👍
from opensnitch.
@holderbaum The state is slow and steady. Neither I nor @evilsocket has had much time to work on this recently but I think we are both motivated to do it when there is time.
I have been working towards this for some time and it's almost there.
Lots of things have been logically separated already and we are using a bit of poor-man's "IPC".
As you can see in https://github.com/evilsocket/opensnitch/tree/master/opensnitch/ui all the ui code is now self-contained and separated.
The only place where this code is referenced outside of the ui directory is here: https://github.com/evilsocket/opensnitch/blob/master/opensnitch/snitch.py#L88
And here is our poor-man's IPC: https://github.com/evilsocket/opensnitch/blob/master/opensnitch/ui/app.py#L46 https://github.com/evilsocket/opensnitch/blob/master/opensnitch/ui/dialog.py#L177
Here is what we need to do to get there:
We need to get things running as a non-root user to use the dbus session bus.
Using the System Bus is out of the question for now since it needs to be provided by a .service file on systemd based distros (which is great for us since it solves the issue of some malware impersonating opensnitch).
This would seriously hinder any development.
I was trying to use http://man7.org/linux/man-pages/man1/capsh.1.html to accomplish this but could not get it to work properly. If someone is more successful than me with this tool I think that is the ideal solution.
In the meantime I have started implementing a ctypes based capability interface.
If anyone else feels like they have more time than me with this, here are the caps we need to run: `cap_net_raw,cap_dac_override,cap_net_admin`.
After that it's "just" a matter of switching out these hacks with futures and Qt signals for dbus messages.
This should give you a pretty good image of where we are currently.
Sorry for the wall of text :)
from opensnitch.
There has been some solid progress in https://github.com/evilsocket/opensnitch/tree/dbus-ipc \o/
Things are mostly working though not thoroughly tested yet.
There are some minor remaining issues to iron out like implementing more error handling, transparently reconnecting the ui in case the daemon gets restarted and so on.
#65 has also been fixed in that branch :)
from opensnitch.
Isn't this pretty much what Polkit is for?
See also https://news.ycombinator.com/item?id=14252265
from opensnitch.
@voltagex Polkit is also for running GUI apps as root, which is what is being advocated against here. Privilege separation is probably the cleanest approach.
from opensnitch.
In response to your questions:
- Probably making the socket writable by a group, and then users that are allowed to control the daemon should be members of that group. That doesn't exclude malicious apps though, but I can't think of anything. This'll probably require some research.
- GitHub issues tend to work the best for projects of this size and age (a mailing list is a bit unfriendly to some, and you might keep people off by it, TBH). Pigeons won't scale if you have remote developers. 😛
from opensnitch.
@hobarrera Mmmm, about 1, from the bottom of my deep ignorance about UI and IPC on GNU/Linux, I was thinking about something like:
- Daemon runs a websocket (or similar streaming protocol) server with authentication on a unix socket.
- Authentication token/credentials are globally stored inside `/etc/opensnitch/auth.conf` or whatever.
- On first run, UI will ask the user for such credentials and use that to authenticate towards the daemon.
from opensnitch.
> On first run, UI will ask the user for such credentials and use that to authenticate towards the daemon.
How will the app store this? Or more importantly: what prevents malicious apps from reading what is stored?
A second, interesting, approach, is that the UI has a dedicated user, and is installed as `setuid`. Probably worth some thought, but I might be missing something too.
from opensnitch.
> How will the app store this? Or more importantly: what prevents malicious apps from reading what is stored?
Very good point, secure IPC is a bitch :P
> A second, interesting, approach, is that the UI has a dedicated user, and is installed as setuid. Probably worth some thought, but I might be missing something too.
Dunno, it might cause troubles for packaging and cross distribution compatibility :S
from opensnitch.
Definitely (on both items). Packaging would need to be delicately documented in case that's actually a viable route.
from opensnitch.
Is this channel open to anyone? If so, you can include a link in the README as well. :)
from opensnitch.
DBus will also make it far easier to integrate it into various DEs (e.g. SNI-based systray), communicate with NetworkManager and/or systemd-networkd, have other people/tools interact with opensnitchd, etc.
from opensnitch.
While it doesn't give you a solution to the authentication problem, if you were thinking of using an RPC-style interface you may find Cap'n Proto to be useful. There's apparently a python implementation at https://jparyani.github.io/pycapnp/ and general documentation at https://capnproto.org/index.html
from opensnitch.
@samis I'm not concerned about the protocol, that can be websockets, protobufs over tcp, whatever ... I'm concerned about security, let me explain:
Scenario:
- OpenSnitch is running on /var/path/to/unix.socket which has to be readable by every user (because you don't know which one will start the X session).
- Computer gets infected.
- Malware kills UI, attaches to /var/path/to/unix.socket always responding `allow:*`.
- Malware talks with C&C server.
- Game Over
from opensnitch.
Bonus:
- Malware exploits that socket to gather EoP using OpenSnitch daemon. :D
from opensnitch.
IDEA:
Maybe the UI could be signed somehow, with random keys generated during first boot; the daemon keeps the private key as root (thus protected from users) and verifies whoever connects to the unix socket ... I honestly don't know if this would work ...
from opensnitch.
@evilsocket From your first bullet on the scenario description...
Wouldn't using Polkit and leaving the socket readable only to members of a specific group work and be enough to block alien processes or malware from reading it without elevating privileges first?
from opensnitch.
Think of simple yet effective phishing scenarios like: someone sends you a `.desktop` file disguised as god-knows-what with command execution inside and comm. to CnC
from opensnitch.
For now, the only solution is to have a dedicated user for the UI, and make the UI `setuid`. Then, make the socket-or-whatever writable by that user only.
from opensnitch.
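The check a daemon can make at accept time to enforce "writable by that user only" on the connecting process rather than only on the socket file, as an added example that is not opensnitch code: on Linux the kernel reports the peer's pid/uid/gid through SO_PEERCRED, which an unprivileged same-host process cannot forge (this is also what dbus's EXTERNAL auth relies on), although, as noted earlier in the thread, it cannot tell the real UI from malware running under the same uid. The dedicated UI uid/gid, the socket path and the two verdict words are assumptions; the demo uses a socketpair so it runs without root.

```python
import os
import socket
import struct

# struct ucred { pid_t pid; uid_t uid; gid_t gid; } as filled in by the kernel
# for SO_PEERCRED on an AF_UNIX socket (Linux only).
_UCRED = struct.Struct("3i")


def peer_credentials(conn: socket.socket) -> tuple:
    """Return (pid, uid, gid) of the process at the other end of an AF_UNIX socket.
    These come from the kernel, not from bytes the peer writes, so a peer
    cannot claim to be another user."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size)
    return _UCRED.unpack(raw)


def bind_restricted(path: str, ui_gid: int) -> socket.socket:
    """First layer (file permissions): root-owned socket, connectable only by
    the assumed UI group. Needs root, so the demo below does not call it."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    if os.path.exists(path):
        os.unlink(path)
    srv.bind(path)
    os.chown(path, 0, ui_gid)
    os.chmod(path, 0o660)
    srv.listen(5)
    return srv


def handle_client(conn: socket.socket, ui_uid: int) -> str:
    """Second layer (peer identity): honour a verdict only from the dedicated UI uid."""
    _pid, uid, _gid = peer_credentials(conn)
    if uid != ui_uid:
        conn.close()  # wrong uid: refuse before reading a single byte
        return "refused"
    verdict = conn.recv(64).decode("ascii", "replace").strip()
    # Only the two verdicts the UI may send are accepted; anything else
    # (e.g. a wildcard like "allow:*") is treated as invalid input.
    return verdict if verdict in ("allow", "deny") else "invalid"


def demo(verdict: bytes = b"allow", uid_offset: int = 0) -> str:
    """Constructed exchange: a socketpair stands in for the real listening socket.
    uid_offset != 0 simulates a peer that is not the dedicated UI user."""
    daemon_side, ui_side = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with daemon_side, ui_side:
        ui_side.sendall(verdict)
        return handle_client(daemon_side, os.getuid() + uid_offset)
```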
Mmmm like, I don't know Rust and have no will to learn it in the short term future?
from opensnitch.
> Think of simple yet effective phishing scenarios like: someone sends you a `.desktop` file disguised as god-knows-what with command execution inside and comm. to CnC
That's one of the points of polkit where system-provided policies define what gets executed, whether it requires interactive confirmation/authorization/password input etc.
from opensnitch.
Just read the wikipedia page for polkit, and that made it a bit clearer for me.
So, the flow would be:
- User gets a popup (accept/deny).
- User clicks yes
- polkit jumps up and prompts the user for credentials.
- polkit allows communicating with the daemon and sending the approval
Right?
from opensnitch.
Do you have an example of a desktop application that uses polkit? Nothing in my system that requires it seems to prompt for any permissions under any scenario.
- colord
- gconf
- lib32-polkit
- modemmanager
- polkit-qt5
- rtkit
- udisks2
I also wonder a bit how polkit shows the dialog for prompting the password. Does the lib depend on gtk or something? Are developers responsible for that prompt?
from opensnitch.
> I also wonder a bit how polkit shows the dialog for prompting the password. Does the lib depend on gtk or something? Are developers responsible for that prompt?
The desktop environment is responsible for providing a corresponding agent.
from opensnitch.
@eliasp Also, not a fan of having to run a second daemon for the opensnitch UI to work (my desktop doesn't have any such agent).
@evilsocket I just wanted to really confirm that we didn't have a better alternative to what we picked. :)
from opensnitch.
Something like that? https://github.com/subgraph/fw-daemon
from opensnitch.
Hey! I'd love to know how you solved the problem of a malicious application communicating with the daemon (and accepting every package). Thanks!
from opensnitch.
I did not, the software is simply not done to cover that scenario. If the machine is already compromised, a process running with the same privilege as the UI can just hijack it / kill it / you name it ... this is partially solved by the daemon having its rules independently and running as root, but for connections that do not match any of those rules, it'd have to ask the UI or, if the UI service is not running, it'd just allow that connection by default.
from opensnitch.
The solution would be to start both the daemon and the GUI from a common program that
- Generates a password that the daemon will use to authenticate the GUI
- `fork()`-`exec()`s to start the daemon and the GUI
- The GUI will drop the root privileges immediately
- The GUI will authenticate itself using the shared password (either in every message, or simply at the very beginning if it's connection oriented)
Or, much better, instead of creating a parent starter (as described above), you can simply signal[0] the daemon to fork & exec the GUI, in a similar fashion. This would also allow the daemon to launch interactive prompts (like LittleSnitch).
Hope you'd find this useful. =)
[0]: Either through D-Bus, UNIX signals, a TCP server... whatever suits you best.
from opensnitch.