Security: Best practices, apparmor, -L, -R, -U
Phooraalai
phooraalai at googlemail.com
Tue Jan 7 15:30:53 CET 2014
Hey List, Hey Guus,
I would now like to secure my tinc installation. From the man page I see
the following.
-L
I put EXTRA="-L" in /etc/default/tinc and tinc still works.
-R
Do I have to put libraries and device files under /etc/tinc/NETNAME to
build a functional chroot jail?
Currently lsof reports these open resources for tincd:
lsof -p $( pgrep tincd ) -n
COMMAND PID   USER FD  TYPE DEVICE             SIZE/OFF NODE    NAME
tincd   15136 root cwd DIR  252,0              4096     2       /
tincd   15136 root rtd DIR  252,0              4096     2       /
tincd   15136 root txt REG  252,0              143256   552711  /usr/sbin/tincd
tincd   15136 root mem REG  252,0              97144    32279   /lib/x86_64-linux-gnu/libresolv-2.17.so
tincd   15136 root mem REG  252,0              27048    32283   /lib/x86_64-linux-gnu/libnss_dns-2.17.so
tincd   15136 root mem REG  252,0              52160    32289   /lib/x86_64-linux-gnu/libnss_files-2.17.so
tincd   15136 root mem REG  252,0              1853400  32295   /lib/x86_64-linux-gnu/libc-2.17.so
tincd   15136 root mem REG  252,0              14664    32296   /lib/x86_64-linux-gnu/libdl-2.17.so
tincd   15136 root mem REG  252,0              133160   30517   /lib/x86_64-linux-gnu/liblzo2.so.2.0.0
tincd   15136 root mem REG  252,0              100728   30619   /lib/x86_64-linux-gnu/libz.so.1.2.8
tincd   15136 root mem REG  252,0              1934816  30731   /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
tincd   15136 root mem REG  252,0              149312   32284   /lib/x86_64-linux-gnu/ld-2.17.so
tincd   15136 root 0u  CHR  1,3                0t0      1029    /dev/null
tincd   15136 root 1u  CHR  1,3                0t0      1029    /dev/null
tincd   15136 root 2u  CHR  1,3                0t0      1029    /dev/null
tincd   15136 root 3u  unix 0xffff8800c1d35180 0t0      1316446 socket
tincd   15136 root 4u  CHR  10,200             0t0      1170    /dev/net/tun
tincd   15136 root 5u  IPv4 1315534            0t0      TCP     *:PPP (LISTEN)
tincd   15136 root 6u  IPv4 1315535            0t0      UDP     *:PPP
tincd   15136 root 7u  IPv6 1315536            0t0      TCP     *:PPP (LISTEN)
tincd   15136 root 8u  IPv6 1315537            0t0      UDP     *:PPP
tincd   15136 root 9u  IPv4 1315541            0t0      TCP     XX.XX.XX.XX:PP->XX.XX.XX.XX:PP (ESTABLISHED)
tincd   15136 root 10u IPv4 1315542            0t0      TCP     XX.XX.XX.XX:PP->XX.XX.XX.XX:PP (ESTABLISHED)
tincd   15136 root 11u IPv4 1315543            0t0      TCP     XX.XX.XX.XX:PP->XX.XX.XX.XX:PP (ESTABLISHED)
tincd   15136 root 12u IPv4 1315554            0t0      TCP     XX.XX.XX.XX:PP->XX.XX.XX.XX:PP (ESTABLISHED)
-U
Can I use user nobody, or would it be better to use an extra tincvpn user?
Right now tinc is running as root.
AppArmor? Anybody got a profile?
Or good ideas?
BR
P.
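Added example, not part of the post above: a small POSIX shell script that checks from Linux procfs whether -L, -R and -U actually took effect on a running tincd, instead of only observing that "tinc still works". It assumes a Linux /proc and takes the PID the same way the post does (pgrep tincd); reading /proc/PID/root of a root-owned process requires root.

```shell
#!/bin/sh
# Added example (not from the original post): verify tincd hardening flags
# via /proc. Assumes Linux procfs; PID obtained with `pgrep -x tincd`.

# Real UID of a process, second field of the "Uid:" line in /proc/PID/status.
# With -U the value should be the tinc user's UID, not 0.
proc_uid() {
    awk '/^Uid:/ { print $2 }' "/proc/$1/status"
}

# Kilobytes of locked memory (VmLck). -L calls mlockall(), so this should be
# non-zero once the flag is in effect; a plain daemon shows 0.
proc_vmlck_kb() {
    awk '/^VmLck:/ { print $2 }' "/proc/$1/status"
}

# Root directory as seen by the process. -R should make this the
# /etc/tinc/NETNAME directory rather than "/".
proc_root() {
    readlink "/proc/$1/root"
}

# One-line summary plus a PASS/WARN verdict per flag.
tinc_hardening_report() {
    pid=$1
    uid=$(proc_uid "$pid")
    lck=$(proc_vmlck_kb "$pid")
    root=$(proc_root "$pid")
    printf 'pid %s: uid=%s vmlck=%skB root=%s\n' "$pid" "$uid" "$lck" "$root"
    if [ "$uid" != "0" ];         then echo "-U: PASS (not running as root)"
    else                               echo "-U: WARN running as root"; fi
    if [ "${lck:-0}" -gt 0 ];     then echo "-L: PASS (memory locked)"
    else                               echo "-L: WARN no locked memory"; fi
    if [ "$root" != "/" ];        then echo "-R: PASS (chrooted to $root)"
    else                               echo "-R: WARN not chrooted"; fi
}

# Usage (as root): tinc_hardening_report "$(pgrep -x tincd)"
```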