Thank you. I am aware of 'cat' functions and the like. - So the solution here is not to apply apparmor, but to keep a well constructed root-password, which I have, and there is nobody with access to suid or group or dangerous sticky-bits on my machines, and root is never logged in except for specific necessary tasks, and then logged out again immediately. That should then suffice, and in case of paranoia, I should get into runlevel 1 for root-tasks. - Else, thanks to datenschutz.ch for good password tests.
Sincerely,
sigbj - Norway.
Originally Posted by ab@novell.com
While strings is a neat tool and all, who are you trying to keep from doing
this? /dev/mem is not readable by anybody except root-like users by
default to prevent security issues like this one, but with that said
locking down one application like 'strings' won't completely protect
/dev/mem indefinitely. For example, if I'm a root-group member (or the
root user) I can still 'cat' the entire same thing to a file, move it to a
new system, and run strings there. Alternatively I could even copy the
current system's 'strings' file to 'mystrings' to some other part of the
filesystem and still run it directly against /dev/mem. If you do not
trust somebody to have your WPA password then you should not give them
'root' in any way (user or group).
Good luck.
sigbj wrote:
> With the command
>
> */usr/bin/strings /dev/mem | less*
>
> I am able to read my WPA-PSK password of my router in cleartext.
> Strings can only be run as root. There is a security risk here.
> Immunizing 'strings' with apparmor causes strings not to run as root
> anymore (have tested it), but how is the correct set-up in the apparmor
> here? I do not exactly know how to specifically put it on configuration.
> Maybe it is as simple as the YaST does it, but to be sure.....?
>
> - SuSE Linux 10.0 and SLED10-SP2 on 2 machines. -
>
> Thanks,
> sigbj.
>
>
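The reply's point is that access to /dev/mem is decided by the ownership and mode of the device node, not by which binary does the reading. The following audit sketch illustrates that; it is an added example, not part of either post. The account data, the `readers` function name and the root:root ownership are constructed assumptions, and only mode bits are evaluated, so any further kernel-side restriction is not modelled.

```shell
#!/bin/sh
# Added example. Sample account data is constructed; on a live system take it from
#   stat -c '%a %U %G' /dev/mem ; getent passwd ; getent group
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:100::/home/alice:/bin/bash
bob:x:1001:100::/home/bob:/bin/bash
carol:x:1002:0::/home/carol:/bin/bash'
SAMPLE_GROUP='root:x:0:bob
users:x:100:'

# readers MODE OWNER GROUP PASSWD_TEXT GROUP_TEXT   (hypothetical helper)
# Prints, sorted, every account the mode bits allow to read the node.
readers() {
    owner=$2 group=$3 passwd_db=$4 group_db=$5
    # Keep the last three octal digits: owner, group, other.
    m=$(printf '%s' "000$1" | tail -c 3)
    u=${m%??}; g=${m#?}; g=${g%?}; o=${m#??}
    gid=$(printf '%s\n' "$group_db" | awk -F: -v n="$group" '$1 == n { print $3 }')
    members=$(printf '%s\n' "$group_db" |
        awk -F: -v n="$group" '$1 == n { print $4 }' | tr ',' '\n')
    printf '%s\n' "$passwd_db" | while IFS=: read -r name pw uid pgid rest; do
        [ -n "$name" ] || continue
        if [ "$uid" -eq 0 ]; then
            bits=4                      # uid 0 is not limited by mode bits
        elif [ "$name" = "$owner" ]; then
            bits=$u
        elif [ "$pgid" = "$gid" ] ||
             printf '%s\n' "$members" | grep -qxF "$name"; then
            bits=$g                     # primary or supplementary group member
        else
            bits=$o
        fi
        if [ $((bits & 4)) -ne 0 ]; then echo "$name"; fi
    done | sort
}

# Constructed scenario: the node is owned by root:root, checked under three modes.
for mode in 600 640 644; do
    echo "mode $mode: $(readers "$mode" root root "$SAMPLE_PASSWD" "$SAMPLE_GROUP" | tr '\n' ' ')"
done
```

In the constructed data, bob (supplementary group) and carol (primary gid 0) become readers as soon as the group read bit is set, whatever confinement is applied to one particular tool.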