1 Using Racoon with Privilege Separation 2 Tue Mar 25 16:37:09 MDT 2008 3 4 5Racoon can run in a chroot'd environment. When so instructed, it runs as two 6processes, one of which handles a small number of simple requests and runs as 7root in the full native filesystem, and another which runs as a less 8privileged user in a chroot'd environment and which handles all the other and 9very complex business of racoon. 10 11Because racoon does many complex things there are many opportunities for 12coding errors to lead to compromises and so this separation is important. If 13someone breaks into your system using racoon and you have enabled privilege 14separation, they will find themselves in a very limited environment and unable 15to do much damage. They may be able to alter the host's security associations 16or obtain the private keys stored on that system using file descriptors 17available to the unprivileged instance of racoon, and from there they will be 18able to alter security associations on other hosts in disruptive or dangerous 19ways if you have generate_policy enabled on those hosts. But that's because 20in its current form generate_policy is itself dangerous and requires that you 21trust anyone with the credentials to use it. 22 23They will also be able to execute any scripts you have placed in the scripts 24directory, although racoon will prevent them from mis-using the traditional 25environment variables PATH, LD_LIBRARY_PATH, and IFS. But if you have 26introduced vulnerabilities into your scripts you may want to re-visit them. 27The thing to watch for is blindly trusting the environment variables passed 28in by racoon - assume they could be set to anything by a malicious entity and 29check them for suitability before using them. 30 31All these possibilities are present when privilege separation is not enabled, 32and they are greatly reduced when it is enabled because the resources 33available to the attacker are less. 34 35***** 36 37The basic concept with racoon's privilege separation is that a minimal 38environment containing all the files racoon needs to operate - with the 39exception of private keys, scripts, and system-wide authentication services - 40is placed in a stripped-down copy of the original environment. The private 41keys and scripts are left in the original environment where only the 42privileged instance of racoon will have access to them. 43 44Here are basic instructions for setting up racoon to run with privilege 45separation: 46 47 48First, create a user/group for racoon to run under. For example, user:group 49ike:ike. The account should not have a usable password or real home 50directory, so copy the general format of another system-services type account 51such as 'daemon'. 52 53You already have files in, e.g. /usr/local/etc/racoon - perhaps racoon.conf, a 54certs directory containing certificates, a scripts directory, and other 55miscellaneous files such as welcome messages. Perform the following steps: 56 57cd /usr/local/etc/racoon 58mkdir root 59mv certs root 60mkdir certs 61mv root/certs/*.key certs 62 63If you want to be able to switch back and forth between using and not using 64privsep, do this too: 65 66cd /usr/local/etc/racoon/certs 67for i in ../root/certs/* 68do 69 ln -s $i . 70done 71 72Now root/certs contains certificates and certs contains the keys. The idea is 73that the public certificates are in the chroot'd area 74(/usr/local/etc/racoon/root) and the keys are available only to the privileged 75instance of racoon. 76 77Move any other racoon configuration data into /usr/local/etc/racoon/root, 78with the exception of the scripts directory and racoon.conf. 79 80All the files in /usr/local/etc/racoon/root should be owned by root and the 81ike:ike user you created should not have write access to any directories or 82files (unless you are using something like 'path backupsa', but you get the 83idea). 84 85Create the device nodes: 86 87mkdir root/dev 88 89Do whatever your OS requires to populate the new dev directory with a 90minimal set of devices, e.g. mknod, MAKEDEV, or mount devfs... In freebsd 91this is done by adding a line to /etc/fstab: 92 93devfs /usr/local/etc/racoon/root/dev devfs rw 0 0 94 95and then adding a line like this to /etc/rc.conf: 96 97devfs_set_rulesets="/usr/local/etc/racoon/root/dev=devfsrules_basic" 98 99and then adding the following lines to /etc/devfs.rules: 100 101[devfsrules_basic=10] 102add include $devfsrules_hide_all 103add include $devfsrules_unhide_basic 104 105and then either rebooting or entering "mount -a && /etc/rc.d/devfs start". 106 107When done with that: 108 109mkdir -p root/usr/local/etc 110ln -s ../../../ root/usr/local/etc/racoon 111 112This dummy hierarchy keeps the config file consistent between both copies of 113racoon. Of course, you could actually put the certs directory and any other 114configuration data down in the hierarchy but I prefer to leave it at the root 115and link to it as shown. You may end up with something like this: 116 117root# ls -FC /usr/local/etc/racoon/root 118certs/ dev/ usr/ 119 120root# ls -l /usr/local/etc/racoon/root/usr/local/etc 121lrwxr-xr-x 1 root wheel 9 Mar 7 22:13 racoon -> ../../../ 122 123root# ls -FC /usr/local/etc/racoon/root/usr/local/etc/racoon/ 124certs/ dev/ usr/ 125 126Presumably your racoon.conf already contains something like: 127 128path certificate "/usr/local/etc/racoon/certs"; 129path script "/usr/local/etc/racoon/scripts"; 130 131If so, great. If not, add them. Then, finally, add the privsep section: 132 133privsep { 134 user "ike"; 135 group "ike"; 136 chroot "/usr/local/etc/racoon/root"; 137} 138 139Apply the patches posted to the list and rebuild racoon (the patches will be 140incorporated into the release subsequent to the date of this memo, so if you 141use that or a later release you can skip this step). 142 143Restart racoon and hopefully things will work. As of the date of this memo, 144re-loading the configuration file with racoonctl will not work with privsep 145enabled. However, the problem is not insurmountable and if you figure it out 146let us know. 147 148I have not tested privsep with many of racoon's features such as XAUTH or 149scripts, so if you have trouble with them and work anything out please reply 150to the list so that your discoveries may be incorporated into this document. 151 152Last modified: $Date: 2008/03/28 04:18:52 $ 153