| Author | Date |
|---|---|
| Colman Reilly | Jul 5, 1997 3:43 am |
| Adam Shostack | Jul 5, 1997 8:17 am |
| Colman Reilly | Jul 5, 1997 2:33 pm |
| Jordan K. Hubbard | Jul 5, 1997 4:47 pm |
| Christopher Petrilli | Jul 6, 1997 11:27 am |
| Jonathan M. Bresler | Jul 6, 1997 2:50 pm |
| Brian Mitchell | Jul 6, 1997 3:20 pm |
| Jonathan M. Bresler | Jul 6, 1997 5:13 pm |
| Colman Reilly | Jul 7, 1997 1:45 am |
| Duane H. Hesser | Jul 7, 1997 7:48 am |
| Robert N Watson | Jul 7, 1997 10:08 am |
| Brian Mitchell | Jul 7, 1997 10:58 am |
| Adam Shostack | Jul 7, 1997 11:03 am |
| Sean Eric Fagan | Jul 7, 1997 11:37 am |
| Robert N Watson | Jul 7, 1997 11:46 am |
| Jonathan M. Bresler | Jul 7, 1997 11:53 am |
| Robert Watson | Jul 7, 1997 1:04 pm |
| Kenneth Stailey | Jul 7, 1997 1:05 pm |
| Brian Mitchell | Jul 7, 1997 1:38 pm |
| pro...@suburbia.net | Jul 7, 1997 2:29 pm |
| Jim Shankland | Jul 7, 1997 3:46 pm |
| Daniel O'Callaghan | Jul 7, 1997 4:20 pm |
| Mark Newton | Jul 7, 1997 4:47 pm |
| Adam Shostack | Jul 7, 1997 5:58 pm |
| Adam Shostack | Jul 7, 1997 6:09 pm |
| Poul-Henning Kamp | Jul 7, 1997 11:10 pm |
| Robert Watson | Jul 8, 1997 8:45 am |
| Robert Watson | Jul 8, 1997 8:58 am |
| Colman Reilly | Jul 8, 1997 12:33 pm |
| Ollivier Robert | Jul 8, 1997 1:20 pm |
| George Robbins | Jul 8, 1997 1:59 pm |
| Mark Newton | Jul 8, 1997 5:29 pm |
| Robert Watson | Jul 9, 1997 9:09 am |
| Eivind Eklund | Jul 9, 1997 9:57 am |
| David Holland | Jul 9, 1997 3:09 pm |
| Wes Peters | Jul 9, 1997 10:07 pm |
Subject: Re: Security Model/Target for FreeBSD or 4.4?
From: Adam Shostack (ad...@homeport.org)
Date: Jul 7, 1997 11:03:25 am
I brought up the idea of doing this on the openbsd list. We agreed that there wasn't a clean way to do it. I'm experimenting with ways of doing it, leaning towards a sysctl controlled list of (port, gid) pairs. I don't know of anyone who has implemented it.
The overhead should be pretty minimal.
I chose not to depend on files, which is ugly, but not so ugly as having the kernel depend on files during startup.
The other thought that has occurred to me, but I expect it to be more expensive, is to use a packet filter with NAT capabilities to translate port bindings to high numbers for appropriate daemons. Since this has a per packet hit, I expect it to be very expensive on an ongoing basis.
Robert N Watson wrote:
| I've heard that OpenBSD now has a feature to allow non-root users to bind
| to <1024 ports. It would be nice to see something similar to that under
| FreeBSD -- half the daemons (not a verified figure) that run as root
| probably don't need root access, except to bind to the port (named,
| sendmail, web servers, etc.) I believe the OpenBSD implementation just
| gives this access to the daemon user (or something to that extent? Would
| love details), but perhaps we could go for something a little more
| sophisticated if it doesn't up the overhead too much on the kernel? A
| limited list of (port, user) (say a max of 64, except as configured in the
| kernel), and if the bind() call matches this for TCP, allow the program to
| bind, for example. An appropriate root-owned file (/etc/rc.conf?) could
| define those permissions in an ipfirewall-style setup, running early in
| the rc sequence.
|
| This would potentially open up more holes as extra configuration files
| have to be monitored, and add more overhead on bind() calls, not to
| mention adding a configuration mechanism, but not suffering from the
| numerous problems involving daemons running as root (without having to
| rewrite all the daemons) would be nice. Even the single-user
| unconfigurable approach (root and daemon can bind) would be better than
| nothing.
|
| Just a thought..
|
| Robert Watson
--
He has erected a multitude of new offices, and sent hither swarms of officers to harrass our people, and eat out their substance.
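The following is an added illustration of the mechanism discussed in this message, written for this page; it is not code from the thread, from FreeBSD, or from OpenBSD. It models the sysctl-controlled list of (port, gid) pairs that Adam Shostack describes, combined with the 64-entry cap and the "match at bind() time" check from Robert Watson's quoted note: a process may bind a reserved port (below 1024) if it is root, or if one of its group ids is paired with that port in the table; any other reserved-port bind is refused, and binds to unreserved ports keep their normal semantics. The names (`privport_add`, `privport_bind_allowed`, `PRIVPORT_MAX_ENTRIES`, the `cred` struct) and the decision to reject non-reserved ports at configuration time are assumptions made for the example; only `IPPORT_RESERVED` is a real BSD constant. The example goes slightly beyond the text by checking supplementary groups, not just the primary gid.

```c
/* Added example: a model of a (port, gid) privileged-port table as proposed
 * in this thread. Not FreeBSD or OpenBSD code; identifiers are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define IPPORT_RESERVED      1024  /* ports below this require privilege (BSD constant) */
#define PRIVPORT_MAX_ENTRIES 64    /* cap taken from the quoted proposal; assumed name */
#define CRED_MAX_GIDS        16    /* small fixed group list for the model */

struct privport_entry { unsigned port; unsigned gid; };

/* The table a sysctl would populate: a bounded array plus a fill count. */
struct privport_table {
    struct privport_entry ent[PRIVPORT_MAX_ENTRIES];
    size_t n;
};

/* The credential the kernel would consult: effective uid and group list. */
struct cred {
    unsigned uid;
    unsigned gids[CRED_MAX_GIDS];
    size_t ngids;
};

/* Simulated sysctl setter. Returns 0 on success, -1 on a rejected update.
 * Port 0 (meaning "any port" in bind()) and unreserved ports are refused so
 * that the table can only ever widen access to reserved ports. */
int privport_add(struct privport_table *t, unsigned port, unsigned gid)
{
    if (port == 0 || port >= IPPORT_RESERVED)
        return -1;
    for (size_t i = 0; i < t->n; i++)          /* duplicate pair: idempotent no-op */
        if (t->ent[i].port == port && t->ent[i].gid == gid)
            return 0;
    if (t->n >= PRIVPORT_MAX_ENTRIES)          /* table full */
        return -1;
    t->ent[t->n].port = port;
    t->ent[t->n].gid  = gid;
    t->n++;
    return 0;
}

/* The check that would sit in the bind() path. A false result corresponds to
 * the EACCES the kernel already returns for an unprivileged reserved-port bind. */
bool privport_bind_allowed(const struct privport_table *t,
                           const struct cred *c, unsigned port)
{
    if (port >= IPPORT_RESERVED)
        return true;                            /* unreserved: unchanged semantics */
    if (c->uid == 0)
        return true;                            /* root keeps the traditional right */
    for (size_t i = 0; i < t->n; i++) {
        if (t->ent[i].port != port)
            continue;
        for (size_t g = 0; g < c->ngids; g++)   /* any matching group grants the bind */
            if (c->gids[g] == t->ent[i].gid)
                return true;
    }
    return false;
}

int main(void)
{
    struct privport_table t = {0};
    privport_add(&t, 80, 80);                   /* constructed: web server group may bind 80 */
    privport_add(&t, 53, 53);                   /* constructed: name server group may bind 53 */

    struct cred www  = { .uid = 1000, .gids = {1000, 80}, .ngids = 2 };
    struct cred root = { .uid = 0,    .gids = {0},        .ngids = 1 };

    printf("www  -> 80:   %d\n", privport_bind_allowed(&t, &www, 80));
    printf("www  -> 53:   %d\n", privport_bind_allowed(&t, &www, 53));
    printf("www  -> 8080: %d\n", privport_bind_allowed(&t, &www, 8080));
    printf("root -> 53:   %d\n", privport_bind_allowed(&t, &root, 53));
    printf("add 2000/80:  %d\n", privport_add(&t, 2000, 80));
    return 0;
}
```

The table is bounded and checked with a linear scan, which is the "pretty minimal" overhead the message anticipates: the cost is paid once per bind(), not per packet as the NAT alternative would. Because the setter refuses ports at or above 1024, a misconfigured sysctl cannot affect anything except the reserved range it is meant to delegate.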