Date:      Mon, 16 Nov 1998 22:27:16 -0800 (PST)
From:      Matthew Dillon <dillon@apollo.backplane.com>
To:        Matthew Dillon <dillon@apollo.backplane.com>
Cc:        Warner Losh <imp@village.org>, Andre Albsmeier <andre.albsmeier@mchp.siemens.de>, Matthew Dillon <dillon@apollo.backplane.com>, freebsd-security@FreeBSD.ORG
Subject:   Re: Would this make FreeBSD more secure? 
Message-ID:  <199811170627.WAA24375@apollo.backplane.com>
References:  <19981116081640.A2304@internal>  <19981116072937.E969@internal> <19981115192224.A29686@internal> <19981115161548.A23869@internal> <199811151758.JAA15108@apollo.backplane.com> <19981115192224.A29686@internal> <199811152210.PAA01604@harmony.village.org> <19981116072937.E969@int  <199811161842.LAA05020@harmony.village.org> <199811161941.LAA21747@apollo.backplane.com>

    Ok, here's a limited updated proposal.  I've tested everything
    except the proposed lpd changes.

    This proposal covers three major daemons and moves 6 root or
    suid root programs away from root.  I think this is quite 
    significant.

    (1) 

	Add a 'kmem' and 'tty' dummy user to master.passwd.

	Adjust inetd.conf to run identd and ntalkd using the new dummy
	users to sandbox the kmem and tty group rights required.

	This also involves removing the getuid() test in talkd.c

    (2) 

	Add a 'bind' user and a 'bind' group to master.passwd

	Use bind-8's -u and -g features to run named as bind:bind
	in the default rc.conf:

	    named_flags="-u bind -g bind"

	(Or find a way to figure out whether this uid/gid exists
	and use the options or not use the options based on that,
	which is more compatible with prior installations but adds
	complexity that will quickly become stale.  I suggest simply
	making it the default in the CVS tree).

	Caveat: in a multi-interface situation, with an interface 
	that is brought up later, and so forth, named will not
	be able to automatically rebind and must be restarted.

	(Also ensure that named.conf is either group-bind-readable or
	world readable).

	However, I consider this a major, major improvement in 
	security.  I think it's worth the hassle.

    (3)

	Add the 'lpd' user and 'lpd' group to master.passwd.

	Fix lpd.  lpd runs as root, and lpq and lprm are suid.
	Have lpd bind and setuid()/setgid() itself, have 
	lpq and lprm be setuid() to the lpd user.


			USER and GROUP IDs

    I suggest:

	uid 4 for user 'tty'

	uid 5 for user 'kmem' (group kmem is uid 2, but 
	the operator user already uses that user id so
	let's use uid 5, which is the operator group, 
	for kmem).

	uid 53 for user bind, uid 53 for group bind

    Additionally, I suggest the discussion and addition of
    users and groups for other sandboxes:

	smtp		for mail systems (future sendmail
			sandbox).

	www		for www systems.

	others?

    Once these changes are in, we would continue the discussion
    on how to deal with other root-run programs, including
	xterm, xlock, sendmail, screen, and other worrisome
    programs.

				    -Matt

    Matthew Dillon  Engineering, HiWay Technologies, Inc. & BEST Internet 
                    Communications & God knows what else.
    <dillon@backplane.com> (Please include original email in any response)    
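The "bind the privileged port first, then setuid()/setgid() to a dedicated user" pattern proposed above for lpd (and what bind-8's -u/-g flags do internally for named), written out as an added example in POSIX C. This is not code from the e-mail or from FreeBSD's lpd; the port and the target uid/gid are placeholders (a real daemon would look the 'lpd' user up with getpwnam() and use port 515), and the program defaults to port 0 and its own uid/gid so it can be run unprivileged.

```c
/* Added example, not from the original e-mail or from FreeBSD's lpd:
 * a root daemon binds its listening socket while privileged, then
 * permanently drops to an unprivileged uid/gid and verifies the drop. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* for setgroups() on glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Open, bind and listen on a TCP socket on `port` (loopback only, for the
 * demo) while still privileged.  Returns the descriptor or -1 on failure. */
int bind_listener(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 ||
        listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permanently drop to uid/gid.  Order matters: the supplementary group
 * list and the gid must be changed while we are still root, because after
 * setuid() we no longer have permission to change them.  Each call is
 * checked; a silently failed setuid() would leave the daemon running as
 * root.  Returns 0 on success, -1 with errno set otherwise. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) < 0)
        return -1;
    if (setgid(gid) < 0)
        return -1;
    if (setuid(uid) < 0)
        return -1;
    return 0;
}

/* Verify that the drop actually took: real and effective ids match the
 * target and, unless the target is root itself, root cannot be regained.
 * Returns 1 when fully dropped, 0 otherwise. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0 && setuid(0) == 0)   /* must fail with EPERM */
        return 0;
    return 1;
}

int main(void)
{
    /* Placeholders: a real lpd would use getpwnam("lpd")->pw_uid/pw_gid
     * and port 515.  Port 0 and our own ids let this run without root. */
    uid_t target_uid = getuid();
    gid_t target_gid = getgid();
    int fd = bind_listener(0);
    if (fd < 0) {
        perror("bind_listener");
        return 1;
    }
    if (drop_privileges(target_uid, target_gid) < 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("listening on fd %d, privileges dropped: %s\n", fd,
           privileges_dropped(target_uid, target_gid) ? "yes" : "no");
    close(fd);
    return 0;
}
```

The point of privileges_dropped() is the same one the proposal relies on for named and lpd: once setuid() has replaced the real, effective and saved uids, the process holds only the open socket descriptor and nothing from root, so a later compromise of the daemon is confined to what the 'lpd' (or 'bind') account can reach.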

