Date: Mon, 16 Nov 1998 11:01:23 -0800 (PST) From: Matthew Dillon <dillon@apollo.backplane.com> To: Warner Losh <imp@village.org> Cc: Andre Albsmeier <andre.albsmeier@mchp.siemens.de>, freebsd-security@FreeBSD.ORG Subject: Re: Would this make FreeBSD more secure? Message-ID: <199811161901.LAA21634@apollo.backplane.com> References: <199811161055.CAA18393@apollo.backplane.com> <19981116072937.E969@internal> <19981115192224.A29686@internal> <19981115161548.A23869@internal> <199811151758.JAA15108@apollo.backplane.com> <19981115192224.A29686@internal> <199811152210.PAA01604@harmony.village.org> <199811160658.XAA01912@harmony.village.org> <199811161835.LAA04984@harmony.village.org>
next in thread | previous in thread | raw e-mail | index | archive | help
:In message <199811161055.CAA18393@apollo.backplane.com> Matthew Dillon writes:
:: There are only a limited number of programs that run as root or are
:: suid root. Being able to plug even half a dozen of them by removing
:: their root privilages would be a major win.
:
:Yes. However, this would close only one or two. Those being those
:programs that do authorization based on user name, but do NOT change
:the uid of the user.
I think we can trivially close at least 4 or 5 root-run programs simply
by changing defaults and getting rid of an option or two, and we can
close another 4 or 5 by adding a capability resource of some sort to
the process model. Even a simple bitmask would work.
:: I can find no good reason why, for example, ntalkd must be run as root.
:: It does a stupid getuid() test in main() that should be ripped out...
:: it really only needs tty group access to work.
:
:I'd agree with that.
:
:: identd sure doesn't need root. kmem group access is plenty sufficient.
:
:That is correct as well.
:
:: Both of these are turned on by default in inetd.conf, neither of these
:: requires root. All it would take to fix them would be to add two dummy
:: users to master.passwd 'tty' and 'kmem' (with bin group privs), to fix
:: talkd.c to remove the silly getuid() test, and to fix inetd.conf (run
:: ntalkd as tty:tty and identd as kmem:kmem).
:
:yikes!!! I think that might be worth considering.
:: I wonder how many other programs can be trivially fixed like that.
:: Certainly sendmail does not need to be run as root, yet it is in
:: /usr/src/etc/rc. lpd ? Why in gods name does lpd need to be run
:: as root?
:
:sendmail needs to run as root to deliver mail and to bind to port 25.
:There may be some ways around this, but to date I've seen none that
:don't open huge holes elsewhere. lpd needs to run as root to access
:the files that it is printing, and to bind to its listening port. I'm
:not sure a good way around that...
:
:Warner
We've already discussed the obvious solution: Have a low-port listen
capability. Verses giving a program root, that is relatively innocuous.
Frankly, the security of low-port numbers was lost the moment people
began running desktop UNIX boxes at home. All that really matters now
is that if you are running a multi-user machine, you would rather not
give your users low port numbers to play with... but if they broke into
that capability, it still wouldn't be the end of the world.
As far as lpd -s goes, just disable the option for the default 'secure'
configuration for lpd (i.e. when lpd is not run as root, which should
be the *default*). Very few people actually use the option anyway,
at least nowadays (judging from my own migration away from having to
use the option years ago).
-Matt
Matthew Dillon Engineering, HiWay Technologies, Inc. & BEST Internet
Communications & God knows what else.
<dillon@backplane.com> (Please include original email in any response)
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199811161901.LAA21634>