Date: Sun, 12 Jul 1998 16:35:48 +1200 (NZST)
From: Andrew McNaughton
Reply-To: andrew@squiz.co.nz
To: "Kent S. Gordon"
cc: jehamby@manta.jpl.nasa.gov, 026809r@dragon.acadiau.ca, security@FreeBSD.ORG
Subject: Re: RootRunner (admin GUI w/o security holes?)
In-Reply-To: <199807120035.TAA10008@soccer.ksg.com>

On Sat, 11 Jul 1998, Kent S. Gordon wrote:

> Date: Sat, 11 Jul 1998 19:35:38 -0500 (CDT)
> From: "Kent S. Gordon"
> To: jehamby@manta.jpl.nasa.gov
> Cc: 026809r@dragon.acadiau.ca, security@FreeBSD.ORG
> Subject: Re: RootRunner (admin GUI w/o security holes?)
>
> >>>>> "jehamby" == Jake Hamby writes:
>
>     > On Fri, 10 Jul 1998, Michael Richards wrote:
>     >> Why not just use ssh to forward your root x connections via an
>     >> encrypted connection. All of your problems go away. You are
>     >> even secure from network sniffers because the entire data
>     >> stream is encrypted.
>
>     > Well, I definitely want to support ssh to allow secure remote
>     > administration (where it would replace su or sudo in the scheme
>     > I described), but I'm really loath to run any part of the GUI as
>     > uid 0, if it's at all possible to avoid. While it's probably
>     > not a security hole, per se, my biggest problem is the one I
>     > already mentioned of how to start the program from the "start
>     > menu" of your favorite windowmanager, without having to pop up
>     > an ugly xterm window to ask for the root password.
>
> You could always create a no password entry in sudo for these cases
> or a special suid binary that invokes the program. I have used no
> password entry in sudo for this in the past.
>
>     > -Jake

That gives finer control over access, but otherwise I don't think it's
much different from suid.

I suspect the only way to get a uid = 0 backend and a uid != 0 frontend
is to run them as separate processes with some sort of communication
channel.

Andrew
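The split Andrew describes (a uid = 0 backend and a uid != 0 frontend as separate processes joined by a communication channel), shown as an added example that is not code from this thread or from RootRunner. The operation names, UNPRIV_ID, and the OK/DENIED replies are assumptions made for illustration.

```c
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#define UNPRIV_ID 65534 /* assumption: uid/gid of an unprivileged account */

/* Hypothetical operation names: the only things the uid 0 side will do. */
static const char *const allowed_ops[] = { "list-users", "restart-cron" };

/* Backend (stays uid 0): read one request and act only on an exact
 * allowlist match. Returns 1 if accepted, 0 if refused, -1 on I/O error. */
int backend_serve(int fd) {
    char req[64];
    ssize_t n = read(fd, req, sizeof req - 1);
    if (n <= 0) return -1;               /* peer closed or read failed */
    req[n] = '\0';
    for (size_t i = 0; i < sizeof allowed_ops / sizeof *allowed_ops; i++)
        if (strcmp(req, allowed_ops[i]) == 0) /* fixed operation would run here */
            return write(fd, "OK", 2) == 2 ? 1 : -1;
    return write(fd, "DENIED", 6) == 6 ? 0 : -1;
}

/* Frontend: give up root permanently before any GUI code runs. */
int drop_root(void) {
    if (geteuid() != 0) return 0;        /* already unprivileged */
    if (setgroups(0, NULL) || setgid(UNPRIV_ID) || setuid(UNPRIV_ID)) return -1;
    return setuid(0) == -1 ? 0 : -1;     /* regaining root must fail */
}

int main(int argc, char **argv) {
    int sv[2];
    char reply[16] = {0};
    const char *req = argc > 1 ? argv[1] : "list-users";
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) return 1;
    pid_t pid = fork();
    if (pid == -1) return 1;
    if (pid == 0) {                      /* child: the uid != 0 frontend */
        close(sv[0]);
        if (drop_root() != 0) _exit(1);  /* never continue with root intact */
        if (write(sv[1], req, strlen(req)) < 0) _exit(1);
        if (read(sv[1], reply, sizeof reply - 1) <= 0) _exit(1);
        dprintf(STDOUT_FILENO, "frontend uid=%d got %s\n", (int)getuid(), reply);
        _exit(0);
    }
    close(sv[1]);                        /* parent: the uid 0 backend */
    int rc = backend_serve(sv[0]);
    waitpid(pid, NULL, 0);
    return rc < 0;
}
```

The backend matches whole requests against a fixed list, so the frontend can only select an operation, never supply arguments or paths to the privileged side.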