Date: Mon, 16 Nov 1998 15:13:54 -0600
From: William McVey <wam@sa.fedex.com>
To: Matthew Dillon <dillon@apollo.backplane.com>
Cc: Warner Losh <imp@village.org>, Andre Albsmeier <andre.albsmeier@mchp.siemens.de>, freebsd-security@FreeBSD.ORG, jkh@zippy.cdrom.com (Jordan K. Hubbard), dima@best.net (Dima Ruban)
Subject: Re: Would this make FreeBSD more secure? & sendmail changes in OpenBSD 2.4
Message-ID: <199811162114.PAA06569@s07.sa.fedex.com>
In a thread titled "Would this make FreeBSD more secure?" Matthew Dillon wrote:

> Ok, here is a proposal:
> (1) Add a 'kmem' and 'tty' dummy user to /usr/src/etc/master.passwd.
> Unfortunately, the operator uid is already using 2 (why it didn't
> use 5 I'll never know), so give the kmem user uid 5 and the tty
> user uid 4 (same as their groups except for the operator<>kmem
> flip).

If we are adding standard ids to the password file, what do you think of adding the following loginids and groupids for services that can run standalone as unprivileged users (these are ones I've set up on my set of machines, it'd be nice to "standardize" them):

  smtp   (uid and gid of 25)
  www    (uid and gid of 80)
  ftp    (uid and gid of 21)
  tftp   (uid and gid of 69)
  syslog (uid and gid of 514) (another root daemon which probably doesn't need root, I just made the changes on one of my machines... I'll let the list know how it works out.)

I've never liked lumping different types of services under "daemon" or "nobody".

> (2) Change identd and ntalkd entries in inetd.conf to run ntalkd tty:tty
> and identd kmem:kmem.
>
> (3) Add an lp user and an lp group (what uid/gid ?).

I'd choose uid/gid 515, of course, you probably could have predicted that. Not coincidentally, I start numbering users at 1025. :-)

> (5)
>
> Use RCAPF_SETTIME to fix xntpd
>
> Use TCAPF_LOWPORT to fix xntpd, lpd, bind, sendmail, and possibly
> others.

I'm not convinced that sendmail and lpd require TCAPF_LOWPORT. I think inetd and the 'wait' attribute can do what they need, but I'm all for adding the solution as defined above. It probably would be useful for bind (which as a single process needs to bind to udp/53 as well as tcp/53).

> sendmail might still have to be run by root by default for
> program pipes, but that's a different problem that I presume
> Eric Allman will work on at some point (such functionality should
> really be moved into mail.local, IMHO, I'll email Eric and see
> what he has to say about it).
[ this is also directed to a running thread titled "sendmail changes in OpenBSD 2.4" ]

I'm a fan of running a setuid root mail.local, executable only by group 'smtp', with sendmail invoked as a wait service out of inetd as user/group 'smtp'. This avoids the potential misuse of the delivery program by regular users (which are not in group 'smtp'), allows sendmail to run unprivileged, and requires no code changes to operate. Stripping the setuid root bit from the delivery agent would require the daemon to be privileged so that it can setuid to the user whose mail is being handled. I would say a setuid root program that no one but the MTA can execute is the lesser of two evils.

-- William

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
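Added example, not part of William's message or of FreeBSD's own tooling: a small POSIX shell audit of the inetd.conf layout the thread is discussing. It parses the user[:group] field of each active entry, lists services still running as root (candidates for a dedicated account such as tty:tty, kmem:kmem or smtp:smtp), lists the ones already on a dedicated account together with their wait/nowait attribute, and checks a delivery agent's ownership and mode against the "setuid root, executable only by the MTA's group" model described above. The sample inetd.conf, its service names and program paths are constructed for the example; reading "executable by only group 'smtp'" as mode 4710 (rwx--x---) owned root:smtp is my interpretation, not something the message states.

```shell
#!/bin/sh
# Added example (not from the original message or from FreeBSD).
# Audits an inetd.conf for services still running as root and checks the
# permission model of a group-restricted setuid delivery agent.

# Constructed sample inetd.conf; names and paths are illustrative only.
SAMPLE_INETD='# service type proto wait/nowait user[:group] program args
ftp     stream  tcp     nowait  root        /usr/libexec/ftpd    ftpd -l
telnet  stream  tcp     nowait  root        /usr/libexec/telnetd telnetd
ntalk   dgram   udp     wait    tty:tty     /usr/libexec/ntalkd  ntalkd
ident   stream  tcp     wait    kmem:kmem   /usr/libexec/identd  identd -l
smtp    stream  tcp     wait    smtp:smtp   /usr/sbin/sendmail   sendmail -bs
#comsat dgram   udp     wait    root        /usr/libexec/comsat  comsat
finger  stream  tcp     nowait  root        /usr/libexec/fingerd fingerd -s'

# Read inetd.conf text on stdin; print "service user group wait/nowait"
# for every active entry. Field 5 is user or user:group; with no group
# given, inetd uses the user's own login group, so we report the user twice.
parse_inetd() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }        # skip comments and blank lines
        NF >= 6 {
            n = split($5, ug, ":")
            grp = (n > 1) ? ug[2] : ug[1]
            print $1, ug[1], grp, $4
        }'
}

# Services that still run as root: candidates for a dedicated account.
root_services() {
    printf '%s\n' "$SAMPLE_INETD" | parse_inetd | awk '$2 == "root" { print $1 }'
}

# Services already on a dedicated account, with their wait/nowait flag,
# so one can confirm e.g. that sendmail is run as a "wait" service.
dedicated_services() {
    printf '%s\n' "$SAMPLE_INETD" | parse_inetd |
        awk '$2 != "root" { print $1, $2 ":" $3, $4 }'
}

# Check a delivery agent against the model from the message: owned by root,
# group set to the MTA's group, setuid bit set, group may execute, and no
# permission bits at all for "others" (so ordinary users cannot run it).
# Usage: check_delivery_agent <octal mode> <owner> <group> <required group>
check_delivery_agent() {
    mode=$1; owner=$2; group=$3; want=$4
    [ "$owner" = "root" ] || return 1
    [ "$group" = "$want" ] || return 1
    [ $(( 0$mode & 04000 )) -ne 0 ] || return 1   # setuid bit present
    [ $(( 0$mode & 010 )) -ne 0 ]   || return 1   # group execute bit present
    [ $(( 0$mode & 07 )) -eq 0 ]                  # others have no access
}

echo "still running as root:"
root_services
echo "on dedicated accounts (service user:group wait/nowait):"
dedicated_services
if check_delivery_agent 4710 root smtp smtp; then
    echo "mail.local 4710 root:smtp: matches the group-restricted setuid model"
fi
```

Run against a real system with `parse_inetd < /etc/inetd.conf` in place of the embedded sample, and feed `check_delivery_agent` the mode, owner and group reported by `stat` or `ls -l` for the delivery agent; a mode such as 4755 fails the check because "others" can execute it, which is exactly the misuse the group restriction is meant to prevent.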