Date: Wed, 15 Aug 2001 12:57:17 -0400 (EDT) From: Robert Watson <rwatson@FreeBSD.org> To: David Malone <dwmalone@maths.tcd.ie> Cc: Mikhail Teterin <mi@aldan.algebra.com>, alex@big.endian.de, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: src/etc inetd.conf Message-ID: <Pine.NEB.3.96L.1010815125441.81642C-100000@fledge.watson.org> In-Reply-To: <20010815123315.A35365@walton.maths.tcd.ie>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, 15 Aug 2001, David Malone wrote: > On Tue, Aug 14, 2001 at 11:33:17PM -0400, Mikhail Teterin wrote: > > On 14 Aug, Robert Watson wrote: > > > All of these programs do involve risk, syslogd possibly a fair amount > > > less so, and I'd be open to discussing how to disable them but > > > minimize impact from an administrative standpoint. > > > > BTW, how hard is it to make syslogd run as nobody? Perhaps, > > nobody:operator? Does it have to be root? > > It could possibly change to another uid after it had made it's sockets > (port 514 and /var/run/log), connected to /dev/klog and opened all the > log files. It would have to change back again if you HUPed it though. Note that if the same approach is taken as with ftpd, the ability to exploit a bug resulting in arbitrary code execution can gain the privilege. FTPd sets the effective euid to that of the user, but maintains a saved uid so it can switch back to root to bind privileged ports. An approach that might be taken is to have a pair of processes -- one with privilege, and one without. The one with privilege would communicate via IPC with the low privilege process, and grant specific requests via file descriptor passing (such as the binding of sockets, opening of devices, etc), limiting the scope of a vulnerability in the exposed code. This does add substantial complexity, and has to be carefully analyzed so as to determine that it won't leak privileges. We have an on-going project as part of our DARPA grant to look at generate techniques for partitioning applications this way. You can e-mail Lee Badger <badger@tislabs.com> if you're interested -- he's a co-PI on the project, and is focusing on the application impact of privilege. Robert N M Watson FreeBSD Core Team, TrustedBSD Project robert@fledge.watson.org NAI Labs, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1010815125441.81642C-100000>