From owner-freebsd-security Sun Oct 20 10:14:46 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA02232 for security-outgoing; Sun, 20 Oct 1996 10:14:46 -0700 (PDT)
Received: from obie.softweyr.com (slc115.modem.xmission.com [204.228.136.115]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id KAA02225 for ; Sun, 20 Oct 1996 10:14:42 -0700 (PDT)
Received: (from wes@localhost) by obie.softweyr.com (8.7.5/8.6.12) id LAA04095; Sun, 20 Oct 1996 11:16:12 -0600 (MDT)
Date: Sun, 20 Oct 1996 11:16:12 -0600 (MDT)
Message-Id: <199610201716.LAA04095@obie.softweyr.com>
From: Wes Peters
To: Jerry Kelley
CC: security@freebsd.org
Subject: Any FreeBSD security topics of interest?
In-Reply-To: <326902B1.F1A@iquest.net>
References: <326902B1.F1A@iquest.net>
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Jerry Kelley writes:
> Again, my goal is a new topic or improvement to security for UNIX that
> could be implemented (and added) to FreeBSD. I'd like to give something
> back to the FreeBSD community because I believe strongly in the
> principles of a freely available OS.

I'm sure there are others more deeply embedded in the security woes of {Free,Net,Open}BSD who can answer in more detail, but one topic immediately springs to mind: extend the ufs file system to use per-file access control lists.

If you're not familiar with ACLs, get your hands on an HP-UX system and try 'man acl'. Their ACL system is workable and relatively UNIX-ish.

ACLs have a lot of potential for clearing up some sticky administration problems in UNIX. Many of the setuid programs we worry about could be more carefully restricted with carefully applied ACLs, and many of the tasks that you have to 'su' to do today could be ACL'ed and setuid so that specific groups or individuals could perform them without needing to su.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters Softweyr LLC http://www.xmission.com/~softweyr softweyr@xmission.com