Date:      Sun, 01 Apr 2012 10:49:31 +0200
From:      Dag-Erling Smørgrav <des@des.no>
To:        schultz@ime.usp.br
Cc:        freebsd-security@freebsd.org
Subject:   Re: FreeBSD Security in Multiuser Environments
Message-ID:  <86fwcnygys.fsf@ds4.des.no>
In-Reply-To: <20120331140820.101653608997tekk@webmail.ime.usp.br> (schultz@ime.usp.br's message of "Sat, 31 Mar 2012 14:08:20 -0300")
References:  <20120331140820.101653608997tekk@webmail.ime.usp.br>

schultz@ime.usp.br writes:
>   * Encrypted the whole (except /boot) system with geli(8)
>     (HMAC/SHA256 and AES-XTS). It is not as nice and much slower
>     than proper filesystem-level checksumming but it is what
>     FreeBSD provides (ZFS is too unstable).

ZFS is stable enough, but I'm a little confused: encryption is not
"checksumming", and ZFS provides checksums but not encryption.

>   * Disabled useless and potentially dangerous services: cron, devd
>     and sendmail.

These services are neither useless nor dangerous.

>   * Removed every setuid bit. The system works even then.

except users are no longer able to change their password or shell.

>   * Added a group sudoers and made sudo setuid only to users in
>     sudoers: would have avoided trouble with recent sudo exploit if
>     only trusted users have slaves.

I'm not sure what "made sudo setuid only to users in sudoers" means.
Perhaps you mean "executable only by users in sudoers"?

Also...  all this and you didn't raise the securelevel?  Didn't set
system binaries schg?  Didn't remove unwanted binaries like rcp(1),
rlogin(1), at(1) etc?

> As for using sudo to grant privilege, for each master-slave
> relationship between users u and v, I have added a line like
> "u ALL = (v) NOPASSWD: ALL" to /etc/sudoers. Then the user u is
> supposed to become v by issuing "sudo -i -u v" and to execute a
> command as v by issuing "sudo -i -u v ...".

I'm surprised there isn't a sudoers option to force -i; I'm sure Todd
Miller would be happy for a patch :)

DES
-- 
Dag-Erling Smørgrav - des@des.no
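As an added illustration that is not part of this thread: a small POSIX sh/awk auditor that lists the full-impersonation edges ("who -> whom") granted by sudoers entries of the quoted `u ALL = (v) NOPASSWD: ALL` form, run over a constructed sample fragment. It assumes one entry per line and does not expand aliases, `#include` directives or host lists.

```shell
#!/bin/sh
# Constructed sudoers fragment in the style of the quoted "u ALL = (v) NOPASSWD: ALL"
# entries (sample data, not anyone's real /etc/sudoers).
SAMPLE_SUDOERS='# constructed sample
Defaults requiretty
Cmnd_Alias SERVICES = /usr/sbin/service
u ALL = (v) NOPASSWD: ALL
alice ALL = (bob) NOPASSWD: ALL
carol ALL = (root) SERVICES sshd restart
%wheel ALL = (ALL) NOPASSWD: ALL
%sudoers ALL = (ALL) ALL
'

# Print one "who -> whom" edge per line for every entry that grants ALL
# commands without a password, i.e. unrestricted impersonation of the
# run-as user. Assumption: one entry per line; aliases, #include and
# host-specific entries are not expanded.
list_full_delegations() {
    printf '%s' "$1" | awk '
        /^[ \t]*#/                 { next }   # comment
        /^[ \t]*Defaults/          { next }   # option line, not a grant
        /^[A-Za-z_]+_Alias[ \t]/   { next }   # alias definition
        NF == 0                    { next }   # blank line
        {
            who = $1
            spec = $0
            # Strip "who host =" so only "(runas) commands" remains
            sub(/^[^=]*=[ \t]*/, "", spec)
            runas = "root"               # sudo default when no (runas) is given
            if (match(spec, /^\([^)]*\)/)) {
                runas = substr(spec, 2, RLENGTH - 2)
                spec = substr(spec, RLENGTH + 1)
                sub(/^[ \t]+/, "", spec)
            }
            if (spec ~ /^NOPASSWD:[ \t]*ALL[ \t]*$/)
                print who " -> " runas
        }'
}

list_full_delegations "$SAMPLE_SUDOERS"
```

A `(ALL)` run-as list shows up as "-> ALL", so group-wide entries like the `%wheel` line above stand out next to the per-user delegations.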