From: Dag-Erling Smørgrav <des@des.no>
To: schultz@ime.usp.br
Cc: freebsd-security@freebsd.org
Date: Sun, 01 Apr 2012 10:49:31 +0200
Subject: Re: FreeBSD Security in Multiuser Environments
Message-ID: <86fwcnygys.fsf@ds4.des.no>
In-Reply-To: <20120331140820.101653608997tekk@webmail.ime.usp.br> (schultz@ime.usp.br's message of "Sat, 31 Mar 2012 14:08:20 -0300")

schultz@ime.usp.br writes:
> * Encrypted the whole (except /boot) system with geli(8)
>   (HMAC/SHA256 and AES-XTS). It is not as nice and much slower
>   than proper filesystem-level checksumming but it is what
>   FreeBSD provides (ZFS is too unstable).

ZFS is stable enough, but I'm a little confused: encryption is not
"checksumming", and ZFS provides checksums but not encryption.

> * Disabled useless and potentially dangerous services: cron, devd
>   and sendmail.

These services are neither useless nor dangerous.

> * Removed every setuid bit. The system works even then.

...except users are no longer able to change their password or shell.

> * Added a group sudoers and made sudo setuid only to users in
>   sudoers: would have avoided trouble with recent sudo exploit if
>   only trusted users have slaves.

I'm not sure what "made sudo setuid only to users in sudoers" means.
Perhaps you mean "executable only by users in sudoers"?

Also... all this and you didn't raise the securelevel? Didn't set
system binaries schg? Didn't remove unwanted binaries like rcp(1),
rlogin(1), at(1) etc?

> As for using sudo to grant privilege, for each master-slave
> relationship between users u and v, I have added a line like
> "u ALL = (v) NOPASSWD: ALL" to /etc/sudoers. Then the user u is
> supposed to become v by issuing "sudo -i -u v" and to execute a
> command as v by issuing "sudo -i -u v ...".

I'm surprised there isn't a sudoers option to force -i; I'm sure Todd
Miller would be happy for a patch :)

DES
-- 
Dag-Erling Smørgrav - des@des.no
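A delegation scheme of this kind is easy to audit incorrectly because sudo runas grants compose: if u may become v and v may become w, u reaches w in two `sudo -i -u` steps. The following is an added example, not code from the thread or from FreeBSD: a Python audit helper that parses sudoers lines of the shape quoted above and lists every account a user can reach through such chains. The sudoers text and usernames in it are constructed.

```python
import re

# Constructed sample /etc/sudoers content in the shape the quoted post describes;
# the usernames and the last two lines are invented for illustration.
SAMPLE_SUDOERS = """\
# u may become v with "sudo -i -u v"
alice ALL = (bob) NOPASSWD: ALL
bob   ALL = (carol) NOPASSWD: ALL
dave  ALL = (root) ALL
carol ALL = (ALL) NOPASSWD: /usr/sbin/service
erin  ALL = ALL
"""

# user host = (runas[:group]) [TAG: ...] command
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>.+)$"
)

def parse_delegations(text):
    """Map each user to the accounts it can open a shell as via sudo.

    Only entries whose command spec is ALL count: a restricted command list
    (carol's line) does not permit "sudo -i -u v".  A missing "(runas)" means
    root, as with sudo's runas_default.  Comment handling is simplified and
    ignores the "#include" and "#uid" forms.
    """
    edges = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = LINE_RE.match(line) if line else None
        if not m or m.group("cmd").strip() != "ALL":
            continue
        runas = m.group("runas")
        targets = ["root"] if runas is None else [
            t.strip() for t in runas.split(":", 1)[0].split(",") if t.strip()]
        edges.setdefault(m.group("user"), set()).update(targets)
    return edges

def reachable(edges, user):
    """Accounts `user` can become by chaining sudo -i -u through intermediates.
    "ALL" in the result means the chain ends at an unrestricted runas spec."""
    seen, stack = set(), [user]
    while stack:
        for v in edges.get(stack.pop(), ()):
            if v not in seen:
                seen.add(v)
                stack.append(v)
    return seen
```

With the sample above, `reachable(parse_delegations(SAMPLE_SUDOERS), "alice")` returns `{'bob', 'carol'}`: alice's single delegation line quietly grants her carol's shell as well.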