From owner-cvs-all  Wed Aug 15  9:57:51 2001
Delivered-To: cvs-all@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
	by hub.freebsd.org (Postfix) with ESMTP
	id 976B437B40B; Wed, 15 Aug 2001 09:57:42 -0700 (PDT)
	(envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3])
	by fledge.watson.org (8.11.4/8.11.4) with SMTP id f7FGvHf85040;
	Wed, 15 Aug 2001 12:57:18 -0400 (EDT)
	(envelope-from robert@fledge.watson.org)
Date: Wed, 15 Aug 2001 12:57:17 -0400 (EDT)
From: Robert Watson <rwatson@FreeBSD.org>
X-Sender: robert@fledge.watson.org
To: David Malone <dwmalone@maths.tcd.ie>
Cc: Mikhail Teterin <mi@aldan.algebra.com>, alex@big.endian.de,
	cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/etc inetd.conf
In-Reply-To: <20010815123315.A35365@walton.maths.tcd.ie>
Message-ID: <Pine.NEB.3.96L.1010815125441.81642C-100000@fledge.watson.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
List-ID: <cvs-all.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20cvs-all>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20cvs-all>
X-Loop: FreeBSD.ORG


On Wed, 15 Aug 2001, David Malone wrote:

> On Tue, Aug 14, 2001 at 11:33:17PM -0400, Mikhail Teterin wrote:
> > On 14 Aug, Robert Watson wrote:
> > > All of these programs do involve  risk, syslogd possibly a fair amount
> > > less  so, and  I'd  be open  to  discussing how  to  disable them  but
> > > minimize impact from an administrative standpoint.
> > 
> > BTW,  how  hard   is  it  to  make  syslogd  run   as  nobody?  Perhaps,
> > nobody:operator? Does it have to be root?
> 
> It could possibly change to another uid after it had made it's sockets
> (port 514 and /var/run/log), connected to /dev/klog and opened all the
> log files. It would have to change back again if you HUPed it though. 

Note that if the same approach is taken as with ftpd, the ability to
exploit a bug resulting in arbitrary code execution can gain the
privilege.  FTPd sets the effective euid to that of the user, but
maintains a saved uid so it can switch back to root to bind privileged
ports.  An approach that might be taken is to have a pair of processes
-- one with privilege, and one without.  The one with privilege would
communicate via IPC with the low privilege process, and grant specific
requests via file descriptor passing (such as the binding of sockets,
opening of devices, etc), limiting the scope of a vulnerability in the
exposed code.  This does add substantial complexity, and has to be
carefully analyzed so as to determine that it won't leak privileges.  We
have an on-going project as part of our DARPA grant to look at generate
techniques for partitioning applications this way.  You can e-mail
Lee Badger <badger@tislabs.com> if you're interested -- he's a co-PI on
the project, and is focusing on the application impact of privilege.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message