From: Robert Watson <robert@fledge.watson.org>
Date: Wed, 15 Aug 2001 12:57:17 -0400 (EDT)
To: David Malone
Cc: Mikhail Teterin, alex@big.endian.de, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/etc inetd.conf
In-Reply-To: <20010815123315.A35365@walton.maths.tcd.ie>

On Wed, 15 Aug 2001, David Malone wrote:

> On Tue, Aug 14, 2001 at 11:33:17PM -0400, Mikhail Teterin wrote:
> > On 14 Aug, Robert Watson wrote:
> > > All of these programs do involve risk, syslogd possibly a fair amount
> > > less so, and I'd be open to discussing how to disable them but
> > > minimize impact from an administrative standpoint.
> >
> > BTW, how hard is it to make syslogd run as nobody? Perhaps,
> > nobody:operator? Does it have to be root?
>
> It could possibly change to another uid after it had made its sockets
> (port 514 and /var/run/log), connected to /dev/klog and opened all the
> log files. It would have to change back again if you HUPed it though.

Note that if the same approach is taken as with ftpd, the ability to
exploit a bug resulting in arbitrary code execution can gain the privilege.
FTPd sets the effective euid to that of the user, but maintains a saved uid
so it can switch back to root to bind privileged ports.

An approach that might be taken is to have a pair of processes -- one with
privilege, and one without. The one with privilege would communicate via
IPC with the low privilege process, and grant specific requests via file
descriptor passing (such as the binding of sockets, opening of devices,
etc), limiting the scope of a vulnerability in the exposed code. This does
add substantial complexity, and has to be carefully analyzed so as to
determine that it won't leak privileges.

We have an on-going project as part of our DARPA grant to look at general
techniques for partitioning applications this way. You can e-mail Lee
Badger if you're interested -- he's a co-PI on the project, and is
focusing on the application impact of privilege.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services
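The privileged/unprivileged process pair described in the reply above, as an added example that is not from the mail or from FreeBSD's syslogd or ftpd: the privileged parent binds the socket and passes only the descriptor to a forked child over a Unix socketpair with SCM_RIGHTS, so the exposed child never holds the right to bind further ports or open devices itself. Function names are my own, and loopback port 0 stands in for port 514 so the demo runs without root.

```c
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <string.h>
#include <unistd.h>
/* Privileged side: pass descriptor fd over Unix socket sock; 0 on success. */
int send_fd(int sock, int fd)
{
    char byte = 'F', cbuf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&m);       /* SCM_RIGHTS carries the fd */
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &m, 0) == 1 ? 0 : -1;
}
/* Unprivileged side: receive a passed descriptor; returns it, or -1. */
int recv_fd(int sock)
{
    char byte, cbuf[CMSG_SPACE(sizeof(int))]; int fd;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    if (recvmsg(sock, &m, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&m);
    if (cm == NULL || cm->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}
/* Hypothetical demo: the privileged parent binds the UDP socket and hands its
 * forked child only the descriptor; the child (which would setuid() to nobody
 * here) never holds the right to bind anything itself. Loopback port 0 stands
 * in for 514 so this runs unprivileged. Returns 1 if the child got a bound socket. */
int privsep_bind_and_hand_off(void)
{
    int sv[2], fd, st; struct sockaddr_in sa = { 0 }; socklen_t len = sizeof sa;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    pid_t pid = fork(); if (pid < 0) return 0;
    if (pid == 0) {                                   /* unprivileged child */
        close(sv[0]); fd = recv_fd(sv[1]);
        if (fd < 0 || getsockname(fd, (struct sockaddr *)&sa, &len) < 0) _exit(1);
        _exit(sa.sin_port == 0);                      /* exit 0 only if bound */
    }
    close(sv[1]); fd = socket(AF_INET, SOCK_DGRAM, 0);
    sa.sin_family = AF_INET; sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (fd < 0 || bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || send_fd(sv[0], fd) < 0) return 0;
    close(fd); close(sv[0]);                          /* parent keeps no copy */
    return waitpid(pid, &st, 0) == pid && WIFEXITED(st) && WEXITSTATUS(st) == 0;
}
```

The same pattern extends to the other privileged operations the mail lists (opening /dev/klog, the log files, /var/run/log): the parent performs each open on request and passes back the descriptor, and a HUP is handled by re-requesting rather than by regaining root.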