Date: Tue, 22 Jun 1999 22:20:55 +0300
From: Valentin Nechayev <netch@lucky.net>
To: freebsd-security@freebsd.org
Subject: Re: proposed secure-level 4 patch
Message-ID: <19990622222055.J2436@lucky.net>
References: <376D27ED.0180@funbox.demon.co.uk>
In-Reply-To: <376D27ED.0180@funbox.demon.co.uk> <199906210518.PAA15232@cheops.anu.edu.au> <19990621142104.X63035@bitbox.follo.net>
Organization: Lucky Netch Incorporated

At Mon, 21 Jun 1999 14:21:04 +0200, eivind@freebsd.org wrote:

>> How about a bit vector defining which ports can and can't be bound from
>> non-root below 1024 ?
>>
>> a 256 byte array doesn't sound too bad does it ?

EE> Why haven't I seen the magic words of 'Merge from OpenBSD' in a commit
EE> related to this yet? ;-)

;) Because it is not enough... a full realization must give the possibility to change the plain old ;) fixed rule "0..1023 for root, other for all; no 'automatic' binding to 0..1023" to any possible variant, for example:

-> Deny all except uid 65530 to bind ports 3128-3130 on bind() with a specified port number. Deny all (uid 65530 also) to bind these ports implicitly (meaning: without an explicit bind, as the first free port number). One can ask "why?" Because squid can die, and I don't want a situation where a bad user catches one of these ports and prevents squid from restarting.

-> Allow port 25 to be bound by uid 25 (postfix or sendmail, as you wish).

-> Deny implicit binding to ports 6000-6099 for anyone (but allow explicit binding, for any user who wants to simulate an X server).

-> Deny all explicit and implicit binding for all to port 31337, to avoid fake BO detections.

And so on... I have made such an implementation, but with an ipfw-styled interface. If someone can describe the necessary "capabilities" interface, it shall be remade & published.

-- 
Valentin Nechayev
netch@lucky.net
II:LDXIII/MCMLXXII.CCC
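The per-uid port-binding policy sketched in the message, as an added example that is not the author's ipfw-styled implementation (which was never posted) and not FreeBSD code. It is a userland model: a first-match rule table (the ipfw convention, assumed here), each rule naming a uid or the assumed wildcard ANY_UID, an inclusive port range, and whether it covers explicit bind() calls, implicit (ephemeral) allocation, or both. When no rule matches, the classic rule the message wants to replace applies: ports 0..1023 only for uid 0, and implicit allocation never lands there. The four rules are constructed from the message's four examples; names such as may_bind and pick_ephemeral_port are hypothetical.

```c
/* Added example: userland model of a per-uid port-binding policy.
 * Not the author's implementation; rule table constructed from the
 * message's four examples. First matching rule wins (ipfw-style). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

#define ANY_UID ((uid_t)-1)   /* assumed wildcard: rule applies to every uid */

/* Bit flags: how the port is being taken. */
enum bind_kind { BIND_EXPLICIT = 1, BIND_IMPLICIT = 2 };

struct port_rule {
    bool     allow;    /* true = allow, false = deny */
    uid_t    uid;      /* ANY_UID or one specific uid */
    uint16_t lo, hi;   /* inclusive port range */
    int      kinds;    /* BIND_EXPLICIT, BIND_IMPLICIT, or both */
};

/* Constructed rule table mirroring the message's examples, first match wins. */
static const struct port_rule rules[] = {
    /* squid: only uid 65530 may bind 3128-3130, and only explicitly */
    { true,  65530,   3128,  3130,  BIND_EXPLICIT },
    { false, ANY_UID, 3128,  3130,  BIND_EXPLICIT | BIND_IMPLICIT },
    /* MTA: uid 25 may bind port 25 (everyone else falls to the default) */
    { true,  25,      25,    25,    BIND_EXPLICIT },
    /* X display ports: never handed out implicitly, explicit for anyone */
    { false, ANY_UID, 6000,  6099,  BIND_IMPLICIT },
    { true,  ANY_UID, 6000,  6099,  BIND_EXPLICIT },
    /* 31337: nobody, neither way */
    { false, ANY_UID, 31337, 31337, BIND_EXPLICIT | BIND_IMPLICIT },
};

static bool rule_matches(const struct port_rule *r, uid_t uid,
                         uint16_t port, enum bind_kind kind)
{
    if (port < r->lo || port > r->hi) return false;
    if (!(r->kinds & kind)) return false;
    if (r->uid != ANY_UID && r->uid != uid) return false;
    return true;
}

/* Returns true if `uid` may take `port` in the given way. */
bool may_bind(uid_t uid, uint16_t port, enum bind_kind kind)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (rule_matches(&rules[i], uid, port, kind))
            return rules[i].allow;
    /* Default: the classic reserved-port rule the message describes. */
    if (port < 1024)
        return kind == BIND_EXPLICIT && uid == 0;
    return true;
}

/* Implicit allocation: first port >= `start` the policy lets `uid` have,
 * or -1 if none. Ignores whether the port is actually in use. */
int pick_ephemeral_port(uid_t uid, uint16_t start)
{
    for (unsigned p = start; p <= 65535; p++)
        if (may_bind(uid, (uint16_t)p, BIND_IMPLICIT))
            return (int)p;
    return -1;
}

int main(void)
{
    printf("uid 65530 explicit 3128: %s\n",
           may_bind(65530, 3128, BIND_EXPLICIT) ? "allow" : "deny");
    printf("uid 0     explicit 3128: %s\n",
           may_bind(0, 3128, BIND_EXPLICIT) ? "allow" : "deny");
    printf("uid 25    explicit 25:   %s\n",
           may_bind(25, 25, BIND_EXPLICIT) ? "allow" : "deny");
    printf("uid 1000  implicit from 6000 -> %d\n",
           pick_ephemeral_port(1000, 6000));
    return 0;
}
```

Rule order carries the policy: the squid "allow 65530" line has to sit above the "deny everyone" line for the same range, and the port-25 allow only helps uid 25 because anyone else falls through to the default, which still reserves ports below 1024 for root.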