From owner-cvs-all Thu Aug 16 00:09:50 2001
Delivered-To: cvs-all@freebsd.org
Date: Thu, 16 Aug 2001 00:08:23 -0700
From: "Crist J. Clark" (cjc@earthlink.net)
To: Robert Watson
Cc: David Malone, Mikhail Teterin, alex@big.endian.de, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/etc inetd.conf
Message-ID: <20010816000823.H330@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20010815123315.A35365@walton.maths.tcd.ie>
In-Reply-To: from rwatson@FreeBSD.org on Wed, Aug 15, 2001 at 12:57:17PM -0400
User-Agent: Mutt/1.2.5i

On Wed, Aug 15, 2001 at 12:57:17PM -0400, Robert Watson wrote:
> 
> On Wed, 15 Aug 2001, David Malone wrote:
> 
> > On Tue, Aug 14, 2001 at 11:33:17PM -0400, Mikhail Teterin wrote:
> > > On 14 Aug, Robert Watson wrote:
> > > > All of these programs do involve risk, syslogd possibly a fair amount
> > > > less so, and I'd be open to discussing how to disable them but
> > > > minimize impact from an administrative standpoint.
> > > 
> > > BTW, how hard is it to make syslogd run as nobody? Perhaps,
> > > nobody:operator? Does it have to be root?
> > 
> > It could possibly change to another uid after it had made its sockets
> > (port 514 and /var/run/log), connected to /dev/klog and opened all the
> > log files. It would have to change back again if you HUPed it though.
> 
> Note that if the same approach is taken as with ftpd, the ability to
> exploit a bug resulting in arbitrary code execution can gain the
> privilege. FTPd sets the effective euid to that of the user, but
> maintains a saved uid so it can switch back to root to bind privileged
> ports. An approach that might be taken is to have a pair of processes
> -- one with privilege, and one without. The one with privilege would
> communicate via IPC with the low privilege process, and grant specific
> requests via file descriptor passing (such as the binding of sockets,
> opening of devices, etc), limiting the scope of a vulnerability in the
> exposed code. This does add substantial complexity, and has to be
> carefully analyzed so as to determine that it won't leak privileges. We
> have an on-going project as part of our DARPA grant to look at general
> techniques for partitioning applications this way. You can e-mail
> Lee Badger if you're interested -- he's a co-PI on
> the project, and is focusing on the application impact of privilege.

When are we just going to give up the now rather silly concept of
"privileged ports?" Security on a UNIX platform gets _better_ when
non-root processes can open ports <1024. Since no one (except for a
limited few people on highly controlled, isolated networks) should ever
trust a remote machine, using a port <1024 is meaningless to the remote
machine. It's also only a UNIX anachronism, and therefore meaningless in
a heterogeneous environment.

It would be so-o nice to have a sysctl(8) to turn off privileged ports
and not have to worry about all of these problems with named(8),
syslogd(8), ftpd(8), etc. If I do the work, is anyone going to fight
committing it?
-- 
Crist J. Clark                          cjclark@alum.mit.edu
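The thread contrasts two ways of getting a daemon off root: the ftpd pattern (seteuid with a saved root uid, which an arbitrary-code bug can simply switch back from) and Robert Watson's two-process design, where a privileged parent binds sockets and hands them to an unprivileged worker over IPC with file descriptor passing. The following is an added example written for this page, not code from the thread, from FreeBSD, or from the DARPA project mentioned. It assumes a POSIX system with SCM_RIGHTS support; the loopback address, port 0 (kernel-chosen) and the function names are constructed for the demonstration.

```c
#define _DEFAULT_SOURCE 1
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Control-message buffer sized for exactly one descriptor. */
union fdbuf { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };

/* Privileged side: create a TCP listener on addr:port and return its fd.
 * Binding is the only step that needs root for ports below 1024. */
int bind_listener(const char *addr, unsigned short port)
{
    struct sockaddr_in sin;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sin, sizeof sin) != 0 || listen(fd, 16) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Hand one descriptor across a UNIX-domain socket with SCM_RIGHTS. */
int send_fd(int chan, int fd)
{
    struct msghdr msg; struct iovec iov; union fdbuf u; struct cmsghdr *cm;
    char byte = 'F';
    memset(&msg, 0, sizeof msg); memset(&u, 0, sizeof u);
    iov.iov_base = &byte; iov.iov_len = 1;
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = u.buf; msg.msg_controllen = sizeof u.buf;
    cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor sent with send_fd(); returns the new fd or -1. */
int recv_fd(int chan)
{
    struct msghdr msg; struct iovec iov; union fdbuf u; struct cmsghdr *cm;
    char byte; int fd;
    memset(&msg, 0, sizeof msg); memset(&u, 0, sizeof u);
    iov.iov_base = &byte; iov.iov_len = 1;
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = u.buf; msg.msg_controllen = sizeof u.buf;
    if (recvmsg(chan, &msg, 0) != 1) return -1;
    cm = CMSG_FIRSTHDR(&msg);
    if (cm == NULL || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS ||
        cm->cmsg_len != CMSG_LEN(sizeof(int))) return -1;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Unprivileged side: give up uid/gid for good. Unlike the ftpd pattern
 * (seteuid with a saved root uid), setuid() leaves no way back; we confirm
 * that by trying to regain root. Returns 0 only if privilege is really gone. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;   /* a saved uid leaked privilege */
    return 0;
}

/* Local TCP port of a bound socket, so the worker can verify what it got. */
int local_port(int fd)
{
    struct sockaddr_in sin; socklen_t len = sizeof sin;
    if (getsockname(fd, (struct sockaddr *)&sin, &len) != 0) return -1;
    return ntohs(sin.sin_port);
}

/* Demo: the parent keeps privilege and binds; the child receives the socket,
 * drops privilege and would then serve. A real daemon would pass the target
 * account's ids to drop_privileges(); here we use our own (constructed). */
int main(void)
{
    int sv[2], lfd, port;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 1;
    if (fork() == 0) {                      /* unprivileged worker */
        close(sv[0]);
        lfd = recv_fd(sv[1]);
        if (lfd < 0 || drop_privileges(getuid(), getgid()) != 0) _exit(1);
        printf("worker: listener on port %d as uid %d\n", local_port(lfd), (int)getuid());
        _exit(0);
    }
    close(sv[1]);                           /* privileged parent */
    lfd = bind_listener("127.0.0.1", 0);
    port = lfd < 0 ? -1 : local_port(lfd);
    if (lfd < 0 || send_fd(sv[0], lfd) != 0) return 1;
    close(lfd);                             /* the parent keeps no copy */
    wait(NULL);
    return port > 0 ? 0 : 1;
}
```

The point Robert raises about leaked privilege is why drop_privileges() checks its own work: after a permanent setuid() a later setuid(0) must fail, whereas the seteuid/saved-uid arrangement would let it succeed. The parent validates each request before acting on it and keeps the socketpair as the only channel, so a compromised worker can ask for a bound socket but cannot bind one itself, which is the "specific requests via file descriptor passing" design in the quoted text.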