From owner-freebsd-hackers@FreeBSD.ORG Thu Jan 12 09:44:53 2012
From: "Robert N. M. Watson" <rwatson@freebsd.org>
To: Adrian Chadd
Cc: freebsd-hackers@freebsd.org, Gerald McNulty
Date: Thu, 12 Jan 2012 09:44:45 +0000
Subject: Re: Assigning the PRIV_NETINET_BINDANY privilege required for setsockopt(IP_BINDANY)
Message-Id: <1440BE37-28E4-4D4F-B8A0-54FD0BB76AA4@freebsd.org>
List-Id: Technical Discussions relating to FreeBSD

On 12 Jan 2012, at 06:03, Adrian Chadd wrote:

> On 11 January 2012 15:26, Gerald McNulty wrote:
>> Using IP_BINDANY to facilitate transparent proxying works as specified.
>> According to the ip(4) man page and sys/netinet/ip_output.c, the
>> PRIV_NETINET_BINDANY privilege is required in order to make a setsockopt()
>> call with IP_BINDANY.
>>
>> I would like to use this in an app that does not run as uid 0. Is it
>> possible to assign the PRIV_NETINET_BINDANY privilege to a specific uid or
>> process, or can this mechanism only be used in jails to reduce root
>> privileges further?
>
> I'm not sure if the relevant bits of MAC have been committed. Robert?

Hi Adrian, Gerald:

Currently there isn't a general-purpose privilege management policy in FreeBSD. The MAC Framework supports specialised policies that modify OS notions of privilege -- for example, the Biba policy does this, but it's not what you're looking for. We have vague intent to do two things:

(1) Add a role-based privilege model, allowing privileges to be assigned to users as already possible in some other systems (such as Solaris)

(2) Allow masks of privileges available to root (etc) in jails to be explicitly managed, rather than relying on the hard-coded privilege list currently in the Jail implementation

The groundwork was laid for this in FreeBSD 7.0 with the itemisation of available privileges, but a significant amount of further work remains to be done. Despite the best intentions, it happened neither for 8.0 nor 9.0. Some downstream consumers of FreeBSD use specialised MAC policies to delegate rights to non-root users, but I'm not aware of a policy implementation currently appropriate for upstreaming to us.

I'd very much like to see this happen for 10.0, perhaps even with a merge to 9.x, but currently there isn't an owner for this project. It involves quite a bit of subtlety and care -- getting it wrong has the potential to make a system more, rather than less, vulnerable.

Robert
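An added example, not part of the thread above and not FreeBSD project code, showing the sequence Gerald's question points at: the PRIV_NETINET_BINDANY check is made when setsockopt(IP_BINDANY) is called, so a transparent proxy can set the option while it still has root and then drop to an unprivileged uid before it binds and serves. That the later bind() and accept() work without privilege once the option is set is an assumption of this example, as are the helper names and the sample address, port and uid in main(); on a non-FreeBSD host, where IP_BINDANY is not defined, enable_bindany() reports -ENOTSUP instead of compiling out entirely.

```c
/* Least-privilege use of IP_BINDANY on FreeBSD (added example, with
 * assumptions noted in the lead-in). Build: cc -o bindany bindany.c */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Step 1 (while still root): request IP_BINDANY. This is where the
 * kernel performs the PRIV_NETINET_BINDANY check; without the privilege
 * the call fails with EPERM. Returns 0 or -errno. */
int enable_bindany(int fd)
{
#ifdef IP_BINDANY
    int one = 1;
    if (setsockopt(fd, IPPROTO_IP, IP_BINDANY, &one, sizeof(one)) == -1)
        return -errno;
    return 0;
#else
    (void)fd;
    return -ENOTSUP;            /* not a FreeBSD host: option unavailable */
#endif
}

/* Step 2: permanently drop root. Order matters: gid first, then uid.
 * Afterwards, confirm the drop is irreversible by trying to regain
 * uid 0, which must fail. Returns 0 or -errno. */
int drop_to_uid(uid_t uid, gid_t gid)
{
    if (setgid(gid) == -1 || setuid(uid) == -1)
        return -errno;
    if (uid != 0 && setuid(0) == 0)
        return -EACCES;         /* privilege drop did not stick */
    return 0;
}

/* Fill a sockaddr_in from a dotted quad. Returns 0 or -EINVAL. */
int make_addr(const char *ip, uint16_t port, struct sockaddr_in *sa)
{
    memset(sa, 0, sizeof(*sa));
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa->sin_addr) != 1)
        return -EINVAL;
    return 0;
}

/* Whole sequence: socket -> IP_BINDANY (privileged) -> drop privilege
 * -> bind to a possibly non-local address -> listen. The bind happens
 * unprivileged (assumption: the option is remembered on the socket).
 * Returns the listening fd, or -errno. */
int open_bindany_listener(const char *ip, uint16_t port, uid_t uid, gid_t gid)
{
    struct sockaddr_in sa;
    int fd, rc;

    if ((rc = make_addr(ip, port, &sa)) < 0)
        return rc;
    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
        return -errno;
    if ((rc = enable_bindany(fd)) < 0 || (rc = drop_to_uid(uid, gid)) < 0) {
        close(fd);
        return rc;
    }
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) == -1 ||
        listen(fd, 128) == -1) {
        rc = -errno;
        close(fd);
        return rc;
    }
    return fd;
}

int main(void)
{
    /* Constructed sample values: a non-local address, an arbitrary port
     * and a placeholder unprivileged uid/gid. */
    int fd = open_bindany_listener("192.0.2.10", 8080, 65534, 65534);
    if (fd < 0) {
        fprintf(stderr, "bindany listener failed: %s\n", strerror(-fd));
        return 1;
    }
    printf("listening with IP_BINDANY as uid %d\n", (int)getuid());
    close(fd);
    return 0;
}
```

The useful diagnostic split for an operator is in the return codes: EPERM from enable_bindany() means the process lacked PRIV_NETINET_BINDANY when it called setsockopt(), whereas EADDRNOTAVAIL from bind() means the option was never set, so the kernel applied its normal local-address check.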