Date:      Fri, 12 Mar 1999 11:01:42 -0500 (EST)
From:      Robert Watson <robert@cyrus.watson.org>
To:        "Ilmar S. Habibulin" <ilmar@ints.ru>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: disapointing security architecture
Message-ID:  <Pine.BSF.3.96.990312105400.10999A-100000@fledge.watson.org>
In-Reply-To: <Pine.BSF.4.05.9903121828280.38427-100000@ws-ilmar.ints.ru>

On Fri, 12 Mar 1999, Ilmar S. Habibulin wrote:

> On Thu, 11 Mar 1999, Robert Watson wrote:
> 
> > it.  I may get a chance to look at it again more seriously in the near
> > future.  It also raises the issue as to whether it wouldn't be better to
> > reengineer the setuid programs so they aren't setuid :-).
> You mean capabilities and ACLs?

ACLs, but not capabilities.  I'm not sure I like the idea of mixed
privileges in a single process: there are too many ways that parent
processes influence child processes, or can subvert their behavior by
taking advantage of mixed privileges.  Reworking things to make use of
ACLs seems reasonable; using servers that communicate via IPC seems
reasonable, but somehow the mixed privileges always screw everyone. :)
LPC/RPC are subject to the normal set of buffer overflows, of course, but
you don't get the weird stuff like signals getting sent to child
processes resulting in different behavior (ping).  Perhaps this is more a
problem with the process model and its quite-close-ties to the uid
authorization model.

I'll gladly implement Capabilities, but I'll not necessarily commit to
their actually being useful :-).

  Robert N Watson 

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73  25 6D 10 FC EC 68 C1 1C

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
Safeport Network Services             http://www.safeport.com/
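The "mixed privileges in a single process" problem raised above is a setuid binary that keeps a privileged identity in its effective or saved uid while doing work on behalf of an untrusted parent; the standard mitigation, short of redesigning the program to not be setuid at all, is to drop privilege permanently as early as possible and then verify the drop rather than trust the return codes. The C program below is an added illustration written for this page, not code from the thread or from FreeBSD; the function names `drop_privileges_permanently` and `has_mixed_privileges` are mine, and it assumes a platform with `setresuid`/`setresgid`/`getresuid`/`getresgid` (FreeBSD and Linux have them).

```c
#define _GNU_SOURCE /* exposes setresuid/getresuid on glibc; harmless on FreeBSD */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to uid/gid and verify that no privileged identity
 * survives in any of the real/effective/saved slots.
 * Returns 0 on success, -1 on failure (errno set).
 * Order matters: change the group first, because once the effective uid
 * is unprivileged a later setresgid() to a different gid is refused. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;

    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;

    /* Verify the state instead of trusting the syscall return values:
     * all three slots must now hold the target id. */
    if (getresgid(&rgid, &egid, &sgid) != 0 ||
        rgid != gid || egid != gid || sgid != gid) {
        errno = EINVAL;
        return -1;
    }
    if (getresuid(&ruid, &euid, &suid) != 0 ||
        ruid != uid || euid != uid || suid != uid) {
        errno = EINVAL;
        return -1;
    }

    /* If we dropped to an unprivileged uid, regaining root must now fail
     * with EPERM; anything else means a privileged slot is still around. */
    if (uid != 0 && (setuid(0) == 0 || errno != EPERM)) {
        errno = EINVAL;
        return -1;
    }
    return 0;
}

/* Returns 1 if the process currently holds mixed privileges (any of the
 * real/effective/saved uid or gid slots differs from the others), else 0. */
int has_mixed_privileges(void)
{
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;

    if (getresuid(&ruid, &euid, &suid) != 0 ||
        getresgid(&rgid, &egid, &sgid) != 0)
        return 1; /* fail closed: an unknown state is treated as mixed */
    return (ruid != euid || euid != suid ||
            rgid != egid || egid != sgid) ? 1 : 0;
}

int main(void)
{
    printf("mixed privileges before drop: %d\n", has_mixed_privileges());
    /* A setuid program would pass its real ids here: getuid()/getgid(). */
    if (drop_privileges_permanently(getuid(), getgid()) != 0) {
        perror("drop_privileges_permanently");
        return 1;
    }
    printf("mixed privileges after drop: %d\n", has_mixed_privileges());
    /* Only now do the work that handles untrusted input from the parent. */
    return 0;
}
```

Run as an ordinary user the program reports `0` both times (nothing to drop); installed setuid root it reports `1` before the drop and `0` after, and any leftover saved uid makes `drop_privileges_permanently` fail rather than silently continue with mixed privileges. Signal dispositions, file descriptors and the environment inherited from the parent still need separate handling; this only closes the uid side of the problem described in the message.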