From owner-freebsd-security Fri Mar 12 8: 2:33 1999
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (FLEDGE.RES.CMU.EDU [128.2.93.229]) by hub.freebsd.org (Postfix) with ESMTP id A91CB15582 for ; Fri, 12 Mar 1999 08:02:28 -0800 (PST) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id LAA11071; Fri, 12 Mar 1999 11:01:42 -0500 (EST) (envelope-from robert@cyrus.watson.org)
Date: Fri, 12 Mar 1999 11:01:42 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: "Ilmar S. Habibulin"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: disapointing security architecture
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 12 Mar 1999, Ilmar S. Habibulin wrote:

> On Thu, 11 Mar 1999, Robert Watson wrote:
>
> > it. I may get a chance to look at it again more seriously in the near
> > future. It also raises the issue as to whether it wouldn't be better to
> > reengineer the setuid programs so they aren't setuid :-).
>
> You mean capabilities and ACLs?

ACLs, but not capabilities. I'm not sure I like the idea of mixed privileges in a single process; there are too many ways that parent processes influence child processes, or can subvert their behavior by taking advantage of mixed privileges. Reworking things to make use of ACLs seems reasonable; using servers that communicate via IPC seems reasonable, but somehow the mixed privileges always screw everyone. :) LPC/RPC are subject to the normal set of buffer overflows, of course, but you don't get the weird stuff like signals getting sent to child processes resulting in different behavior (ping). Perhaps this is more a problem with the process model and its quite-close ties to the uid authorization model.
I'll gladly implement Capabilities, but I'll not necessarily commit to their actually being useful :-).

Robert N Watson
robert@fledge.watson.org
http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C
Carnegie Mellon University http://www.cmu.edu/
TIS Labs at Network Associates, Inc. http://www.tis.com/
Safeport Network Services http://www.safeport.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
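The point about mixed privileges in a single process (and ping as the example of a setuid program whose behaviour a parent can influence) is easiest to see in code. What follows is an added example, not code from Robert Watson's message, from ping, or from FreeBSD: a setuid-root helper that does its one privileged action (opening a raw ICMP socket) before anything else, then drops root irrevocably and verifies the drop, so that the rest of the program never runs with a mix of real, effective and saved ids. The function names (drop_privileges, can_regain_root, open_icmp_socket) are this example's own, and it assumes the POSIX semantics of setreuid/setregid (setting both ids also resets the saved id), which hold on FreeBSD and Linux.

```c
#define _DEFAULT_SOURCE
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example; not from the original mailing-list message or from
 * FreeBSD. Pattern: privileged action first, then shed root for good,
 * then do everything the invoking user (or a parent process) can steer. */

/* 1 if the process is root or can become root again via the saved uid,
 * 0 otherwise. Restores the previous effective uid so the probe itself
 * does not leave the caller running as root. */
int can_regain_root(void) {
    uid_t before = geteuid();
    if (seteuid(0) == 0) {
        seteuid(before);            /* put it back, we only probed */
        return 1;
    }
    return 0;                       /* EPERM: saved uid is not 0 either */
}

/* Permanently switch to uid/gid. Order matters: supplementary groups and
 * the gid can only be changed while still root. Passing the same value
 * for real and effective id also resets the saved id (POSIX), which is
 * what makes the drop irrevocable. Returns 0 on success, -1 with errno
 * set on failure; a failed drop must be treated as fatal. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;
    if (setregid(gid, gid) != 0) return -1;
    if (setreuid(uid, uid) != 0) return -1;

    /* Never trust the calls alone: verify the ids, and that root is gone. */
    if (getuid() != uid || geteuid() != uid) { errno = EPERM; return -1; }
    if (getgid() != gid || getegid() != gid) { errno = EPERM; return -1; }
    if (uid != 0 && can_regain_root())       { errno = EPERM; return -1; }
    return 0;
}

/* The single operation that needed root: a raw ICMP socket, the reason
 * ping is setuid root. Returns the fd, or -1 (EPERM when not root). */
int open_icmp_socket(void) {
    return socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
}

int main(void) {
    int fd = open_icmp_socket();    /* done while euid is still 0 */
    if (fd < 0)
        fprintf(stderr, "raw socket: %s (not running as root?)\n",
                strerror(errno));

    /* Drop back to the invoking user before parsing arguments, reading
     * the environment, installing signal handlers, or anything else. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        return 1;
    }
    printf("running as uid %u, can regain root: %d\n",
           (unsigned)geteuid(), can_regain_root());
    if (fd >= 0) close(fd);
    return 0;
}
```

Run as an ordinary user the socket call fails with EPERM and the drop is a no-op that still verifies cleanly; installed setuid root, the socket opens and the verification confirms that seteuid(0) no longer works afterwards. The verification step is the part that matters: on systems where setreuid silently leaves the saved uid at 0, the program would otherwise keep running with exactly the mixed privileges the message warns about.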