Date: Sun, 1 Oct 2000 10:01:51 -0400 (EDT)
From: Robert Watson <robert@fledge.watson.org>
To: Garrett Wollman
Cc: cjclark@alum.mit.edu, security@FreeBSD.ORG
Subject: Re: Multiple userids, one user
In-Reply-To: <200010010526.BAA12242@khavrinen.lcs.mit.edu>

On Sun, 1 Oct 2000, Garrett Wollman wrote:

> < said:
>
> > Why not just run each program under a different user?
>
> To some extent I do this. When I am forced to use a Web browser
> configured insecurely (which for some inexplicable reason always seems
> to involve managing my finances), I switch to another VT, log in as my
> alter ego, and do what I need to do. Of course, not even my alter ego
> gives a valid e-mail address to the Web browser....

One of the problems with this technique is X Windows -- while FreeBSD
will provide effective partitioning of users for the purposes of
integrity (confidentiality is another question given our default
permissions :-), providing the application with unfettered access to
your X display does a lot to undo those benefits.

At one point, I was using Xnest as a target display for SSH sessions to
untrusted workstations. While it was not designed for that (and probably
needs auditing), it's a step forward. Assigning an Xnest per virtual uid
would reflect the kernel-visible partitioning scheme.
There have been a number of attempts at CMW (Compartmented Mode
Workstation) X environments that prevent control/information leakage
between labeled processes, but those have some practicality limits
(aside from not being available freely :-). I was also told at one point
that the new Broadway X Windows would have facilities for isolating and
limiting the scope of particular applications, with things like web
browsing, untrusted clients, etc, in mind. Not sure if anything came of
that.

Robert N M Watson
robert@fledge.watson.org
http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
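As an added example (not code from the mail above, from Robert Watson, or from FreeBSD), here is one way to set up the "one Xnest per virtual uid" arrangement the reply sketches: each alter-ego account gets its own nested X server with its own MIT-MAGIC-COOKIE-1, and the untrusted client is started under that uid with DISPLAY pointing at the nested server, so it never holds a credential for the real display. It assumes Xnest, xauth, od and su are installed, that the starting half runs as root (it chowns the cookie file), and that the usernames (ego-bank, ego-web), display numbers (:11, :12) and the /var/tmp path are hypothetical conventions you would replace with your own.

```shell
#!/bin/sh
# Added example, not from the original mail: isolate an untrusted X client
# behind a per-uid nested X server (Xnest) with its own auth cookie.
# Assumptions: Xnest/xauth/od/su present; start_nested runs as root;
# usernames, display numbers and the auth-file path below are hypothetical.
set -u

# Hypothetical convention: a fixed nested display number per alter ego,
# so the same uid always lands on the same Xnest.
display_for_user() {
    case "$1" in
        ego-bank) echo 11 ;;
        ego-web)  echo 12 ;;
        *)        return 1 ;;
    esac
}

# Fresh 128-bit MIT-MAGIC-COOKIE-1, emitted as 32 lowercase hex chars.
new_cookie() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Per-display auth file (hypothetical location).
auth_file_for() {
    echo "/var/tmp/xnest-auth.$1"
}

# Start Xnest on :N. Xnest reaches the parent display with *our* XAUTHORITY,
# but accepts clients only if they present the new cookie in $auth, which
# only the alter ego can read. Prints the display number on success.
start_nested() {
    user=$1
    disp=$(display_for_user "$user") || { echo "unknown user: $user" >&2; return 1; }
    auth=$(auth_file_for "$disp")
    cookie=$(new_cookie)
    ( umask 077; : > "$auth" )                      # create mode 0600 before writing
    xauth -f "$auth" add ":$disp" MIT-MAGIC-COOKIE-1 "$cookie"
    chown "$user" "$auth" && chmod 0400 "$auth"     # readable by the alter ego only
    Xnest ":$disp" -auth "$auth" -geometry 1024x768 &
    echo "$disp"
}

# Run a client as the alter ego, talking only to its nested display.
# It is given no cookie for :0, so it cannot grab keys or windows there.
run_as() {
    user=$1; shift
    disp=$(display_for_user "$user") || { echo "unknown user: $user" >&2; return 1; }
    su "$user" -c "env DISPLAY=:$disp XAUTHORITY=$(auth_file_for "$disp") $*"
}

# Usage (only when invoked with arguments, so sourcing defines functions only):
#   sh xnest-ego.sh start ego-bank        # as root: bring up :11 for ego-bank
#   sh xnest-ego.sh run ego-bank netscape # launch the browser inside :11
if [ "$#" -gt 0 ]; then
    case "$1" in
        start) start_nested "$2" ;;
        run)   shift; run_as "$@" ;;
        *)     echo "usage: $0 start USER | run USER CMD..." >&2; exit 2 ;;
    esac
fi
```

The cookie file is the whole trust boundary here: anything that can read it can join the nested display, so it is created under umask 077 and handed to the alter-ego uid read-only. Note that Xnest itself still runs as the invoking user and holds a credential for the real :0, which is exactly the "probably needs auditing" caveat in the mail.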