From owner-freebsd-security Fri Jul 18 16:25:46 1997
Return-Path: 
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id QAA23402 for security-outgoing; Fri, 18 Jul 1997 16:25:46 -0700 (PDT)
Received: from burgundy.eecs.harvard.edu (dholland@burgundy.eecs.harvard.edu [140.247.60.165]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id QAA23397 for ; Fri, 18 Jul 1997 16:25:44 -0700 (PDT)
Received: (from dholland@localhost) by burgundy.eecs.harvard.edu (8.8.5/8.8.5) id TAA05583; Fri, 18 Jul 1997 19:23:50 -0400 (EDT)
From: David Holland
Message-Id: <199707182323.TAA05583@burgundy.eecs.harvard.edu>
Subject: Re: Security Model/Target for FreeBSD or 4.4?
To: tqbf@enteract.com
Date: Fri, 18 Jul 1997 19:23:50 -0400 (EDT)
Cc: grr@shandakor.tharsis.com, adam@homeport.org, robert@cyrus.watson.org, freebsd-security@FreeBSD.ORG, tech@openbsd.org
In-Reply-To: <199707160242.VAA01426@enteract.com> from "Thomas H. Ptacek" at Jul 15, 97 09:42:23 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> > I don't want to sound like a grinch, but this seems like a poor direction
> > to be headed in. The kernel is blessedly free of "special values" for
> > UID's and GID's. Like one really special UID=0 (*) and done with it.
>
> The problem is that the "one really special value" breaks least-privilege
> in a severe way, causing programs like "rlogin" and "ping" to mysteriously
> require complete access to the system, even though their functionality is
> minimal.

This is true. However, attempts at least privilege need to be thought out
very carefully - it's very easy to end up with huge additional complexity
with no increment in security.

For instance, the privilege to let ping bind a raw socket can, in the
presence of NFS, easily be converted to access to just about any account on
the system including possibly root. In the presence of NIS it becomes
immediately equivalent to full root access... you get the idea.

So if you make ping setgid to some_group_with_raw_socket_privs, you add a
lot of complexity, and a lot of obscurity to make the sysadmin's life
harder, and you might gain nothing back in security.

I'm not saying that it's not worth trying, just that one shouldn't plow
ahead without thinking.

-- 
   - David A. Holland             | VINO project home page:
     dholland@eecs.harvard.edu    | http://www.eecs.harvard.edu/vino
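Editor's note on the NFS remark above. The mail does not spell out why a raw socket is worth so much in the presence of NFS. The underlying fact, stated here as background and not as part of the original message, is that the default NFSv2/v3 security flavour, AUTH_UNIX (also called AUTH_SYS, RFC 1057 / RFC 5531), is an unauthenticated XDR record in which the sender simply writes the uid, gid and supplementary gids it wishes to be treated as. A server's remaining checks are the request's source address (the export list) and, with the customary "secure" export option, a source port below 1024; a raw socket lets the sender choose both. Whether uid 0 in that record buys root or only the anonymous user depends on the server's root-squashing policy, which is the "possibly root" hedge in the mail. The following Python program, written for this page and not taken from the thread, encodes an AUTH_UNIX credential the way a client builds it and decodes it the way a server reads it; the `effective_server_identity` function is a constructed model of the classic root_squash policy, not any particular server's code, and the sample host name and ids are made up.

```python
"""Sun RPC AUTH_UNIX (AUTH_SYS) credential encoder/decoder.

Added example: shows that the identity an NFS server acts under is a plain
integer chosen by whoever writes the packet; nothing in the record is signed
or bound to the sending process."""
import struct

AUTH_UNIX = 1          # flavor number for AUTH_SYS/AUTH_UNIX (RFC 5531)
MAX_MACHINENAME = 255  # string machinename<255>
MAX_GIDS = 16          # unsigned int gids<16>
MAX_AUTH_BODY = 400    # opaque body<400> inside opaque_auth


def _xdr_u32(n):
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError("not a u32: %r" % (n,))
    return struct.pack(">I", n)


def _xdr_opaque(data, limit):
    """Variable-length opaque/string: 4-byte length, bytes, zero pad to 4."""
    if len(data) > limit:
        raise ValueError("opaque exceeds XDR limit %d" % limit)
    return _xdr_u32(len(data)) + data + b"\0" * ((-len(data)) % 4)


class XdrReader:
    """Minimal bounds-checked XDR reader (big-endian, 4-byte aligned)."""

    def __init__(self, buf):
        self.buf = buf
        self.pos = 0

    def u32(self):
        if self.pos + 4 > len(self.buf):
            raise ValueError("truncated XDR stream")
        (n,) = struct.unpack_from(">I", self.buf, self.pos)
        self.pos += 4
        return n

    def opaque(self, limit):
        n = self.u32()
        if n > limit:
            raise ValueError("opaque exceeds XDR limit %d" % limit)
        padded = n + (-n) % 4
        if self.pos + padded > len(self.buf):
            raise ValueError("truncated XDR stream")
        data = self.buf[self.pos:self.pos + n]
        self.pos += padded
        return data


def encode_auth_unix(stamp, machinename, uid, gid, gids=()):
    """Build the opaque_auth a client places in the RPC call header.

    The caller picks uid and gid freely; no secret is involved."""
    if len(gids) > MAX_GIDS:
        raise ValueError("AUTH_UNIX carries at most %d gids" % MAX_GIDS)
    body = (_xdr_u32(stamp)
            + _xdr_opaque(machinename.encode("ascii"), MAX_MACHINENAME)
            + _xdr_u32(uid)
            + _xdr_u32(gid)
            + _xdr_u32(len(gids))
            + b"".join(_xdr_u32(g) for g in gids))
    return _xdr_u32(AUTH_UNIX) + _xdr_opaque(body, MAX_AUTH_BODY)


def decode_auth_unix(buf):
    """Parse opaque_auth as a server does.  Returns the claimed identity and
    the byte count consumed, so a caller can continue with the verifier and
    the NFS arguments that follow in the same message."""
    r = XdrReader(buf)
    flavor = r.u32()
    if flavor != AUTH_UNIX:
        raise ValueError("not an AUTH_UNIX credential (flavor %d)" % flavor)
    body = XdrReader(r.opaque(MAX_AUTH_BODY))
    stamp = body.u32()
    machinename = body.opaque(MAX_MACHINENAME).decode("ascii")
    uid = body.u32()
    gid = body.u32()
    ngids = body.u32()
    if ngids > MAX_GIDS:
        raise ValueError("too many gids: %d" % ngids)
    gids = [body.u32() for _ in range(ngids)]
    if body.pos != len(body.buf):
        raise ValueError("trailing bytes in AUTH_UNIX body")
    return {"stamp": stamp, "machinename": machinename, "uid": uid,
            "gid": gid, "gids": gids, "consumed": r.pos}


def effective_server_identity(cred, root_squash=True, anon_uid=65534):
    """Constructed model of the classic root_squash policy: uid 0 in the
    credential becomes the anonymous uid, every other uid is believed."""
    if root_squash and cred["uid"] == 0:
        return anon_uid
    return cred["uid"]


if __name__ == "__main__":
    # Constructed sample: a credential claiming to be uid 1001 on "burgundy".
    wire = encode_auth_unix(0x12345678, "burgundy", 1001, 100, [100, 20])
    print(wire.hex())
    print(decode_auth_unix(wire))
```

The decoder refuses over-long fields and trailing bytes, which is the kind of check a server needs, but note that no amount of parsing rigour changes the conclusion: the record carries no proof of who wrote it, so anyone who can put an arbitrary datagram on the wire chooses the uid.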