Date:      Fri, 18 Jul 1997 19:23:50 -0400 (EDT)
From:      David Holland <dholland@eecs.harvard.edu>
To:        tqbf@enteract.com
Cc:        grr@shandakor.tharsis.com, adam@homeport.org, robert@cyrus.watson.org, freebsd-security@FreeBSD.ORG, tech@openbsd.org
Subject:   Re: Security Model/Target for FreeBSD or 4.4?
Message-ID:  <199707182323.TAA05583@burgundy.eecs.harvard.edu>
In-Reply-To: <199707160242.VAA01426@enteract.com> from "Thomas H. Ptacek" at Jul 15, 97 09:42:23 pm

 > > I don't want to sound like a grinch, but this seems like a poor direction
 > > to be headed in.  The kernel is blessedly free of "special values" for
 > > UID's and GID's.  Like one really special UID=0 (*) and done with it. 
 > 
 > The problem is that the "one really special value" breaks least-privilege
 > in a severe way, causing programs like "rlogin" and "ping" to mysteriously
 > require complete access to the system, even though their functionality is
 > minimal.

This is true. However, attempts at least privilege need to be thought
out very carefully - it's very easy to end up with huge additional
complexity with no increment in security.

For instance, the privilege to let ping bind a raw socket can, in the
presence of NFS, easily be converted to access to just about any
account on the system including possibly root. In the presence of NIS
it becomes immediately equivalent to full root access... you get the
idea. 

So if you make ping setgid to some_group_with_raw_socket_privs, you
add a lot of complexity, and a lot of obscurity to make the sysadmin's
life harder, and you might gain nothing back in security.

I'm not saying that it's not worth trying, just that one shouldn't
plow ahead without thinking.

-- 
   - David A. Holland             |    VINO project home page:
     dholland@eecs.harvard.edu    | http://www.eecs.harvard.edu/vino
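As an added illustration of the setgid-group privilege bracket under discussion (example code written for this archive page, not from the thread; the function names are my own), the helper below opens the raw ICMP socket ping needs, drops the group, and verifies the drop. The fd outlives the drop, which is the point David makes: the security of the scheme rests on what a raw socket lets its holder do, not on how briefly the gid is held.

```c
/* Added example: privilege bracket for a helper made setgid to a raw-socket
 * group. Run unprivileged it simply reports that the raw socket was refused. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open the raw ICMP socket ping needs; returns the fd, or -1 with errno set. */
int open_raw_icmp_socket(void)
{
    return socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
}

/* Give the setgid group back: effective gid returns to the real gid.
 * Returns 0 on success, -1 if the drop failed or did not take effect. */
int drop_group_privilege(void)
{
    gid_t real = getgid();
    if (setgid(real) != 0)
        return -1;
    /* Do not trust the return value alone; re-read the effective gid. */
    return getegid() == real ? 0 : -1;
}

/* 1 when the process no longer carries an elevated effective gid, else 0. */
int group_privilege_dropped(void)
{
    return getegid() == getgid();
}

int main(void)
{
    int fd = open_raw_icmp_socket();
    if (fd < 0)
        printf("raw socket refused: %s\n", strerror(errno));
    else
        printf("raw socket fd %d obtained\n", fd);
    if (drop_group_privilege() != 0) {
        fprintf(stderr, "could not drop group privilege\n");
        return 1;
    }
    /* Bracket closed: a fresh raw socket is refused (when run setgid), yet the
     * fd opened above remains fully usable for the rest of the program. */
    int again = open_raw_icmp_socket();
    printf("after drop: %s\n", again < 0 ? "new raw socket refused" : "still permitted");
    if (again >= 0) close(again);
    if (fd >= 0) close(fd);
    return 0;
}
```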