From owner-freebsd-security Mon Nov 18 11:21:52 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id LAA06037 for security-outgoing; Mon, 18 Nov 1996 11:21:52 -0800 (PST)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id LAA06016 for ; Mon, 18 Nov 1996 11:21:47 -0800 (PST)
Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id OAA14295; Mon, 18 Nov 1996 14:16:10 -0500
From: Adam Shostack
Message-Id: <199611181916.OAA14295@homeport.org>
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
In-Reply-To: <199611181845.KAA15940@salsa.gv.ssi1.com> from Don Lewis at "Nov 18, 96 10:45:39 am"
To: Don.Lewis@tsc.tdk.com (Don Lewis)
Date: Mon, 18 Nov 1996 14:16:10 -0500 (EST)
Cc: phk@critter.tfs.com, freebsd-security@FreeBSD.org
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

Don Lewis wrote:
| On Nov 18, 8:30am, Poul-Henning Kamp wrote:
| } Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
|
| } What we REALLY need is a way for root to hand out certain privileges.
| }
| } Imagine this:
| }
| } sysctl -w net.inet.tcp.uidforport.25=`id -ur smtp`
| } sysctl -w net.inet.tcp.uidforport.20=`id -ur ftp`
| } sysctl -w net.inet.tcp.uidforport.21=`id -ur ftp`
| } sysctl -w net.inet.tcp.uidforport.119=`id -ur nntp`
| }
| } This means that users with UID smtp can bind to socket 25 (aka smtp),
| } and so on. Now sendmail NEVER needs to be root.
|
| I was thinking more along the lines of chroot(), but for port numbers.
| Root could mark a process and its descendants as having access to port 25,
| and other processes and their descendants as never having access to port 25,
| even if they are root. I'd have two independent sets of limits, one for
| run-of-the-mill processes and one for "privileged" processes. Of course,
| the average processes wouldn't be able to access anything the "privileged"
| ones couldn't.

If network access went through the file system, then

	chown smtp /dev/tcp/smtp

would give us a known access control mechanism, rather than trying to
extend the process table.

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
					-Hume
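An added example, not code from this thread or from any BSD kernel: a toy Python model of the two schemes the message debates, Poul-Henning Kamp's root-writable port-to-uid sysctl table and Don Lewis's chroot-like per-process port limits that are inherited by descendants and bind even root. The class and function names (PortPolicy, Process, can_bind) are assumptions made for the illustration.

```python
# Added example, not code from the thread: a toy model of the two proposals above.
# PortPolicy follows Poul-Henning Kamp's uidforport sysctl table; Process follows
# Don Lewis's chroot-like, inheritable per-process port limits. Names are hypothetical.
from dataclasses import dataclass
from typing import Optional

PRIVILEGED_PORT_MAX = 1023      # 4.4BSD rule: ports below 1024 need uid 0

@dataclass(frozen=True)
class PortPolicy:
    """Root-managed table port -> uid, like net.inet.tcp.uidforport.<port>."""
    uid_for_port: dict

    def allows(self, uid: int, port: int) -> bool:
        if port > PRIVILEGED_PORT_MAX:
            return True                             # unprivileged port: anyone
        return uid == 0 or self.uid_for_port.get(port) == uid

@dataclass(frozen=True)
class Process:
    """Per-process port limits: inherited on fork, kept across setuid,
    only ever tightened by deny(), and applied even when uid == 0."""
    uid: int
    granted: frozenset = frozenset()   # privileged ports root handed out
    denied: frozenset = frozenset()    # ports this process may never bind

    def fork(self) -> "Process":       # descendants inherit both sets
        return Process(self.uid, self.granted, self.denied)

    def setuid(self, uid: int) -> "Process":
        return Process(uid, self.granted, self.denied)   # marks survive dropping root

    def grant(self, port: int) -> "Process":
        if self.uid != 0 or port in self.denied:
            raise PermissionError("only root can grant, and never past its own limits")
        return Process(self.uid, self.granted | {port}, self.denied)

    def deny(self, port: int) -> "Process":           # narrowing needs no privilege
        return Process(self.uid, self.granted - {port}, self.denied | {port})

def can_bind(proc: Process, port: int, policy: Optional[PortPolicy] = None) -> bool:
    """Decide a bind() on `port` for `proc`; Lewis's limits override everything else."""
    if port in proc.denied:
        return False                    # denied "even if they are root"
    if port in proc.granted:
        return True                     # marked by root, uid no longer matters
    if policy is not None:
        return policy.allows(proc.uid, port)
    return port > PRIVILEGED_PORT_MAX or proc.uid == 0   # classic rule
```

The model shows the property each poster wanted: with a grant, an MTA that has dropped to the smtp uid keeps port 25 (and passes it to children), while a root process that has been denied the port cannot get it back by forking or by granting it to itself.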