Date: Mon, 30 Nov 1998 21:51:45 -0800 (PST) From: Matthew Dillon <dillon@apollo.backplane.com> To: freebsd-current@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: kmem, tty, bind security enhancements commit. Message-ID: <199812010551.VAA02953@apollo.backplane.com>
next in thread | raw e-mail | index | archive | help
Now that everyone is backfrom thanksgiving and 2.2.8 is out the
door, I'd like to commit the following changes to -current. These
are as previously discussed and the changes have also been running
on most of BEST's machines for a couple of weeks now so I'd like
to commit them.
I'd like someone to sign off on the concept. Eivind? Bruce? Jordan?
(1)
Add a 'kmem' and 'tty' dummy user to master.passwd.
adjust inetd.conf to run identd and ntalkd using the new dummy
user's to sandbox the kmem and tty group rights required.
This also involves removing the getuid() test in talkd.c
(2)
Add a 'bind' user and a 'bind' group to master.passwd
Use bind-8's -u and -g features to run named as bind:bind
in the default rc.conf:
named_flags="-u bind -g bind"
(Or find a way to figure out whether this uid/gid exists
and use the options or not use the options based on that,
which is more compatible with prior installations but adds
complexity that will quickly become stale. I suggest simply
making it the default in the CVS tree).
Cavet: in a multi-interface situation, with an interface
that is brought up later, and so forth, named will not
be able to automatically rebind and must be restarted.
(Also ensure that named.conf is either group-bind-readable or
world readable).
However, I consider this a major, major improvement in
security. I think it's worth the hassle and the vast majority
of installations are not complex enough for it to matter.
Those that are typically run a custom bind configuration anyway.
USER and GROUP ID's
I suggest:
uid 4 for user 'tty'
uid 5 for user 'kmem' (group kmem is uid 2, but
the operator user already uses that user id so
lets use uid 5, which is the operator group,
for kmem).
uid 53 for user bind, uid 53 for group bind
Matthew Dillon Engineering, HiWay Technologies, Inc. & BEST Internet
Communications & God knows what else.
<dillon@backplane.com> (Please include original email in any response)
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199812010551.VAA02953>