From owner-freebsd-security Sun Oct 1 7:51:57 2000 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id BCA4137B502 for ; Sun, 1 Oct 2000 07:51:54 -0700 (PDT) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id KAA53996; Sun, 1 Oct 2000 10:51:27 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Sun, 1 Oct 2000 10:51:27 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: Mark Murray Cc: Warner Losh , Jordan Hubbard , security@FreeBSD.ORG Subject: Re: Security and FreeBSD, my overall perspective In-Reply-To: <200010010932.e919WRl00389@grimreaper.grondar.za> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sun, 1 Oct 2000, Mark Murray wrote: > > Exposure: > > > > Whether or not the application should, in normal use, be exposed to data > > of untrusted origin (e-mail, data files from untrusted users, socket > > connections in or out-bound, etc). > > > > - Intended to be run with exposure to untrusted environments > > - Not intended to run with exposure to untrusted environments > > This is policy - we should not mess with that, I don't think. _Everything_ > in Unix sees an untrusted environment is the assumption. While I agree that is true, I think that we regularly make distinctions, for the purposes of advisories, between buffer overflows in command line tool arguments of binaries that do not elevate privielges, and those that do. Similarly, we consider overflows in command line arguments of tools running with privilege and overflows in input/output of tools running with privilege. So there is something in this distinction that is worth considering. Certainly, it is the case that all of them should be fixed, but it's not clear that all are worth an advisory, and that our risk/trust factor shouldn't reflect that distinction. > > Privilege: > > > > What amount of privilege and access this code will be run as, determining > > the level of damage possible as a result of an exploit. > > > > - Run with elevated privilege > > - Run by normal users > > - Run sandboxed The reason I made this distinction was to try and quantify the cost of a software failure: if Apache is compromised running as nobody, that's substantially better than inetd compromised running as root. Not ideal, mind you, but in the grant scale of things, an improvement (hence why it runs as nobody :-). I think this is a quantafiably different measure than the amount of risk associated with the program due to the type and quality of data it processes. There probably needs to be another couple of items here quantifying network compromise (i.e., firewall proxy failure, etc). Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message