Date:      Tue, 17 Nov 1998 14:14:22 -0600
From:      William McVey <wam@sa.fedex.com>
To:        Cliff Skolnick <cliff@steam.com>
Cc:        Andrew McNaughton <andrew@squiz.co.nz>, Matthew Dillon <dillon@apollo.backplane.com>, Warner Losh <imp@village.org>, Andre Albsmeier <andre.albsmeier@mchp.siemens.de>, freebsd-security@FreeBSD.ORG, "Jordan K. Hubbard" <jkh@zippy.cdrom.com>, Dima Ruban <dima@best.net>
Subject:   Re: Would this make FreeBSD more secure? & sendmail changes in OpenBSD 2.4 
Message-ID:  <199811172014.OAA05291@s07.sa.fedex.com>

Cliff Skolnick wrote:
>I am more concerned about stand alone daemons like sendmail, syslog, apache,
>etc.  A well written program could simply have a setuid wrapper like innd
>that opens the socket, does a setuid() to some other user, then exec()s the
>real program.  If I do this I know my program will work on most UNIX boxes
>in a reasonably secure way.  Now if someone wanted to write a wrapper to 
>make this easy, and it ran on most if not all UNIX systems great.

Most of these services could easily be modified to start from
inetd as wait services.  Basically, inetd does the port binding,
setuid-ing, and execing, just like it always does.  As I've mentioned
before, sendmail can definitely run in this manner.  So could most
web servers.  I did some playing around with syslog starting from
inetd, and ran into a few problems which I need to read more syslogd
and inetd code to work out (for example, inetd normally logs its
messages via syslog(3); what happens when it is the program starting
syslogd?), to "what does inetd log to before syslog comes online?"

 -- William
