From owner-freebsd-security Mon Jul 7 11:06:47 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id LAA27818 for security-outgoing; Mon, 7 Jul 1997 11:06:47 -0700 (PDT)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id LAA27809; Mon, 7 Jul 1997 11:06:43 -0700 (PDT)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id OAA08144; Mon, 7 Jul 1997 14:03:46 -0400 (EDT)
From: Adam Shostack
Message-Id: <199707071803.OAA08144@homeport.org>
Subject: Re: Security Model/Target for FreeBSD or 4.4?
In-Reply-To: from Robert N Watson at "Jul 7, 97 01:08:32 pm"
To: rnw@andrew.cmu.edu (Robert N Watson)
Date: Mon, 7 Jul 1997 14:03:46 -0400 (EDT)
Cc: jmb@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, tech@openbsd.org (OpenBSD Mailing List)
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

I brought up the idea of doing this on the openbsd list. We agreed that
there wasn't a clean way to do it. I'm experimenting with ways of doing
it, leaning towards a sysctl controlled list of port, gid pairs. I don't
know of anyone who has implemented it. The overhead should be pretty
minimal. I chose not to depend on files, which is ugly, but not so ugly
as having the kernel depend on files during startup.

The other thought that has occurred to me, but I expect it to be more
expensive, is to use a packet filter with NAT capabilities to translate
port bindings to high numbers for appropriate daemons. Since this has a
per packet hit, I expect it to be very expensive on an ongoing basis.

Adam

Robert N Watson wrote:
| I've heard that OpenBSD now has a feature to allow non-root users to bind
| to <1024 ports. It would be nice to see something similar to that under
| FreeBSD -- half the daemons (not a verified figure) that run as root
| probably don't need root access, except to bind to the port (named,
| sendmail, web servers, etc.) I believe the OpenBSD implementation just
| gives this access to the daemon user (or something to that extent? Would
| love details), but perhaps we could go for something a little more
| sophisticated if it doesn't up the overhead too much on the kernel? A
| limited list of (port, user) (say a max of 64, except as configured in the
| kernel), and if the bind() call matches this for TCP, allow the program to
| bind, for example. An appropriate root-owned file (/etc/rc.conf?) could
| define those permissions in an ipfirewall-style setup, running early in
| the rc sequence.
|
| This would potentially open up more holes as extra configuration files
| have to be monitored, and add more overhead on bind() calls, not to
| mention adding a configuration mechanism, but not suffering from the
| numerous problems involving daemons running as root (without having to
| rewrite all the daemons) would be nice. Even the single-user
| unconfigurable approach (root and daemon can bind) would be better than
| nothing.
|
| Just a thought..
|
| Robert Watson
|
--
He has erected a multitude of new offices, and sent hither swarms of officers to harrass our people, and eat out their substance.
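The following is an added example, not code from either poster or from OpenBSD or FreeBSD. It models in user space the design Adam sketches: a sysctl-controlled list of (port, gid) pairs, capped at the 64 entries Robert suggests, and the check a kernel would make in the bind() path for privileged ports. The `port:gid,port:gid` string format, the `port_policy` and `cred` types, and the function names are all assumptions made for the illustration; the NAT-redirect alternative is not modelled.

```c
/* Added example: user-space model of a sysctl-style (port, gid) bind policy.
 * Not FreeBSD or OpenBSD code; format, names and types are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_RULES      64    /* cap suggested in the thread */
#define PRIV_PORT_MAX  1023  /* ports above this need no privilege */

struct port_rule { unsigned short port; unsigned gid; };

struct port_policy {
    struct port_rule rules[MAX_RULES];
    int nrules;
};

/* Parse a sysctl-style value such as "80:80,443:80,25:25" (hypothetical
 * format: comma-separated port:gid pairs). Only privileged ports may be
 * listed, since anything else would silently grant nothing. Returns the
 * number of rules, or -1 on a malformed or oversized value, in which case
 * the policy is left empty (fail closed). */
int parse_port_policy(const char *spec, struct port_policy *pol)
{
    pol->nrules = 0;
    if (spec == NULL || *spec == '\0')
        return 0;
    const char *p = spec;
    for (;;) {
        char *end;
        long port = strtol(p, &end, 10);
        if (end == p || *end != ':')
            goto bad;
        p = end + 1;
        long gid = strtol(p, &end, 10);
        if (end == p)
            goto bad;
        if (port < 1 || port > PRIV_PORT_MAX || gid < 0)
            goto bad;
        if (pol->nrules >= MAX_RULES)
            goto bad;
        pol->rules[pol->nrules].port = (unsigned short)port;
        pol->rules[pol->nrules].gid = (unsigned)gid;
        pol->nrules++;
        if (*end == '\0')
            break;
        if (*end != ',')
            goto bad;
        p = end + 1;
    }
    return pol->nrules;
bad:
    pol->nrules = 0;
    return -1;
}

/* Hypothetical credential: effective uid/gid plus supplementary groups. */
struct cred {
    unsigned uid;
    unsigned gid;
    const unsigned *groups;
    int ngroups;
};

/* The decision a bind() path would make. Unprivileged ports and root keep
 * today's behaviour; otherwise the requested port must be paired in the
 * policy with one of the caller's group ids. Linear scan over at most 64
 * entries, so the per-bind() cost stays small. */
bool bind_port_allowed(const struct port_policy *pol, const struct cred *cr,
                       unsigned short port)
{
    if (port > PRIV_PORT_MAX)
        return true;
    if (cr->uid == 0)
        return true;
    for (int i = 0; i < pol->nrules; i++) {
        if (pol->rules[i].port != port)
            continue;
        if (pol->rules[i].gid == cr->gid)
            return true;
        for (int j = 0; j < cr->ngroups; j++)
            if (cr->groups[j] == pol->rules[i].gid)
                return true;
    }
    return false;
}

int main(void)
{
    struct port_policy pol;
    /* Constructed policy: web group 80 may take 80 and 443, mail group 25 may take 25. */
    if (parse_port_policy("80:80,443:80,25:25", &pol) < 0) {
        fprintf(stderr, "bad policy string\n");
        return 1;
    }
    struct cred www = { 1001, 80, NULL, 0 };
    printf("www -> 80:  %s\n", bind_port_allowed(&pol, &www, 80) ? "allow" : "deny");
    printf("www -> 25:  %s\n", bind_port_allowed(&pol, &www, 25) ? "allow" : "deny");
    printf("www -> 8080: %s\n", bind_port_allowed(&pol, &www, 8080) ? "allow" : "deny");
    return 0;
}
```

The parser rejects the whole string rather than keeping the valid prefix, so a typo in the sysctl value cannot leave a partially applied policy; a non-root daemon then simply fails its bind() as it does today, which is the visible signal an administrator would want.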