From: Philippe Regnauld
To: freebsd-security@FreeBSD.ORG
Date: Fri, 14 Aug 1998 12:32:40 +0200
Subject: Fwd: "Using capabilities against shell code"

(see message below)

Is there any form of restriction that can be implemented in *BSD systems? I.e.: restricting system calls to certain classes of daemons? As mentioned in the example below, why should POPd be allowed to exec()? This seems like a very sane approach (of course, it implies knowledge/auditing of the code). Then we could have certain untrusted (i.e.: running as root) daemons launched in such an environment, on top of being chroot()ed.
-----Forwarded message from Duncan Simpson -----

From: Duncan Simpson
Subject: Using capabilities against shell code
To: BUGTRAQ@NETSPACE.ORG
Date: Wed, 12 Aug 1998 21:33:51 +0200

The development of capabilities with Linux (and some section of POSIX, if the header is to be believed) creates an opportunity for tightening security by sandboxing daemons---imapd and popd have no legitimate use for various system calls, for example. In particular exec is fundamental to most buffer overrun shellcode and not required by many daemons.

[...]

-----End of forwarded message-----

-- 
-[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
The Internet is busy. Please try again later.
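The exec() restriction Philippe asks about, as an added example that is not part of this thread (seccomp-bpf did not exist in 1998; today it is the Linux mechanism for this, and Capsicum's cap_enter() is FreeBSD's closest analogue): a daemon installs the filter once initialisation is done, after which execve in that process fails with EPERM. The demo forks a child that sandboxes itself and then tries to exec /bin/true, an assumed stand-in for whatever a payload would try to launch.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Install a seccomp-bpf filter that passes every system call except execve/execveat,
 * which fail with EPERM. A production filter also checks seccomp_data.arch first. */
int deny_exec(void)
{
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 1, 0),   /* execve   -> deny  */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execveat, 0, 1), /* execveat -> deny  */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),              /* everything else */
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    /* no_new_privs must be set before an unprivileged process may install a filter */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

/* Fork a child that sandboxes itself and then tries to exec /bin/true (assumed
 * stand-in for an injected exec). Returns the errno the exec produced (EPERM when
 * the filter works), 0 if the exec went through, -1 if the filter could not be set. */
int exec_errno_in_sandbox(void)
{
    int status; pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (deny_exec() != 0) _exit(255);        /* sentinel: sandbox unavailable */
        char *const argv[] = { "/bin/true", NULL };
        execv(argv[0], argv);                    /* if this runs, /bin/true exits 0 */
        _exit(errno);                            /* otherwise report why it failed */
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    int code = WEXITSTATUS(status);
    return code == 255 ? -1 : code;
}

int main(void) {  /* stand-alone run: exit 0 when exec was denied in the child */
    int e = exec_errno_in_sandbox();
    printf("exec() after deny_exec(): %s\n", e == EPERM ? "denied (EPERM)" : "NOT denied");
    return e == EPERM ? 0 : 1;
}
```

The same filter installed by the parent itself, after its listening socket is open, is how a popd-style daemon would apply it; the child here only keeps the demonstration from sandboxing the calling process.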