From owner-freebsd-security Sat Nov 13 19:55: 2 1999
Delivered-To: freebsd-security@freebsd.org
Received: from trooper.velocet.net (trooper.velocet.net [216.126.82.226])
	by hub.freebsd.org (Postfix) with ESMTP id F375915272
	for ; Sat, 13 Nov 1999 19:54:57 -0800 (PST)
	(envelope-from dgilbert@trooper.velocet.net)
Received: (from dgilbert@localhost)
	by trooper.velocet.net (8.9.3/8.9.3) id WAA04633;
	Sat, 13 Nov 1999 22:54:49 -0500 (EST)
	(envelope-from dgilbert)
From: David Gilbert
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14382.12936.936602.17527@trooper.velocet.net>
Date: Sat, 13 Nov 1999 22:54:48 -0500 (EST)
To: Matthew Dillon
Cc: David Gilbert , security@FreeBSD.ORG
Subject: Re: sandboxed bind.
In-Reply-To: <199911140344.TAA32979@apollo.backplane.com>
References: <14382.11991.536272.989358@trooper.velocet.net>
	<199911140344.TAA32979@apollo.backplane.com>
X-Mailer: VM 6.75 under 20.4 "Emerald" XEmacs Lucid
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>>>>> "Matthew" == Matthew Dillon writes:

Matthew> I don't use chrooted environments myself... I used to but
Matthew> they're just too difficult to maintain across updates and
Matthew> other things. It would be nice if there were something
Matthew> in between -- something that, for example, disables suid and
Matthew> sgid within a set of processes that works in a manner similar
Matthew> to a chroot'd environment. Without access to suid/sgid
Matthew> binaries there is precious little a program run in a
Matthew> user/group sandbox can do outside the sandbox.

Well... you use the tools at hand to protect yourself as best you
can... This naturally leads into a discussion (had many times, I'm
sure) about an entire rethinking of the UN*X security model. The
permanent giveaway of privs is a good idea... as is the ability to
have some privs without all of them.
I've often thought that the ability to change to an arbitrary user
that login does could be structured without login being root, for
instance.

Dave.

-- 
============================================================================
|David Gilbert, Velocet Communications.       | Two things can only be     |
|Mail:       dgilbert@velocet.net             |  equal if and only if they |
|http://www.velocet.net/~dgilbert             |   are precisely opposite.  |
=========================================================GLO================

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message