From: Peter Jeremy <PeterJeremy@optushome.com.au>
To: Pawel Jakub Dawidek
cc: flowpriv@episec.com, freebsd-hackers@freebsd.org, ari
Date: Fri, 22 Aug 2003 17:40:23 +1000
Subject: Re: [future patch] dropping user privileges on demand
Message-ID: <20030822074023.GA85534@cirb503493.alcatel.com.au>
In-Reply-To: <20030821204403.GN47959@garage.freebsd.pl>
References: <20030817181315.GL55671@episec.com> <20030821065854.GA11586@dan.emsphone.com> <20030821125028.GY55671@episec.com> <20030821162156.GL47959@garage.freebsd.pl> <20030821170915.GZ55671@episec.com> <20030821204403.GN47959@garage.freebsd.pl>

On Thu, Aug 21, 2003 at 10:44:03PM +0200, Pawel Jakub Dawidek wrote:
>On Thu, Aug 21, 2003 at 01:09:15PM -0400, ari wrote:
>+> [...] The programmer
>+> should be able to drop filesystem creation permissions, without worrying
>+> about the need to drop open, mkfifo, bind, link, symlink, mkdir, and any
>+> other system calls that happen to be available in this particular kernel
>+> version. [...]
>
>In CerbNG you only need to write a macro like:
>
>	#define DROP_FS_CREATION()                                      \
>	    if (syscall == SYS_open || syscall == SYS_mkfifo ||         \
>	        syscall == SYS_bind || syscall == SYS_link || ...) {    \
>	            return (EPERM);                                     \
>	    }

Unless 'syscall' can be evaluated at compile time, this approach adds
overhead wherever it is used - and the overhead gets worse as the number
of system calls in the set increases. A particular problem is that the
overhead is worst for system calls that aren't caught (in the above, the
overhead for open() is trivial but write() would need to go through each
of the tests). A bit-vector provides constant overhead but it's still
fairly expensive unless the relevant parts of the vector are already
cached.

>As I said. Stuff like systrace or cerb doesn't need to be standardized,
>because it is transparent for applications. It doesn't need any work from
>userland application programmer. That's why it is easy to adopt for
>non-BSD-licensed applications or even for non-open-source applications.

This isn't good enough. It _does_ need to be standardised so that the
administrator doesn't have to learn N radically different approaches to
secure a system. As far as the userland application programmer is
concerned, there's very little difference between any flavour of Un*x.
There are massive differences between them when it comes to
administration.

Peter
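The cost comparison Peter makes above (a chain of `==` tests whose overhead grows with the size of the deny set and is worst for calls that are not in it, versus a bit-vector lookup that costs the same for every call) is easy to see in a few lines of C. The following is an added example written for this archive page; it is not code from CerbNG, systrace, or the FreeBSD kernel. The `HYP_SYS_*` numbers are made-up placeholders, not the real `SYS_*` values from `<sys/syscall.h>`, and `fs_creation_set()` is a hypothetical helper standing in for whatever a real framework would build from its policy.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical syscall numbers for illustration only. These are NOT the
 * real FreeBSD SYS_* constants; a real implementation would use
 * <sys/syscall.h>. */
enum {
    HYP_SYS_read    = 3,
    HYP_SYS_write   = 4,
    HYP_SYS_open    = 5,
    HYP_SYS_link    = 9,
    HYP_SYS_symlink = 57,
    HYP_SYS_bind    = 104,
    HYP_SYS_mkfifo  = 132,
    HYP_SYS_mkdir   = 136,
    HYP_NSYSCALLS   = 512      /* size of the hypothetical syscall table */
};

/* The "filesystem creation" set from the quoted message, as a plain list. */
static const int fs_creation_list[] = {
    HYP_SYS_open, HYP_SYS_mkfifo, HYP_SYS_bind,
    HYP_SYS_link, HYP_SYS_symlink, HYP_SYS_mkdir
};
static const size_t fs_creation_len =
    sizeof(fs_creation_list) / sizeof(fs_creation_list[0]);

/* Approach 1: the macro-style chain of comparisons. 'comparisons' records
 * how many tests were needed, which is the overhead the message describes. */
static int linear_check(int nr, int *comparisons)
{
    *comparisons = 0;
    for (size_t i = 0; i < fs_creation_len; i++) {
        (*comparisons)++;
        if (fs_creation_list[i] == nr)
            return EPERM;          /* caught: denied */
    }
    return 0;                      /* not in the set: allowed */
}

/* Approach 2: a bit-vector indexed by syscall number. One shift, one mask,
 * one load, regardless of how many calls are in the set. */
#define SET_WORDS ((HYP_NSYSCALLS + 63) / 64)
typedef struct { uint64_t bits[SET_WORDS]; } syscall_set;

static void set_add(syscall_set *s, int nr)
{
    if (nr >= 0 && nr < HYP_NSYSCALLS)
        s->bits[nr / 64] |= (uint64_t)1 << (nr % 64);
}

/* Out-of-range numbers (e.g. a syscall added in a newer kernel beyond our
 * table) are reported as "not in set"; a real policy engine must decide
 * whether unknown calls default to deny. */
static bool set_has(const syscall_set *s, int nr)
{
    if (nr < 0 || nr >= HYP_NSYSCALLS)
        return false;
    return (s->bits[nr / 64] >> (nr % 64)) & 1;
}

/* Hypothetical helper: build the deny set once and hand out a pointer to it. */
static const syscall_set *fs_creation_set(void)
{
    static syscall_set set;
    static bool built = false;
    if (!built) {
        for (size_t i = 0; i < fs_creation_len; i++)
            set_add(&set, fs_creation_list[i]);
        built = true;
    }
    return &set;
}

static int bitmap_check(const syscall_set *deny, int nr)
{
    return set_has(deny, nr) ? EPERM : 0;
}

int main(void)
{
    const int probes[] = { HYP_SYS_open, HYP_SYS_mkdir, HYP_SYS_write, HYP_SYS_read };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        int n;
        int lin = linear_check(probes[i], &n);
        int bmp = bitmap_check(fs_creation_set(), probes[i]);
        printf("syscall %3d: linear=%s after %d tests, bitmap=%s\n",
               probes[i], lin ? "EPERM" : "ok", n, bmp ? "EPERM" : "ok");
    }
    return 0;
}
```

Running it shows the point of the message: `open` is refused after one comparison, `mkdir` after six, and the allowed `write` and `read` still pay for all six tests, while the bitmap answers every probe with the same single word lookup and gives identical allow/deny results.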