From: "Jonathan M. Bresler"
Message-Id: <199707071853.LAA01057@hub.freebsd.org>
Subject: Re: Security Model/Target for FreeBSD or 4.4?
To: adam@homeport.org (Adam Shostack)
Date: Mon, 7 Jul 1997 11:53:33 -0700 (PDT)
Cc: rnw@andrew.cmu.edu, jmb@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, tech@openbsd.org
In-Reply-To: <199707071803.OAA08144@homeport.org> from "Adam Shostack" at Jul 7, 97 02:03:46 pm

hmm....from memory:

Jan-Simon Pendry created a filesystem called portals for just this purpose of allowing non-root processes access to low numbered ports using filesystem permissions. Put sendmail as user sendmail and only let user sendmail read/write to port 25.

The 4.4BSD ssm (system ... manual) has a USENIX paper on portals.

jmb

Adam Shostack wrote:
>
> I brought up the idea of doing this on the openbsd list. We agreed
> that there wasn't a clean way to do it. I'm experimenting with ways
> of doing it, leaning towards a sysctl controlled list of port, gid
> pairs. I don't know of anyone who has implemented it.
>
> The overhead should be pretty minimal.
>
> I chose not to depend on files, which is ugly, but not so ugly as
> having the kernel depend on files during startup.
>
> The other thought that has occurred to me, but I expect it to be more
> expensive, is to use a packet filter with NAT capabilities to
> translate port bindings to high numbers for appropriate daemons.
> Since this has a per packet hit, I expect it to be very expensive on
> an ongoing basis.
>
> Adam
>
>
> Robert N Watson wrote:
>
> | I've heard that OpenBSD now has a feature to allow non-root users to bind
> | to <1024 ports. It would be nice to see something similar to that under
> | FreeBSD -- half the daemons (not a verified figure) that run as root
> | probably don't need root access, except to bind to the port (named,
> | sendmail, web servers, etc.) I believe the OpenBSD implementation just
> | gives this access to the daemon user (or something to that extent? Would
> | love details), but perhaps we could go for something a little more
> | sophisticated if it doesn't up the overhead too much on the kernel? A
> | limited list of (port, user) (say a max of 64, except as configured in the
> | kernel), and if the bind() call matches this for TCP, allow the program to
> | bind, for example. An appropriate root-owned file (/etc/rc.conf?) could
> | define those permissions in an ipfirewall-style setup, running early in
> | the rc sequence.
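A user-space model of the check the thread proposes (a bounded list of (port, gid) pairs consulted when a non-root process calls bind() on a reserved port), added here as an example; it is not code from FreeBSD, OpenBSD or any participant, and the table size, the gid value 25 for "sendmail" and the function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* Added example (not FreeBSD or OpenBSD code): a fixed table of (port, gid)
 * pairs stands in for the sysctl-controlled list; it is consulted only when
 * a non-root process asks for a reserved port, so the common case is cheap. */
#define PORTACL_MAX 64            /* the "max of 64" proposed in the thread */
#define RESERVED_LIMIT 1024       /* ports below this normally need root */
struct portacl { uint16_t port; gid_t gid; };
static struct portacl portacl_table[PORTACL_MAX];
static int portacl_count;

/* Add a (port, gid) rule. Returns 0 on success, -1 if the table is full or
 * the port is not reserved (no rule is needed for ports >= 1024). */
int portacl_add(uint16_t port, gid_t gid)
{
    if (portacl_count >= PORTACL_MAX || port >= RESERVED_LIMIT)
        return -1;
    portacl_table[portacl_count].port = port;
    portacl_table[portacl_count].gid = gid;
    portacl_count++;
    return 0;
}
void portacl_clear(void) { portacl_count = 0; }

/* Return 1 if a process with uid and the gids in groups[] (effective plus
 * supplementary, as in the kernel credential) may bind port, else 0. */
int portacl_may_bind(uid_t uid, const gid_t *groups, int ngroups, uint16_t port)
{
    if (uid == 0 || port >= RESERVED_LIMIT)   /* root, or unprivileged port */
        return 1;
    for (int i = 0; i < portacl_count; i++) {
        if (portacl_table[i].port != port)
            continue;
        for (int g = 0; g < ngroups; g++)
            if (groups[g] == portacl_table[i].gid)
                return 1;                     /* matching (port, gid) rule */
    }
    return 0;                                 /* reserved port, no rule */
}

int main(void)
{
    gid_t mail[] = { 25 };                    /* constructed: gid 25 = "sendmail" */
    portacl_add(25, 25);                      /* let group 25 bind port 25 */
    printf("sendmail->25: %d, sendmail->80: %d\n",
           portacl_may_bind(1001, mail, 1, 25), portacl_may_bind(1001, mail, 1, 80));
    return 0;
}
```

FreeBSD later shipped this idea as the mac_portacl(4) policy, whose uid- or gid-to-port rules are set through a sysctl rather than a file.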