From owner-freebsd-security Mon Jul 7 13:05:46 1997
Date: Mon, 7 Jul 1997 16:05:07 -0400 (EDT)
From: Robert Watson
To: Sean Eric Fagan
cc: security@FreeBSD.ORG
Subject: Re: Security Model/Target for FreeBSD or 4.4?
In-Reply-To: <199707071837.LAA23476@kithrup.com>

On Mon, 7 Jul 1997, Sean Eric Fagan wrote:

> [...]
>
> This was discussed here a few months ago (a year ago?). It would have been
> something along the lines of:
>
> net.inet.ip.
>
> and then using it like
>
> sysctl -w net.inet.ip.25=`id smtp`
>
> or somesuch.

Unfortunately, that doesn't address the distinction between TCP and UDP services. I'm not sure that is a huge issue, but it seems relevant. The formatting for this is looking more and more like an ipfirewall config file. I wonder if the similarities between the interfaces could be merged in some way?

Also, since we're looking at putting permissions on port-binding, are there any other related resources or capabilities under BSD that are not limited by the current restrictions? Various types of socket communication don't appear to be.

On a related note, has anyone given any thought to making chroot() a user-accessible call? I haven't really looked at it, so am not sure why it can only be called by uid root programs.
In terms of sandboxing (which seems to be popular these days for various applications), it would be nice to restrict programs to specific regions of the disk, etc. Especially if you are a non-root user developing programs that require special libraries, etc. Or if you want to run a restricted web or ftp server, but don't have root access (as hopefully would be the case with the lighter restrictions on binding ports <1024.)

Robert
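The TCP/UDP distinction raised above is the kind of thing a port-binding policy has to express explicitly. The following is an added example, not code from this thread or from FreeBSD: it parses a hypothetical rule format of the form `uid:proto:port` (the syntax, the `load_policy`/`may_bind` names and the sample rules are all assumptions made here for illustration) and shows the check a kernel bind() path would make, so that a uid granted tcp/25 is not thereby granted udp/25, root keeps its traditional right, and ports at or above 1024 stay unrestricted.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical rule format (an assumption of this example, not a FreeBSD
 * interface): "uid:proto:port" where proto is tcp, udp or any. */
enum proto { PROTO_TCP = 1, PROTO_UDP = 2, PROTO_ANY = PROTO_TCP | PROTO_UDP };

struct portrule {
    uid_t uid;
    int proto;             /* bitmask of enum proto */
    unsigned short port;
};

#define MAXRULES 64
static struct portrule rules[MAXRULES];
static int nrules;

/* Parse one rule such as "25:tcp:25" or "53:any:53".
 * Returns 0 on success, -1 if the rule is malformed. */
static int parse_rule(const char *text, struct portrule *out)
{
    char buf[64];
    char *uid_s, *proto_s, *port_s, *save, *end;
    long v;

    if (strlen(text) >= sizeof buf) return -1;
    strcpy(buf, text);
    uid_s = strtok_r(buf, ":", &save);
    proto_s = strtok_r(NULL, ":", &save);
    port_s = strtok_r(NULL, ":", &save);
    if (!uid_s || !proto_s || !port_s || strtok_r(NULL, ":", &save)) return -1;

    v = strtol(uid_s, &end, 10);
    if (*end || v < 0) return -1;
    out->uid = (uid_t)v;

    if (strcmp(proto_s, "tcp") == 0) out->proto = PROTO_TCP;
    else if (strcmp(proto_s, "udp") == 0) out->proto = PROTO_UDP;
    else if (strcmp(proto_s, "any") == 0) out->proto = PROTO_ANY;
    else return -1;

    v = strtol(port_s, &end, 10);
    if (*end || v < 1 || v > 65535) return -1;
    out->port = (unsigned short)v;
    return 0;
}

/* Load a comma-separated policy string. The whole policy is rejected (-1)
 * and the previously loaded rules are kept if any single rule is malformed,
 * so a typo cannot silently open or close ports. Returns the rule count. */
int load_policy(const char *policy)
{
    char buf[1024];
    char *tok, *save;
    struct portrule tmp[MAXRULES];
    int n = 0;

    if (strlen(policy) >= sizeof buf) return -1;
    strcpy(buf, policy);
    for (tok = strtok_r(buf, ",", &save); tok; tok = strtok_r(NULL, ",", &save)) {
        if (n == MAXRULES || parse_rule(tok, &tmp[n]) != 0) return -1;
        n++;
    }
    memcpy(rules, tmp, n * sizeof *tmp);
    nrules = n;
    return n;
}

/* The decision a bind() path would make: reserved ports (<1024) need either
 * uid 0 or a rule matching this exact uid, port AND protocol. Returns 1 if
 * the bind is allowed, 0 if it should fail with EACCES. */
int may_bind(uid_t uid, int proto, unsigned short port)
{
    int i;
    if (port >= 1024 || uid == 0) return 1;
    for (i = 0; i < nrules; i++)
        if (rules[i].uid == uid && rules[i].port == port && (rules[i].proto & proto))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample policy: uid 25 may take tcp/25 only, uid 53 may
     * take both protocols on port 53. */
    if (load_policy("25:tcp:25,53:any:53") < 0) {
        fprintf(stderr, "bad policy\n");
        return 1;
    }
    printf("uid 25 tcp/25: %d\n", may_bind(25, PROTO_TCP, 25));
    printf("uid 25 udp/25: %d\n", may_bind(25, PROTO_UDP, 25));
    printf("uid 53 udp/53: %d\n", may_bind(53, PROTO_UDP, 53));
    return 0;
}
```

Rejecting the entire policy on one malformed rule, rather than loading the good ones, is the conservative choice for a mechanism that relaxes a kernel restriction: a partially applied policy is harder to reason about than a refused one.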