From owner-freebsd-security Fri Jun 18 1:34:55 1999
Delivered-To: freebsd-security@freebsd.org
Received: from srh0710.urh.uiuc.edu (srh0710.urh.uiuc.edu [130.126.76.32]) by hub.freebsd.org (Postfix) with SMTP id 3E4A614F6F for ; Fri, 18 Jun 1999 01:34:54 -0700 (PDT) (envelope-from ftobin@bigfoot.com)
Received: (qmail 55924 invoked by uid 1000); 18 Jun 1999 08:34:52 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 18 Jun 1999 08:34:52 -0000
Date: Fri, 18 Jun 1999 03:34:52 -0500 (CDT)
From: Frank Tobin
X-Sender: ftobin@srh0710.urh.uiuc.edu
To: Kirill Nosov
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: securelevel descr
In-Reply-To: <99061812174202.10975@MirStation.leontief.nw.ru>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Kirill Nosov, at 12:08 on Fri, 18 Jun 1999, wrote:

> But the idea discussed will allow to run daemons on privileged ports
> under non-root privileges. So you will create a user sendmail with 25
> uid and only it will be able to bind to 25 port. That will allow to
> lower the probability of remote (and local) root compromises. For
> sure this is a non-trivial configuration problem concerning file
> ownership and group formation, but it looks like the result will be
> good. (But perhaps that will create another problem with 'privileged
> uids' :)

Hrm, that is an excellent idea; it could be added as an extra securelevel, such as -2. During this time, any user can open a port. rc scripts can then start up standard daemons, such as sshd, and then have them bind to normally-privileged ports, with non-root privileges (well, sshd needs to be root anyways). Then, when the rc scripts are done, the securelevel can be raised to 4, which would allow no one, even root, to bind to securelevels anymore. By doing both of these, we've accomplished less root-privileged binaries _and_ trusted ports.
Additionally, even if sshd was compromised as it ran as root, and the attacker gained root access, he could do virtually nothing damaging (except possibly some DoS) to the system, being in a high securelevel state. This includes killing the current sshd, and starting a new one to sniff passwords, as, as stated, the proposed securelevel would be set to not allow the opening of trusted ports.

-- 
Frank Tobin                          http://www.bigfoot.com/~ftobin
"To learn what is good and what is to be valued, those truths which
cannot be shaken or changed."        Myst: The Book of Atrus

FreeBSD: The Power To Serve
PGPenvelope = GPG and PGP5 + Pine    http://www.bigfoot.com/~ftobin/resources.html
PGP: 4F86 3BBB A816 6F0A 340F  6003 56FF D10A 260C 4FA3