Date: Sat, 30 Sep 2000 15:14:36 -0700
From: "Crist J . Clark"
Reply-To: cjclark@alum.mit.edu
To: Mike Silbersack
Cc: "Brian F. Feldman", Warner Losh, Jordan Hubbard, Roman Shterenzon, Kris Kennaway, security@FreeBSD.ORG
Subject: Re: cvs commit: ports/mail/pine4 Makefile (fwd)
Message-ID: <20000930151436.D25121@149.211.6.64.reflexcom.com>

On Sat, Sep 30, 2000 at 04:22:46PM -0500, Mike Silbersack wrote:
>
> On Sat, 30 Sep 2000, Brian F. Feldman wrote:
>
> > That is, one can create their own jail (or just chroot(8)... I should
> > probably get user-chrooting reviewed ;) which they would use for running
> > potentially evil things -- like reading e-mail with pine. It's not too
> > difficult, but it's really easier just to switch to a better MUA.
>
> user-chrooting would be excellent. Chrooting MUAs / web browsers / etc
> would be a nice feature no matter how secure the program in question seems
> to be. If you get it implemented, I'll be the first to use the
> feature. :)

Why not just run each program under a different user?
From the multi-user heritage of the OS, it is really good at keeping
users from messing with each other's stuff. You set up a user to read
mail, a user to browse, and a user to do whatever else is "risky." You
can have one not-too-super-super-user (that you never do anything too
risky with) who can access stuff from all of these individual users
via group permissions. Here is an example, you have groups,

  mymailer:*:2010:mysu
  mysurfer:*:2020:mysu
  mygamer:*:2030:mysu

And each of those users has a 002 umask. From your mysu account you can
access everything. From mymailer, you can only screw up your mail
(something that chrooting would not get around either).

This might be an admin nightmare for systems that _are_ being used for
true multi-user (more than one real person) systems. But for the
average home box or single-user desktop, this seems that it does all
chroot would do and then some with no extra hassles.

-- 
Crist J. Clark                           cjclark@alum.mit.edu
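
The group layout described in this message, modelled as an added example that is not part of the original e-mail: it works out who may read or write a file that mymailer creates under a 002 umask, without touching real accounts. The function names are hypothetical, and it assumes each per-task user owns a same-named primary group.

```sh
#!/bin/sh
# Added example: models the group layout from the message; nothing here
# touches real accounts. GROUP_DB is constructed, in /etc/group format.
GROUP_DB='mymailer:*:2010:mysu
mysurfer:*:2020:mysu
mygamer:*:2030:mysu'

# created_mode BASE UMASK: mode a new file (666) or directory (777) gets.
created_mode() {
    printf '%o\n' $(( 0$1 & ~0$2 ))
}

# in_group USER GROUP: true if GROUP is USER's own primary group (assumed
# to share the user's name) or USER appears in GROUP's member list.
in_group() {
    [ "$1" = "$2" ] && return 0
    while IFS=: read -r name _pw _gid members; do
        [ "$name" = "$2" ] || continue
        case ",$members," in *",$1,"*) return 0 ;; esac
    done <<EOF
$GROUP_DB
EOF
    return 1
}

# can USER OWNER GROUP MODE r|w|x: classic owner/group/other check.
can() {
    case $5 in r) bit=4 ;; w) bit=2 ;; x) bit=1 ;; *) return 2 ;; esac
    if [ "$1" = "$2" ]; then sh_by=6
    elif in_group "$1" "$3"; then sh_by=3
    else sh_by=0
    fi
    [ $(( (0$4 >> $sh_by) & $bit )) -ne 0 ]
}

# report: what each account may do to a file mymailer created (umask 002).
report() {
    mode=$(created_mode 666 002)
    for u in mymailer mysu mysurfer mygamer; do
        r=no; w=no
        can "$u" mymailer mymailer "$mode" r && r=yes
        can "$u" mymailer mymailer "$mode" w && w=yes
        echo "$u: read=$r write=$w (mode $mode)"
    done
}
report
```

The report shows the other per-task accounts cannot write mymailer's 664 files but can still read them through the "other" bits. Under this model, a home directory at mode 770 instead of the 775 that umask 002 produces removes that read access while leaving mysu's group access intact.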