Date: Sat, 30 Sep 2000 18:37:14 -0400
From: "Brian F. Feldman" <green@FreeBSD.org>
To: cjclark@alum.mit.edu
Cc: security@FreeBSD.org
Subject: Re: cvs commit: ports/mail/pine4 Makefile (fwd)
Message-ID: <200009302237.e8UMbE544527@green.dyndns.org>
In-Reply-To: Message from "Crist J . Clark" <cjclark@reflexnet.net> of "Sat, 30 Sep 2000 15:14:36 PDT." <20000930151436.D25121@149.211.6.64.reflexcom.com>
"Crist J . Clark" <cjclark@reflexnet.net> wrote:
> On Sat, Sep 30, 2000 at 04:22:46PM -0500, Mike Silbersack wrote:
> >
> > On Sat, 30 Sep 2000, Brian F. Feldman wrote:
> >
> > > That is, one can create their own jail (or just chroot(8)... I should
> > > probably get user-chrooting reviewed ;) which they would use for running
> > > potentially evil things -- like reading e-mail with pine. It's not too
> > > difficult, but it's really easier just to switch to a better MUA.
> >
> > user-chrooting would be excellent. Chrooting MUAs / web browsers / etc
> > would be a nice feature no matter how secure the program in question seems
> > to be. If you get it implemented, I'll be the first to use the
> > feature. :)
>
> Why not just run each program under a different user? From the
> multi-user heritage of the OS, it is really good at keeping users from
> messing with each other's stuff. You set up a user to read mail, a
> user to browse, and a user to do whatever else is "risky." You can
> have one not-too-super-super-user (that you never do anything too risky
> with) who can access stuff from all of these individual users via
> group permissions. Here is an example, you have groups,
>
> mymailer:*:2010:mysu
> mysurfer:*:2020:mysu
> mygamer:*:2030:mysu
>
> And each of those users has a 002 umask. From your mysu account you can
> access everything. From mymailer, you can only screw up your mail
> (something that chrooting would not get around either).
>
> This might be an admin nightmare for systems that _are_ being used for
> true multi-user (more than one real person) systems. But for the
> average home box or single-user desktop, this seems that it does all
> chroot would do and then some with no extra hassles.
> --
> Crist J. Clark                                cjclark@alum.mit.edu

I was going to suggest this, where a compromise would result in a
_different_ user losing all its stuff (your mail only?), but it would still
allow remote users to mount local attacks against suid programs and such.
In a chroot, the only attacks would be ptrace()-based or socket()-based...
In a jail, you have maybe sysv*-based attacks.

--
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'
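As an added example that is not part of the thread above (it is neither Crist's nor Brian's code), the script below sets up and checks the "one user per risky program" scheme Crist describes, and then counts the setuid programs a sandbox user can still execute, which is the local attack surface Brian's reply points at. The account names (mysu, mymailer, mysurfer, mygamer) and the gids are the ones from the message; the /home paths, the /bin/sh login shell and putting the umask in .profile are assumptions. The pw(8) commands are FreeBSD-specific and are only printed, since creating accounts needs root; the umask check and the setuid scan run unprivileged on any POSIX system.

```sh
#!/bin/sh
# Added example, not from the original thread.
# Part 1: the account layout (printed, needs root to apply).
# Part 2: what a 002 umask buys the group member (runs unprivileged).
# Part 3: setuid programs still reachable from any local uid.

# Print the FreeBSD pw(8) commands that create one group and one user per
# risky program, with mysu listed as a member of every group. This
# reproduces the group(5) lines from the thread:
#   mymailer:*:2010:mysu  mysurfer:*:2020:mysu  mygamer:*:2030:mysu
# Home paths, shell and the .profile umask line are assumptions.
print_account_commands() {
    for spec in mymailer:2010 mysurfer:2020 mygamer:2030; do
        name=${spec%%:*}
        gid=${spec##*:}
        echo "pw groupadd $name -g $gid -M mysu"
        echo "pw useradd $name -u $gid -g $name -m -d /home/$name -s /bin/sh"
        # 002 umask: everything the sandbox user creates is group-writable,
        # so mysu (a member of the group) can read and edit it.
        echo "echo 'umask 002' >> /home/$name/.profile"
    done
}

# Return the ls(1) mode string of a fresh file created under umask $1.
# Shows the difference between the thread's 002 (group read/write), the
# usual 022 (group read-only) and a paranoid 077 (owner only).
mode_under_umask() {
    dir=$(mktemp -d) || return 1
    ( umask "$1" && : > "$dir/probe" )
    ls -l "$dir/probe" | cut -c1-10
    rm -rf "$dir"
}

# Count setuid executables under the given directories. A per-program
# user can execute every one of them, which is why a uid switch alone does
# not remove local privilege-escalation targets; a chroot or jail populated
# without setuid binaries does.
count_setuid_in() {
    find "$@" -xdev -type f -perm -4000 2>/dev/null | wc -l | tr -d ' '
}

echo "# account setup (run as root on the FreeBSD box):"
print_account_commands
echo "# file mode for a sandbox user with umask 002: $(mode_under_umask 002)"
echo "# file mode with the default umask 022:        $(mode_under_umask 022)"
echo "# setuid programs any local user can reach:" \
     "$(count_setuid_in /usr/bin /bin /usr/sbin /sbin /usr/local/bin)"
```

The umask check is the part worth running before relying on the scheme: with 002 the probe file comes out `-rw-rw-r--`, so mysu can write to it through the group; with the stock 022 it is `-rw-r--r--` and mysu can only read. The setuid count is the number Brian's caveat is about, and it is the same for every local uid on the box.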