Date:      Fri, 18 Jun 1999 19:09:23 -0400 (EDT)
From:      "Harry M. Leitzell" <Harry_M_Leitzell@cmu.edu>
To:        Frank Tobin <ftobin@bigfoot.com>
Cc:        Kirill Nosov <slash@leontief.net>, freebsd-security@FreeBSD.ORG
Subject:   Re: securelevel descr
Message-ID:  <Pine.LNX.3.96L.990618190730.5293A-100000@unix49.andrew.cmu.edu>
In-Reply-To: <Pine.BSF.4.10.9906180326180.55914-100000@srh0710.urh.uiuc.edu>

On Fri, 18 Jun 1999, Frank Tobin wrote:

> Kirill Nosov, at 12:08 on Fri, 18 Jun 1999, wrote:
> 
> > But the idea discussed will allow running daemons on privileged ports
> > under non-root privileges. So you will create a user sendmail with
> > uid 25 and only it will be able to bind to port 25. That will allow
> > lowering the probability of remote (and local) root compromises. For
> > sure this is a non-trivial configuration problem concerning file
> > ownership and group formation, but it looks like the result will be
> > good. (But perhaps that will create another problem with 'privileged
> > uids' :)
> 
> Hrm, that is an excellent idea that could be added as an extra securelevel, such
> as -2.  During this time, any user can open a port.  rc scripts can then
> start up standard daemons, such as sshd, and then have them bind to
> normally-privileged ports, with non-root privileges (well, sshd needs to
> be root anyways). Then, when the rc scripts are done, the securelevel can
> be raised to 4, which would allow no one, even root, to bind to
> securelevels anymore.  By doing both of these, we've accomplished less
> root-privileged binaries _and_ trusted ports.
> 
> Additionally, even if sshd was compromised as it ran as root, and the
> attacker gained root access, he could do virtually nothing damaging
> (except possibly some DOS) to the system, being in a high securelevel
> state.  This includes killing the current sshd, and starting a new one to
> sniff passwords, as, as stated, the proposed securelevel would be set to
> not allow the opening of trusted ports.

	Correct me if I am wrong, but that would make admining a running
machine a rather large pain in the ass if every time a daemon stopped and
had to be restarted you would have to reboot.

[-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-]
	Harry M. Leitzell - Harry_M_Leitzell@cmu.edu
		Carnegie Mellon University
		Finger for PGP Public Key
[-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-]
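A small model of the port-binding policy the thread proposes, added here as an illustration; it is not FreeBSD code. Levels -2 and 4 are the hypothetical securelevels from the discussion (real FreeBSD securelevels run -1 to 3), and the `can_bind`, `Box` and helper names are assumptions made for this example.

```python
"""Toy model of the privileged-port policy discussed in the thread.

Levels -2 and 4 are the proposal from the thread, not real FreeBSD
securelevels. Standard levels -1..3 keep the usual rule that only uid 0
may bind a port below 1024.
"""
from dataclasses import dataclass, field

PRIVILEGED_MAX = 1023  # ports 0..1023 are the "trusted" ports


def can_bind(securelevel: int, uid: int, port: int) -> bool:
    """Return whether a process running as `uid` may bind `port`."""
    if port > PRIVILEGED_MAX:
        return True            # unprivileged ports are always bindable
    if securelevel <= -2:
        return True            # proposed boot-time level: any uid may bind
    if securelevel >= 4:
        return False           # proposed locked level: nobody, not even root
    return uid == 0            # ordinary rule at levels -1..3


@dataclass
class Box:
    securelevel: int = -2
    daemons: dict = field(default_factory=dict)  # port -> (name, uid)

    def start(self, name: str, uid: int, port: int) -> bool:
        """Start a listener; returns False if the bind would be refused."""
        if not can_bind(self.securelevel, uid, port):
            return False
        self.daemons[port] = (name, uid)
        return True

    def raise_level(self, level: int) -> None:
        assert level >= self.securelevel  # securelevel only goes up at runtime
        self.securelevel = level


def boot_and_lock() -> Box:
    """The rc sequence from the thread: bind at -2, then lock at 4."""
    box = Box()
    box.start("sendmail", 25, 25)  # uid 25 binds port 25 with no root at all
    box.start("sshd", 0, 22)       # sshd still needs root, as the thread notes
    box.raise_level(4)
    return box


def restart_sshd(box: Box) -> bool:
    """Harry's objection: once at level 4 even root cannot re-bind port 22,
    so a stopped daemon cannot be restarted without a reboot."""
    box.daemons.pop(22, None)      # sshd has stopped (or was killed)
    return box.start("sshd", 0, 22)  # False: the trusted port is closed
```

The same rule that blocks an intruder from replacing a killed sshd with a listener on port 22 also blocks the administrator's legitimate restart, which is the trade-off the reply points out.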
