From: "Harry M. Leitzell" <Harry_M_Leitzell@cmu.edu>
Date: Fri, 18 Jun 1999 19:09:23 -0400 (EDT)
To: Frank Tobin
Cc: Kirill Nosov, freebsd-security@FreeBSD.ORG
Subject: Re: securelevel descr

On Fri, 18 Jun 1999, Frank Tobin wrote:

> Kirill Nosov, at 12:08 on Fri, 18 Jun 1999, wrote:
>
> > But the idea discussed will allow running daemons on privileged ports
> > under non-root privileges. So you will create a user sendmail with uid
> > 25 and only it will be able to bind to port 25. That will allow
> > lowering the probability of remote (and local) root compromises. For
> > sure this is a non-trivial configuration problem concerning file
> > ownership and group formation, but it looks like the result will be
> > good. (But perhaps that will create another problem with 'privileged
> > uids' :)
>
> Hrm, that is an excellent idea; it could be added as an extra securelevel,
> such as -2. During this time, any user can open a port. rc scripts can
> then start up standard daemons, such as sshd, and then have them bind to
> normally-privileged ports, with non-root privileges (well, sshd needs to
> be root anyways). Then, when the rc scripts are done, the securelevel can
> be raised to 4, which would allow no one, even root, to bind to
> securelevels anymore.
>
> By doing both of these, we've accomplished less root-privileged binaries
> _and_ trusted ports.
>
> Additionally, even if sshd was compromised as it ran as root, and the
> attacker gained root access, he could do virtually nothing damaging
> (except possibly some DoS) to the system, being in a high securelevel
> state. This includes killing the current sshd and starting a new one to
> sniff passwords, as, as stated, the proposed securelevel would be set to
> not allow the opening of trusted ports.

Correct me if I am wrong, but that would make administering a running
machine a rather large pain in the ass if every time a daemon stopped and
had to be restarted you would have to reboot.

[-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-]
Harry M. Leitzell - Harry_M_Leitzell@cmu.edu
Carnegie Mellon University
Finger for PGP Public Key
[-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-]
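The pattern the thread is circling, a daemon acquiring its privileged port while root and then running as an unprivileged uid, can be shown concretely. The following is an added example written for this page; it is not code from the thread, from any of the posters, or from FreeBSD. It assumes uid/gid 65534 ("nobody" on many systems) as the unprivileged identity and listens on 127.0.0.1 only. It also makes Harry's objection visible: after the drop the process keeps its listening descriptor, but a fresh bind to a low port is refused, so if the daemon dies, restarting it needs root again (or, under Frank's securelevel scheme, a reboot).

```c
/* Added example (not from the thread or FreeBSD): acquire a privileged
 * TCP port while root, then drop to an unprivileged uid irrevocably.
 * Build: cc -o bind_then_drop bind_then_drop.c
 * Run:   ./bind_then_drop          (any user: kernel picks a high port)
 *        sudo ./bind_then_drop 25  (root: binds 25, then becomes 65534) */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define UNPRIV_UID 65534   /* assumed: "nobody" on most systems */
#define UNPRIV_GID 65534

/* Open a listening TCP socket on 127.0.0.1:port. Port 0 asks the
 * kernel for a free ephemeral port. Returns the fd, or -1 with errno
 * set (EACCES when a non-root caller asks for a port below 1024). */
int open_listener(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 || listen(fd, 16) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Port the listener actually got (needed after open_listener(0)). */
int bound_port(int fd)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    if (getsockname(fd, (struct sockaddr *)&sin, &len) < 0)
        return -1;
    return ntohs(sin.sin_port);
}

/* Become uid/gid for good. Order matters: supplementary groups, then
 * gid, then uid, because once the uid is non-zero the first two would
 * fail. setuid() (not seteuid()) is used so the saved uid is replaced
 * too; the final check proves root cannot be regained. Returns 0 on
 * success, -1 on any failure; uid 0 is refused as a target. If the
 * caller is not root there is nothing to drop, and the call succeeds
 * only if it already is the requested identity. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0)
        return -1;
    if (getuid() != 0 && geteuid() != 0)
        return (getuid() == uid && getgid() == gid) ? 0 : -1;
    if (setgroups(1, &gid) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;                       /* drop was not irrevocable */
    return (getuid() == uid && geteuid() == uid && getgid() == gid) ? 0 : -1;
}

int main(int argc, char **argv)
{
    unsigned short port = argc > 1 ? (unsigned short)atoi(argv[1]) : 0;
    int fd = open_listener(port);
    if (fd < 0) {
        fprintf(stderr, "bind 127.0.0.1:%u: %s\n", port, strerror(errno));
        return 1;
    }
    printf("listening on 127.0.0.1:%d as uid %d\n", bound_port(fd), (int)getuid());

    if (getuid() == 0 && drop_privileges(UNPRIV_UID, UNPRIV_GID) < 0) {
        fprintf(stderr, "could not drop privileges; refusing to serve as root\n");
        return 1;
    }
    /* The existing descriptor stays usable, but a fresh low-port bind
     * is now refused: if this daemon dies, restarting it needs root. */
    int low = open_listener(25);
    printf("now uid %d; new bind to port 25: %s\n", (int)getuid(),
           low < 0 ? strerror(errno) : "allowed");
    if (low >= 0)
        close(low);
    close(fd);
    return 0;
}
```

Two details carry the security weight: the group drop happens before the uid drop, and the drop is verified by trying to get root back rather than trusted. A daemon that uses seteuid() instead keeps root in its saved uid, and a compromised process can simply call seteuid(0). Kirill's variant, a specific uid allowed to bind a specific low port without ever being root, was later provided in FreeBSD by the mac_portacl(4) policy; that is outside this 1999 thread and is mentioned only as context.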