Date: Fri, 18 Jun 1999 19:09:23 -0400 (EDT) From: "Harry M. Leitzell" <Harry_M_Leitzell@cmu.edu> To: Frank Tobin <ftobin@bigfoot.com> Cc: Kirill Nosov <slash@leontief.net>, freebsd-security@FreeBSD.ORG Subject: Re: securelevel descr Message-ID: <Pine.LNX.3.96L.990618190730.5293A-100000@unix49.andrew.cmu.edu> In-Reply-To: <Pine.BSF.4.10.9906180326180.55914-100000@srh0710.urh.uiuc.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, 18 Jun 1999, Frank Tobin wrote: > Kirill Nosov, at 12:08 on Fri, 18 Jun 1999, wrote: > > > But the idea discussed will allow to run daemons on priveleged ports > > under non-root priveleges. So you will create a user sendmail with 25 > > uid and only it will be able to bind to 25 port. That will allow to > > lower the probability of remote ( and local) root compromises. For > > sure this is a non-trivial configuration probl;em concerning to files > > ownership and groups formation but it looks like that result will be > > good. (But perhaps that will create another problem with 'priveleged > > uids' :) > > Hrm, that is a excellent idea could be added as an extra securelevel, such > as -2. During this time, any user can open a port. rc scripts can then > start up standard daemons, such as sshd, and then have them bind to > normally-privileged ports, with non-root privileges (well, sshd needs to > be root anyways). Then, when the rc scripts are done, the securelevel can > be raised to 4, which would allow noone, even root, to bind to > securelevels anymore. By doing both of these, we've accomplished less > root-privileged binaries _and_ trusted ports. > > Additionally, even if sshd was compromised as it ran as root, and the > attacker gained root access, he could do virtually nothing damaging > (except possibly some DOS) to the system, being in a high securelevel > state. This includes killing the current sshd, and starting a new one to > sniff passwords, as, as stated, the proposed securelevel would be set to > not allow the opening of trusted ports. Correct me if I am wrong, but that would make admining a running machine a rather large pain in the ass if every time a daemon stopped and had to be restarted you would have to reboot. [-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-] Harry M. Leitzell - Harry_M_Leitzell@cmu.edu Carnegie Mellon University Finger for PGP Public Key [-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.LNX.3.96L.990618190730.5293A-100000>