From owner-freebsd-security  Fri Jun 18 16:10:19 1999
Delivered-To: freebsd-security@freebsd.org
Received: from smtp1.andrew.cmu.edu (SMTP1.ANDREW.CMU.EDU [128.2.10.81])
	by hub.freebsd.org (Postfix) with ESMTP id DD1B0151C8
	for <freebsd-security@FreeBSD.ORG>; Fri, 18 Jun 1999 16:09:58 -0700 (PDT)
	(envelope-from Harry_M_Leitzell@cmu.edu)
Received: from unix49.andrew.cmu.edu (UNIX49.ANDREW.CMU.EDU [128.2.15.57])
	by smtp1.andrew.cmu.edu (8.9.3/8.9.3) with SMTP id TAA13139;
	Fri, 18 Jun 1999 19:09:24 -0400 (EDT)
Date: Fri, 18 Jun 1999 19:09:23 -0400 (EDT)
From: "Harry M. Leitzell" <Harry_M_Leitzell@cmu.edu>
X-Sender: Harry_M_Leitzell@unix49.andrew.cmu.edu
To: Frank Tobin <ftobin@bigfoot.com>
Cc: Kirill Nosov <slash@leontief.net>, freebsd-security@FreeBSD.ORG
Subject: Re: securelevel descr
In-Reply-To: <Pine.BSF.4.10.9906180326180.55914-100000@srh0710.urh.uiuc.edu>
Message-ID: <Pine.LNX.3.96L.990618190730.5293A-100000@unix49.andrew.cmu.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 18 Jun 1999, Frank Tobin wrote:

> Kirill Nosov, at 12:08 on Fri, 18 Jun 1999, wrote:
> 
> > But the idea discussed will allow to run daemons on priveleged ports
> > under non-root priveleges. So you will create a user sendmail with 25
> > uid and only it will be able to bind to 25 port. That will allow to
> > lower the probability of remote ( and local) root compromises. For
> > sure this is a non-trivial configuration probl;em concerning to files
> > ownership and groups formation but it looks like that result will be
> > good. (But perhaps that will create another problem with 'priveleged
> > uids' :)
> 
> Hrm, that is a excellent idea could be added as an extra securelevel, such
> as -2.  During this time, any user can open a port.  rc scripts can then
> start up standard daemons, such as sshd, and then have them bind to
> normally-privileged ports, with non-root privileges (well, sshd needs to
> be root anyways). Then, when the rc scripts are done, the securelevel can
> be raised to 4, which would allow noone, even root, to bind to
> securelevels anymore.  By doing both of these, we've accomplished less
> root-privileged binaries _and_ trusted ports.
> 
> Additionally, even if sshd was compromised as it ran as root, and the
> attacker gained root access, he could do virtually nothing damaging
> (except possibly some DOS) to the system, being in a high securelevel
> state.  This includes killing the current sshd, and starting a new one to
> sniff passwords, as, as stated, the proposed securelevel would be set to
> not allow the opening of trusted ports.

	Correct me if I am wrong, but that would make admining a running
machine a rather large pain in the ass if every time a daemon stopped and
had to be restarted you would have to reboot.

[-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-]
	Harry M. Leitzell - Harry_M_Leitzell@cmu.edu
		Carnegie Mellon University
		Finger for PGP Public Key
[-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-]



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message