From owner-freebsd-security Tue Jul 7 06:19:43 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA24292 for freebsd-security-outgoing; Tue, 7 Jul 1998 06:19:43 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (root@COPLAND.CODA.CS.CMU.EDU [128.2.222.48]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA24287 for ; Tue, 7 Jul 1998 06:19:42 -0700 (PDT) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id JAA10471; Tue, 7 Jul 1998 09:19:23 -0400 (EDT)
Date: Tue, 7 Jul 1998 09:19:23 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: Niall Smart
cc: Andrew McNaughton , security@FreeBSD.ORG
Subject: Re: bsd securelevel patch question
In-Reply-To: <199807052106.WAA04694@indigo.ie>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 5 Jul 1998, Niall Smart wrote:

> On Jul 3, 4:26am, Andrew McNaughton wrote:
> } Subject: Re: bsd securelevel patch question
> > >Eh? If ssh/smtp/inetd bind to the port you won't be able to, no
> > >matter how often you try.
> >
> > Unless the server is restarted for some reason. Hence the rapid cron job
> > which will eventually succeed if not detected first.
>
> Well, this should be detected, and is easily detectable.

"detectable" is not acceptable in most real-world environments. Suppose I know you will be upgrading ssh at a certain time of day due to your announcement that incoming ssh service will not be available during that time period (a common arrangement where customers are involved -- notifying them of downtimes for commonly used services).
I agree that privilege would have to be allocated on a per-port basis, as my access to most of my servers is only via the network -- I cannot afford to "detect" someone replacing a key daemon (nfsd) on a server because they managed to subvert a CGI script. The case of Java Servlets is actually a little more serious -- Servlets run inside the web server's process. Similarly, a buffer overflow in apache should not give me that ability. Having a bulk "can bind <1024 on protocol TCP" privilege is too broad, and gains very little.

Robert N Watson

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/
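The thread turns on whether a daemon being replaced on a reserved port (or the gap while it is down for an upgrade) is "easily detectable". The script below is an added illustration of that detection check, not code from Watson or from FreeBSD: it parses the output of `sockstat -4 -l` (the column layout is assumed from the tool's format, and the sample output is constructed, not captured from a real host) and compares every listener on a port below 1024 against an allowlist of the user and program expected to hold it. The `EXPECTED` policy, the sample rows and the finding labels are all hypothetical.

```python
"""Allowlist check for reserved-port listeners (ports below 1024).

Added example, not part of the original mailing-list post. Parses output in
the layout of FreeBSD's `sockstat -4 -l` (assumed column order: USER COMMAND
PID FD PROTO LOCAL FOREIGN) and reports three conditions from the thread:

  * "wrong-owner":    a reserved port held by a different user/program than
                      the one expected (e.g. not sshd-as-root on 22);
  * "unexpected-port": a listener on a reserved port the policy knows nothing
                      about;
  * "not-listening":  an expected service that is down, i.e. the window in
                      which a restart would let another process bind the port.
"""
from dataclasses import dataclass

# Constructed sample in sockstat -4 -l layout; not captured from a real host.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       123   3  tcp4   *:22                  *:*
www      httpd      456   7  tcp4   *:80                  *:*
nobody   perl       789   5  tcp4   *:25                  *:*
root     inetd      321   4  udp4   *:514                 *:*
"""

# Hypothetical policy: expected (user, command) per reserved TCP port.
EXPECTED = {
    22: ("root", "sshd"),
    25: ("root", "sendmail"),
    80: ("www", "httpd"),
    443: ("www", "httpd"),
}


@dataclass(frozen=True)
class Listener:
    user: str
    command: str
    pid: int
    proto: str
    port: int


def parse_sockstat(text):
    """Return Listener records for the TCP rows of sockstat output."""
    listeners = []
    for line in text.splitlines()[1:]:  # first row is the column header
        fields = line.split()
        if len(fields) < 7 or not fields[4].startswith("tcp"):
            continue  # malformed row or a UDP socket
        user, command, pid, _fd, proto, local = fields[:6]
        port = int(local.rsplit(":", 1)[1])  # "*:22" or "10.0.0.1:22"
        listeners.append(Listener(user, command, int(pid), proto, port))
    return listeners


def audit(listeners, expected):
    """Compare listeners on ports < 1024 with the policy; return findings.

    Each finding is (kind, port, user, command, pid), sorted by port, with
    pid None for a service that is not listening at all.
    """
    findings = []
    seen = set()
    for l in listeners:
        if l.port >= 1024:
            continue  # unreserved ports are outside this check
        seen.add(l.port)
        want = expected.get(l.port)
        if want is None:
            findings.append(("unexpected-port", l.port, l.user, l.command, l.pid))
        elif (l.user, l.command) != want:
            findings.append(("wrong-owner", l.port, l.user, l.command, l.pid))
    for port, (user, command) in expected.items():
        if port < 1024 and port not in seen:
            findings.append(("not-listening", port, user, command, None))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for finding in audit(parse_sockstat(SAMPLE_SOCKSTAT), EXPECTED):
        print(*finding)
```

Run periodically, the "not-listening" finding is the one that matters for the scenario in the thread: it marks the announced downtime window during which the port is free, which is exactly when the allowlist comparison needs to fire on the next run rather than after the fact.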