From owner-freebsd-security Fri Jun 19 20:10:40 1998
Return-Path:
Received: (from majordom@localhost)
    by hub.freebsd.org (8.8.8/8.8.8) id UAA28991
    for freebsd-security-outgoing; Fri, 19 Jun 1998 20:10:40 -0700 (PDT)
    (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from beatrice.rutgers.edu (beatrice.rutgers.edu [165.230.209.143])
    by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA28948
    for ; Fri, 19 Jun 1998 20:10:34 -0700 (PDT)
    (envelope-from easmith@beatrice.rutgers.edu)
Received: (from easmith@localhost)
    by beatrice.rutgers.edu (980427.SGI.8.8.8/970903.SGI.AUTOCF) id XAA29127;
    Fri, 19 Jun 1998 23:07:42 -0400 (EDT)
From: "Allen Smith"
Message-Id: <9806192307.ZM29126@beatrice.rutgers.edu>
Date: Fri, 19 Jun 1998 23:07:42 -0400
In-Reply-To: David Greenman
    "Re: bsd securelevel patch question" (Jun 14, 6:38pm)
References: <199806150138.SAA06234@implode.root.com>
X-Mailer: Z-Mail (3.2.3 08feb96 MediaMail)
To: dg@root.com, njs3@doc.ic.ac.uk (Niall Smart)
Subject: Re: bsd securelevel patch question
Cc: dima@best.net, security@FreeBSD.ORG, abc@ralph.ml.org, tqbf@secnet.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Jun 14, 6:38pm, David Greenman (possibly) wrote:
> > - implement a capabilities-based security model; even this isn't
> > fool-proof.
>
> As a former VMS developer, I've been wanting to do that for years in
> FreeBSD. login.conf seems like the ideal place to build the privilege
> list and the changes to the kernel aren't very difficult, just tedious.
> One of these days...

Why are you wanting to do it via login.conf, instead of via multiple
groups? I'm asking because I'm looking at doing this for ICMP sockets
(raw sockets limited to ICMP) so that programs such as ping, squid's
pinger, etcetera can be setgid as opposed to setuid. (This is
discussed in much detail on http://www.enteract.com/~tqbf/harden.html
which is why I'm ccing him.)

Thanks,

-Allen

--
Allen Smith easmith@beatrice.rutgers.edu