From owner-freebsd-security  Sun Jul 12 15:02:56 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id PAA17363
          for freebsd-security-outgoing; Sun, 12 Jul 1998 15:02:56 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from obie.softweyr.com ([204.68.178.33])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA17358
          for <security@freebsd.org>; Sun, 12 Jul 1998 15:02:52 -0700 (PDT)
          (envelope-from wes@softweyr.com)
Received: from obie.softweyr.com (zaphod.softweyr.com [204.68.178.35])
	by obie.softweyr.com (8.8.8/8.8.8) with SMTP id PAA10573;
	Sun, 12 Jul 1998 15:59:50 -0600 (MDT)
	(envelope-from wes@softweyr.com)
Date: Sun, 12 Jul 1998 15:59:50 -0600 (MDT)
Message-Id: <199807122159.PAA10573@obie.softweyr.com>
Subject: Re: RootRunner (admin GUI w/o security holes?)
From: Wes Peters <wes@softweyr.com>
To: kgor@ksg.com, andrew@squiz.co.nz
Cc: jehamby@manta.jpl.nasa.gov, 026809r@dragon.acadiau.ca,
        security@FreeBSD.ORG
Reply-To: Wes Peters <wes@softweyr.com>
In-Reply-To: <Pine.BSF.3.96.980712163039.11489A-100000@aniwa.sky>
References: <Pine.BSF.3.96.980712163039.11489A-100000@aniwa.sky>
X-Priority: 3 (Normal)
X-Mailer: BeatWare Mail-It 1.6
X-BeOS-Platform: Intel or clone
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by hub.freebsd.org id PAA17359
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

My hidden microphone recorded Andrew McNaughton (andrew@squiz.co.nz) saying:

% I suspect the only way to get a uid = 0 backend and a uid != 0 frontend
% is to run them as separate processes with some sort of communication
% channel.

It's certainly the only good way.  It is important to secure the communication 
channel also; you'd be surprised what you can find in the clear snooping 
unix-domain sockets and the like.  Contrary to what many will tell you, even a 
simple encryption or ENCODING method will dissuade most of your potential 
attackers; they'll go look for other "low-hanging fruit."

If you make your standard communications channel a TCP socket, you're building 
in remote administration capabilities from the start.  You have to pay 
attention to authentication and communication security, but you really need to 
do that anyhow, so why shy away from it at the start?

--
       "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                 Softweyr LLC
http://www.softweyr.com/~softweyr                      wes@softweyr.com           




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message