From owner-freebsd-security@FreeBSD.ORG Sat Mar 7 17:25:45 2009
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4DC051065672 for ; Sat, 7 Mar 2009 17:25:45 +0000 (UTC) (envelope-from rwatson@FreeBSD.org)
Received: from cyrus.watson.org (cyrus.watson.org [65.122.17.42]) by mx1.freebsd.org (Postfix) with ESMTP id EA0898FC17 for ; Sat, 7 Mar 2009 17:25:44 +0000 (UTC) (envelope-from rwatson@FreeBSD.org)
Received: from fledge.watson.org (fledge.watson.org [65.122.17.41]) by cyrus.watson.org (Postfix) with ESMTPS id 8385A46B03; Sat, 7 Mar 2009 12:25:44 -0500 (EST)
Date: Sat, 7 Mar 2009 17:25:44 +0000 (GMT)
From: Robert Watson
X-X-Sender: robert@fledge.watson.org
To: Paige Thompson
In-Reply-To: <5061b39c0903012023hf4a3ccbw886760bdd795f71c@mail.gmail.com>
Message-ID:
References: <5061b39c0903012023hf4a3ccbw886760bdd795f71c@mail.gmail.com>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: freebsd-security@freebsd.org
Subject: Re: Trusted Path Execution
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Sat, 07 Mar 2009 17:25:45 -0000

On Sun, 1 Mar 2009, Paige Thompson wrote:

> I would like to know that there is or is not a way to prevent users from
> executing binaries that are not owned by root or that the user is in a
> particular group. Is this something I can achieve with TrustedBSD's MAC
> framework?

Hi Paige--

The ugidfw(8) file system firewall, and the mac_bsdextended(4) kernel module it depends on, can be used to limit what binaries can be executed. However, be aware that this may not affect memory mapping of shared libraries on platforms where there are not separate read/execute bits, such as on i386. You may want to combine this with the noexec flag, which our runtime linker is aware of and assists in enforcing for shared libraries.

Robert N M Watson
Computer Laboratory
University of Cambridge
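The policy Robert sketches, written out as an added example in the style of FreeBSD's /etc/rc.bsdextended (this is not code from the thread or from the FreeBSD project). It assumes a trusted group named wheel whose members may execute anything, that /home and /tmp are the user-writable file systems to remount noexec, and that the rule grammar matches ugidfw(8) on the target release, which should be checked before enabling it.

```shell
#!/bin/sh
# Added example: restrict execution to root-owned binaries using
# ugidfw(8) / mac_bsdextended(4), plus the noexec mount the reply
# recommends for shared libraries. Assumptions (constructed here):
# trusted group "wheel"; user-writable file systems /home and /tmp.

# Rule list, one rule per line, in evaluation order: the first matching
# rule decides. Mode letters: a=admin, r=read, s=stat, w=write,
# x=execute. A matching rule without x denies execution; the module can
# only take away what DAC already allows, never grant more.
tpe_rules() {
    # Members of the trusted group keep full access to everything.
    echo "subject gid wheel mode arswx"
    # Root-owned objects are not restricted for anyone.
    echo "object uid 0 mode arswx"
    # Everyone else may read/stat/write/chmod regular files they reach
    # under DAC, but may not execute them. Limiting this to regular
    # files (type r) leaves directory lookups alone, which the module
    # also treats as an execute check on the directory.
    echo "subject not uid 0 object type r mode arsw"
}

# Mount points holding user-writable files. noexec, honoured by the
# runtime linker, covers the shared-library mapping gap the reply
# describes on platforms without separate read/execute bits.
tpe_noexec_mounts() {
    echo "/home"
    echo "/tmp"
}

# Load the module and install the rules; a no-op off FreeBSD.
apply_tpe() {
    command -v ugidfw >/dev/null 2>&1 || return 0
    kldstat -qm mac_bsdextended || kldload mac_bsdextended
    tpe_rules | while read -r rule; do
        # Word splitting of $rule into separate arguments is intended.
        ugidfw add $rule
    done
    tpe_noexec_mounts | while read -r mp; do
        mount -u -o noexec "$mp"
    done
}

apply_tpe
```

Remember that a noexec mount also stops users from running scripts and binaries they copy there, so check what legitimately lives on those file systems first.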