Date:      Mon, 16 Nov 1998 15:13:54 -0600
From:      William McVey <wam@sa.fedex.com>
To:        Matthew Dillon <dillon@apollo.backplane.com>
Cc:        Warner Losh <imp@village.org>, Andre Albsmeier <andre.albsmeier@mchp.siemens.de>, freebsd-security@FreeBSD.ORG, jkh@zippy.cdrom.com (Jordan K. Hubbard), dima@best.net (Dima Ruban)
Subject:   Re: Would this make FreeBSD more secure? & sendmail changes in OpenBSD 2.4
Message-ID:  <199811162114.PAA06569@s07.sa.fedex.com>

In a thread titled "Would this make FreeBSD more secure?" Matthew Dillon wrote:
>    Ok, here is a proposal:
>    (1)Add a 'kmem' and 'tty' dummy user to /usr/src/etc/master.passwd.
>	Unfortunately, the operator uid is already using 2 (why it didn't
>	use 5 I'll never know), so give the kmem user uid 5 and the tty
>	user uid 4 (same as their groups except for the operator<>kmem
>	flip).

If we are adding standard ids to the password file, what do you think of 
adding the following loginids and groupids for services that can run 
standalone as unprivileged users (these are ones I've set up on my set of
machines, it'd be nice to "standardize" them):
	smtp (uid and gid of 25)
	www (uid and gid of 80)
	ftp (uid and gid of 21)
	tftp (uid and gid of 69)
	syslog (uid and gid of 514) 
		(another root daemon which probably doesn't need root, I
		just made the changes on one of my machines... I'll let the 
		list know how it works out.)

I've never liked lumping different types of services under "daemon" or "nobody".

>    (2)Change identd and ntalkd entries in inetd.conf to run ntalkd tty:tty
>	and identd kmem:kmem.
>
>    (3)Add an lp user and an lp group (what uid/gid ?).

I'd choose uid/gid 515, of course, you probably could have predicted that.
Not coincidentally, I start numbering users as 1025. :-)

>    (5)
>
>	Use RCAPF_SETTIME to fix xntpd
>
>	Use TCAPF_LOWPORT to fix xntpd, lpd, bind, sendmail, and possibly
>	others. 

I'm not convinced that sendmail and lpd require TCAPF_LOWPORT.  I think 
inetd and the 'wait' attribute can do what they need, but I'm all for 
adding the solution as defined above.  It probably would be useful for 
bind (which as a single process needs to bind to udp/53 as well as tcp/53).

>sendmail might still have to be run by root by default for
>	program pipes, but that's a different problem that I presume 
>	Eric Allman will work on at some point (such functionality should 
>	really be moved into mail.local, IMHO, I'll email Eric and see
>	what he has to say about it).

[ this is also directed to a running thread titled "sendmail changes in
  OpenBSD 2.4" ] 

I'm a fan of running a setuid root mail.local, executable only by
group 'smtp'.  Sendmail is invoked as a wait service out of inetd
as user/group of 'smtp'.  This avoids the potential misuse of the
delivery program by regular users (which are not in group 'smtp'),
allows sendmail to run unprivileged, and requires no code changes
to operate.

To strip the setuid root bit from the delivery agent will require 
the daemon to be privileged so that it can setuid to the user whose
mail is being handled.  I would say a setuid root program that no-one
but the MTA can execute is the lesser of two evils.

 -- William

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
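The two layout points made in the message above (per-service unprivileged accounts in inetd.conf instead of "daemon"/"nobody", and a setuid-root mail.local that only group 'smtp' may execute) can be audited with a short script. The following is an added example, not code from the thread or from FreeBSD: the inetd.conf sample is constructed, the field layout assumed is the inetd.conf(5) one (`service socktype proto wait|nowait[/limits] user[:group][/class] program [args]`), the sendmail arguments are left out because the thread does not state them, and the "delivery agents" it checks are throwaway files it creates itself, so the owner/group checks use the caller's ids rather than root:smtp.

```python
"""Audit helpers for the unprivileged-daemon layout discussed in the thread.
Added example, not code from the thread.  Field layout assumed per inetd.conf(5):
  service socktype proto wait|nowait[/limits] user[:group][/class] program [args]
"""
import os
import stat
import tempfile
from collections import namedtuple

InetdEntry = namedtuple("InetdEntry",
                        "service socktype proto wait user group program args")

# Shared accounts the message argues against lumping services under.
CATCH_ALL = {"daemon", "nobody"}

# Constructed sample, not any machine's real configuration.  The sendmail
# arguments are omitted because the thread does not state them.
SAMPLE_INETD_CONF = """\
# service  type    proto  wait        user       program                args
ftp        stream  tcp    nowait      root       /usr/libexec/ftpd      ftpd -l
smtp       stream  tcp    wait        smtp:smtp  /usr/sbin/sendmail     sendmail
finger     stream  tcp    nowait/3/10 nobody     /usr/libexec/fingerd   fingerd -s
ntalk      dgram   udp    wait        tty:tty    /usr/libexec/ntalkd    ntalkd
auth       stream  tcp    nowait      kmem:kmem  /usr/libexec/identd    identd -l
"""


def parse_inetd_conf(text):
    """Parse inetd.conf into InetdEntry records; comments and blanks are skipped.
    group is None when the entry relies on the user's primary group."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:
            raise ValueError("malformed inetd.conf line: %r" % raw)
        wait = fields[3].split("/", 1)[0]        # strip max-child limits
        user_spec = fields[4].split("/", 1)[0]   # strip login class
        user, _, group = user_spec.partition(":")
        entries.append(InetdEntry(fields[0], fields[1], fields[2], wait,
                                  user, group or None, fields[5], fields[6:]))
    return entries


def privileged_entries(entries):
    """Entries still running as root or under a shared catch-all account."""
    return [e for e in entries if e.user == "root" or e.user in CATCH_ALL]


def check_delivery_agent(path, owner_uid=0, mta_gid=None):
    """Problems with a setuid delivery agent laid out as the message proposes:
    owned by root, setuid, executable by the MTA group only, writable by
    nobody but the owner.  An empty list means the layout matches."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if st.st_uid != owner_uid:
        problems.append("owner is uid %d, expected %d" % (st.st_uid, owner_uid))
    if mta_gid is not None and st.st_gid != mta_gid:
        problems.append("group is gid %d, expected MTA gid %d" % (st.st_gid, mta_gid))
    if not mode & stat.S_ISUID:
        problems.append("setuid bit not set")
    if not mode & stat.S_IXGRP:
        problems.append("MTA group cannot execute it")
    if mode & stat.S_IRWXO:
        problems.append("world-accessible (mode %04o)" % mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by non-owner (mode %04o)" % mode)
    return problems


def audit_sample_agents():
    """Create two stand-in delivery agents in a temp dir and return their
    problems.  They are owned by the caller, so the expected owner is the
    caller's euid and the expected MTA group is the directory's gid (which is
    what a new file inherits on BSD, and the caller's egid on Linux)."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        mta_gid = os.stat(d).st_gid
        for name, mode in (("mail.local", 0o4750), ("mail.local.world", 0o4755)):
            path = os.path.join(d, name)
            with open(path, "w") as f:
                f.write("#!/bin/sh\n")
            os.chmod(path, mode)
            results[name] = check_delivery_agent(path, os.geteuid(), mta_gid)
    return results


if __name__ == "__main__":
    entries = parse_inetd_conf(SAMPLE_INETD_CONF)
    for e in privileged_entries(entries):
        print("%-8s runs as %s" % (e.service, e.user))
    for name, problems in audit_sample_agents().items():
        print("%-18s %s" % (name, problems or "ok"))
```

On a real host you would feed `/etc/inetd.conf` to `parse_inetd_conf` and call `check_delivery_agent("/usr/libexec/mail.local", 0, <gid of smtp>)`; the point of the group check is that a mode of 4755 hands the setuid program to every local user, which is exactly the misuse the 4750 root:smtp layout is meant to rule out.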
