Security through Permissiveness: A Zen Riddle?

From: Shane Kerr (shane@time-travellers.org)
Date: Thu Jul 12 2001 - 12:22:35 PDT

  • Next message: Jesse Pollard: "Re: Security through Permissiveness: A Zen Riddle?"

    Security Gurus,
    
    Okay, I admit I haven't actually downloaded any LSM kernel patches.  And
    I wasn't at the BOF.  In fact, I've only ever submitted a single (one
    line!) patch to the kernel.  So my concerns may be totally unfounded....
    
    Nevertheless, I consider one of the biggest problems with Unix security
    that root permission is required by network daemons.  Consider:
    
    NTP              - bind(), settimeofday()/adjtime()
    FTP/DNS          - bind(), possibly chroot() and setuid()
    SMTP/POP/IMAP    - bind(), read/write user's mail folders
    SSH              - bind(), setuid()
    DHCP             - bind() (and promiscuous mode?)
    HTTP/IRC/syslog  - bind()
    
    Now in some cases the application can setuid() to a non-root user, but
    not always (NTP, non-anonymous FTP, SMTP/POP/IMAP).  In most other
    cases, the application can drop capabilities, but this is not always
    true (for SSH at least).  This does make having applications reset on
    SIGHUP difficult sometimes.  More importantly, it violates the goal of
    assigning the least amount of privilege necessary to accomplish a
    specific task.
    
    I've seen it said over and over on this list:  security is hard and
    often programmers get it wrong simply because they're not security
    experts.  I agree!
    
    I've touched on this before, but I figure I may as well keep trying
    until I get an answer:  Is it possible to create an LSM with the current
    proposed model that will allow me to grant only a small subset of root
    privileges to a specific executable?  If not, is there another way to go
    about this (perhaps by using other hooks and dropping privileges for the
    processes - i.e. when exec() runs "ntpd" drop all privileges except for
    bind() and adjtime(), and when that process calls bind() drop that
    privilege - yuck)?
    
    In my mind, this is "permissive", and folks don't want to do that.  I
    think that may be a mistake - does that make any sense?
    
    Nervously yours,
    Shane
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
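The ntpd sequence the post sketches (start with only bind() and adjtime() privilege, give up bind() once the port is held) is what Linux capabilities express as CAP_NET_BIND_SERVICE and CAP_SYS_TIME. The following is an added example, not code from the post or from the LSM project: it calls capget()/capset() directly via syscall() so it needs no libcap, assumes Linux and a process that starts with the capabilities it narrows (a root daemon at startup), and the function names are my own.

```c
#define _GNU_SOURCE              /* for syscall() in <unistd.h> */
#include <linux/capability.h>   /* CAP_* numbers, capget/capset structs */
#include <sys/syscall.h>
#include <unistd.h>
#include <stdio.h>

long syscall(long number, ...);  /* glibc/musl prototype, repeated defensively */

/* Bit mask for capabilities 0..31, the layout of the first __user_cap_data_struct
 * word (CAP_NET_BIND_SERVICE = 10 and CAP_SYS_TIME = 25 both fit there). */
unsigned cap_mask(const int *caps, size_t n)
{
    unsigned m = 0;
    for (size_t i = 0; i < n; i++)
        if (caps[i] >= 0 && caps[i] < 32)
            m |= 1u << caps[i];
    return m;
}

/* Keep only the listed capabilities: everything else is cleared from the
 * permitted set (irreversible) and the effective set, and the inheritable set
 * is emptied so an exec()'d child starts with nothing. A second call with a
 * smaller list narrows further. Returns 0, or -1 with errno set by the kernel. */
int keep_only_caps(const int *caps, size_t n)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { { 0, 0, 0 }, { 0, 0, 0 } };
    unsigned keep = cap_mask(caps, n);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    data[0].permitted &= keep;
    data[0].effective &= keep;
    data[0].inheritable = 0;
    data[1].permitted = data[1].effective = data[1].inheritable = 0; /* caps >= 32 */
    return (int)syscall(SYS_capset, &hdr, data);
}

int main(void)
{
    const int at_start[] = { CAP_NET_BIND_SERVICE, CAP_SYS_TIME }; /* ntpd's needs */
    const int after_bind[] = { CAP_SYS_TIME };
    if (keep_only_caps(at_start, 2) != 0) { perror("capset"); return 1; }
    /* bind() the UDP port 123 socket here: CAP_NET_BIND_SERVICE still applies */
    if (keep_only_caps(after_bind, 1) != 0) { perror("capset"); return 1; }
    /* only CAP_SYS_TIME remains for adjtime(); a later low-port bind() fails */
    return 0;
}
```

Run unprivileged, both calls still succeed because narrowing an already-empty permitted set is always allowed; the effect is only visible when the process starts with the capabilities.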
    



    This archive was generated by hypermail 2b30 : Thu Jul 12 2001 - 12:23:23 PDT