Re: Minimizing the number of "setuid root" daemons

From: Juha Laiho (Juha.Laiho@iki.fi)
Date: 12/15/02 

From: Juha Laiho <Juha.Laiho@iki.fi>
Date: Sun, 15 Dec 2002 10:12:01 GMT

info_ns3@sundialservices.com said:
>What I /want/ is to be able to define flexible security-rules that would
>allow me to specify exactly what a particular privileged program can and
>cannot do. For example, "mail" might need to open Mail directories in
>various places but I'd like to specify a regular-expression governing
>exactly what files it may open and so on.

Do you really know what all is required?

Consider normal operation of sendmail - below are the issues that
I can think of right now:

startup:
- reads its own configuration
  (/etc/nsswitch.conf may be included)
  - possibly prepares to open sockets to f.ex. LDAP server,
    if configured to use LDAP for certain things
- reads system timezone configuration
- reads system DNS configuration
  (/etc/nsswitch.conf, /etc/resolv.conf)
- makes some DNS queries (to verify local hostname, etc)

mail reception:
- looks through various databases (mostly sendmail-
  specific files; LDAP connections may also happen at this point)
  - can look through /etc/passwd or whatever the system uses as the
    local account database
- can make various DNS queries (to verify the mail origin, perhaps
  to query blacklisted addresses)
- reads $HOME/.forward (with some alternative names) file of the
  receiving account
  - these may imply reading of other files, or even executing programs
    (and these files/programs can be something that were added to the
     .forward a second (or a microsecond..) before the message arrived)
- on Linux, will by default run procmail as the local delivery agent
  (... but, depending on your configuration can do something else)
  - procmail will then process another set of files (incl. the recipient
    mailbox)
- can send some mail back to the sender of the original message
  (delivery receipts)
- can, in some cases, file the message into the system-wide dead-letter
  file

I'll skip thinking of what all can be accessed when sending mail - and
I'm far from confident that I really included all relevant steps in the
above list. Another issue is, some files are opened through library
calls - so you can't get any indication of the file operation from
reading the sendmail source (and I suspect you're not prepared to read
through the full source of sendmail -- or any other mail transport, for
that matter).

So, while your idea is basically good, it's not practical. Daemons are
running with elevated privileges for a reason. If there's a bug within
them, fix the bug. Generic wrappers such as the one you propose are too
generic -- maintaining an overall database of allowed actions would be
a huge task, and prone to failures in itself (either rendering the system
partly unusable as some needed action was not included in the database,
or just not plugging some hole as some action that was allowed shouldn't
have been). At worst, the wrapper might even create a possibility for
a denial-of-service attack in itself.

As an example of too strict security creating a denial-of-service
situation, consider a login scheme which would lock an account for
a certain period of time if the account received some given number of
failed login attempts in some given timeframe. So, how does a cracker
keep himself good peace to work in a situation like this: easy, bomb
the administrative accounts with login attempts to make sure they keep
locked. 

-- 
Wolf  a.k.a.  Juha Laiho     Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
         PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)

Relevant Pages

  • Re: Error code = 4060
    ... which details the local groups the app pool identity must be a member of: ... configuration database, not the content database. ... > Accounts and Passwords" introduce the account of Application pool should ...
    (microsoft.public.sharepoint.portalserver.development)
  • Problem with Creating Content Sites (Active Directory) - RTF(ine)M!!
    ... I am deploying Windows Sharepoint Services to an Active Directory ... Configuration with Remote SQL and found that I was experiencing some issues. ... Make sure that each account you use (i.e. sharepoint_admin and ... Administrators, Process Administrators, and Database Creators. ...
    (microsoft.public.sharepoint.windowsservices)
  • Re: How to disable all this security?
    ... Again, as I said in previous post, you need to know which account is ... actually ruuning the ASP.NET app under different configuration. ... on SQL server and create user to database. ...
    (microsoft.public.vsnet.general)
  • Config for OLTP system
    ... extrenal disks fo the 60GByte database server. ... IBM Informix Dynamic Server Configuration Parameters ... # BUFFSIZE - OnLine no longer supports this configuration parameter. ...
    (comp.databases.informix)
  • Re: Please! Doesnt anyone know a better way to do this?
    ... account, they need to automatically be directed to the page to enter data ... session variable on the Account page. ... I assume here that you're checking a database when the user attempts to ... When a new user attempts to login or clicks to register, ...
    (microsoft.public.dotnet.framework.aspnet)