Bugtraq mailing list archives
Privilege (was Re: libresolv+ bug)
From: shaunl () MARCH CO UK (Shaun Lowry)
Date: Thu, 22 Aug 1996 09:53:49 +0100
Thomas Ptacek <tqbf () rdist org> writes:
You'd figure that at this point, we'd realize that one of the primary security issues we're dealing with is that Unix operating systems overload UID 0 hideously, in most cases opting to give any program that needs anything beyond normal user privileges full root access. Beyond that, no Unix OS I know of allows admins or programmers to reliably specify privileges in anything more than an "all or none" fashion
I hate to be seen to evangelise it too much, but SVR4.2 (UnixWare et al) give you precisely this sort of fine-grained control over the privileged actions a program can perform. It is perfectly feasible to strip the SUID bit from all system binaries, and merely initialise their privileges to a level that allows them to perform normally without blanket root access. A list of the privileges an executable may have (culled from intro(2) on a UnixWare 2.03 box) follows:

Following is a list of privileges as defined in sys/privilege.h:

 0  P_OWNER       Required to change the attributes of a file (that is, information kept in the file's inode) that is not owned by the effective uid of the calling process. See ``Access Permissions'' in the ``DEFINITIONS'' section below.
 1  P_AUDIT       Required to manipulate the security audit mechanisms.
 2  P_COMPAT      Overrides specific restrictions that are imposed solely for the confinement of covert channels.
 3  P_DACREAD     Overrides Discretionary Access Control (DAC) restrictions but only for operations that do not alter objects (that is, read and execute permissions). See ``Access Permissions'' in the ``DEFINITIONS'' section below.
 4  P_DACWRITE    Overrides Discretionary Access Control restrictions but only for operations that alter objects (that is, write permission). See ``Access Permissions'' in the ``DEFINITIONS'' section below.
 5  P_DEV         Required to set or get device security attributes, to change the device level when it is in private state, and to access a device when it is in private state. This privilege is also used for special ioctl for window management and to download trusted software to a terminal driver.
 6  P_FILESYS     Required for privileged operations on a file system that have relatively low sensitivity, including the creation of links to directories, setting the effective root directory, and making special files.
 7  P_MACREAD     Overrides Mandatory Access Control (MAC) restrictions but only for certain operations that do not alter objects. See ``Access Permissions'' in the ``DEFINITIONS'' section below.
 8  P_MACWRITE    Overrides Mandatory Access Control restrictions that involve the alteration of objects or other MAC-related attributes. See ``Access Permissions'' in the ``DEFINITIONS'' section below.
 9  P_MOUNT       Mount or unmount a file system or set and get the ceiling level of a file system.
10  P_MULTIDIR    Required for creation of multilevel directories.
11  P_SETPLEVEL   Required to change the security level of a process (including the process's own level), subject to some restrictions.
12  P_SETSPRIV    Administrative privilege required to set the inheritable and fixed privileges on files. This privilege overrides access and ownership restrictions.
13  P_SETUID      Required in order to set the real and effective user and group IDs of a process.
14  P_SYSOPS      Required to perform several general system operations that have only minor security implications.
15  P_SETUPRIV    Privilege required for an otherwise unprivileged process to set the inheritable and fixed privileges on a file. This privilege does not override access or ownership restrictions.
16  P_DRIVER      Provides compatibility with device drivers developed by third party vendors. It is used when a sensitive operation needs to be limited to a privileged process.
17  P_RTIME       Required by processes that do real-time operations.
18  P_MACUPGRADE  Allows processes to upgrade (change the existing level to a new dominating level) files.
19  P_FSYSRANGE   Override file system range restrictions.
20  P_SETFLEVEL   Required to change the security level of objects (for block or character special files that are in the public state only), subject to some restrictions.
21  P_AUDITWR     Required to write miscellaneous audit records to the audit trail.
22  P_TSHAR       Required to raise the priority of a time sharing process or to set the user priority limit to a value greater than 0.
23  P_PLOCK       Required to lock a process in memory.
24  P_CORE        Required to dump a core image of a process that is either privileged, setuid, or setgid. This privilege is not required to dump the core image of a process that does not meet the above conditions.
25  P_LOADMOD     Required to perform selective operations associated with loadable modules.
    P_ALLPRIVS    Represents all possible privileges.

So people, we have an example, and IMHO a very workable one. Let's hope more vendors see the light.

Shaun.

-- 
Shaun Lowry              | March Systems Ltd., http://www.march.co.uk/
PGP Key available        | 14 Brewery Court, High St.,
from key servers or      | Theale, UK. RG7 5AJ
via e-mail on request    | +44 118 930 4224
Current thread:
- Privilege (was Re: libresolv+ bug) Shaun Lowry (Aug 22)
- <Possible follow-ups>
- Re: Privilege (was Re: libresolv+ bug) Paul McNabb (Aug 22)