Firewall Wizards mailing list archives
Re: Securing FreeBSD 2.1.7.1
From: marc () sniff ct-net de
Date: Wed, 18 Feb 1998 20:52:25 +0000 (GMT)
Hello!
nuqneH,
(klingonase? ;-)
I am thinking on "hardening" FreeBSD 2.1.7.1 system to run a firewall on top of it.. by implementing "securelevel 3" with some system calls disabled/wrapped - like mount, mknod.. what else? Any ideas?
After some work integrating chroot() and setuid(nonroot) into sendmail, bind, [...] to secure my server a little bit I had to realize that hardening pop3 and ftp means to rewrite the existing code (qualcomm's popper and Wietse Venema's ftpd). Because these programs have to run as root for some time, chroot() isn't really a security win. You have to split the code into an authentication part and the part which does the real job, linked by a small change-uid program. (well, this is at least one way to deal with the problem). *sigh* The idea? Special privileges for some UID's. Imagine UID's able to change the uid to a value above some threshold but not down to zero/root. Perfect to run popper or ftpd in a secured manner. Or UID's able to bind to port 80 but nothing else, so the httpd is not able to set up outgoing connections by a CGI running wild. (o.k, I would not put apache/whatever on a firewall at all ;-) So one could run even very complex software without compromising the whole system (and the software will fail someday, right?). Maybe using the bits of a UID as on/off switches for this privileges coud be a simple way to store the informations? (I have to admit, I am not a CS/kernel expert.) Regards, Marc -- Marc Binderberger 97076 Wuerzburg, Germany marc () sniff ct-net de Powered by FreeBSD ;-)
Current thread:
- Securing FreeBSD 2.1.7.1 -= ArkanoiD =- (Feb 18)
- Re: Securing FreeBSD 2.1.7.1 Rudolf Schreiner (Feb 18)
- Re: Securing FreeBSD 2.1.7.1 marc (Feb 18)
- <Possible follow-ups>
- Securing FreeBSD 2.1.7.1 tqbf (Feb 18)