Firewall Wizards mailing list archives

Re: Ports and privileges


From: mcnabb () argus-systems com (Paul McNabb)
Date: Wed, 25 Feb 1998 09:12:17 -0600

 From: tqbf () secnet com
 Date: Tue, 24 Feb 1998 19:00:50 -0600 (CST)
 
 > The separation of "root" into multiple small privileges is exactly
 > what is done on many of the trusted operating systems.  When using
 > one of these systems as your webserver or firewall base, you avoid
 > many of the problems experienced with less secure operating systems.
 
 Of course, this only works with a kernel audit; many of the privileges
 that are currently guarded with, say, suser() in 4.4BSD, are equivalent to
 root, and not always in obvious ways. 
 
 Not that dividing up root is a bad thing (quite the opposite!), just that
 it's trickier than it seems to do it with maximal effectiveness.

The way I've seen it done on several different systems is that everywhere
in the kernel where there is a call to suser(), plus in new places that
never did any kind of check before, you replace suser() with a new call
that passes in some kind of flag indicating what privilege is required
at this point.  The newsuser() routine verifies that the process has
the required privilege, but doesn't use the UID in the check.  Some
systems actually use a mix of UID and other attributes in making the
decision.  Yes, this does require a thorough kernel audit and a lot of
expertise to make sure that the changes are really consistent and do
not allow anyone to "sneak around the back fence" to use an apparently
benign privilege to do something really nasty.  These are issues that
are addressed in the government certification processes.

paul

---------------------------------------------------------
Paul McNabb                     Argus Systems Group, Inc.
Vice President and CTO          1809 Woodfield Drive
mcnabb () argus-systems com        Savoy, IL 61874 USA
TEL 217-355-6308
FAX 217-355-1433                "Securing the Future"
---------------------------------------------------------
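As an added illustration (not code from the post or from any of the trusted systems it describes), here is a small user-space model of the substitution Paul describes: suser() decides on UID alone, while a hypothetical newsuser() takes a flag naming the privilege the caller needs and ignores the UID entirely. The privilege names, the struct layout and the two call sites are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical privilege bits; a real trusted system has its own names
 * and granularity.  The kernel audit Thomas mentions is what decides
 * which of these (PRIV_RAWIO, for instance) are really root-equivalent. */
#define PRIV_NET_BIND_LOW  (1u << 0)  /* bind a port below 1024 */
#define PRIV_FS_OVERRIDE   (1u << 1)  /* bypass DAC checks on files */
#define PRIV_SETUID        (1u << 2)  /* change process identity */
#define PRIV_RAWIO         (1u << 3)  /* raw device / memory access */

struct proc {
    unsigned int uid;    /* effective UID */
    uint32_t     privs;  /* set of privileges this process holds */
};

/* The classic 4.4BSD-style check: privilege is implied by UID 0. */
static int suser(const struct proc *p)
{
    return p->uid == 0;
}

/* The replacement: the caller states the privilege it needs and the
 * decision is made on the privilege set alone, never on the UID. */
static int newsuser(const struct proc *p, uint32_t required)
{
    return (p->privs & required) == required;
}

/* Two kernel paths that would previously have called suser(). */
static int bind_reserved_port(const struct proc *p, int port)
{
    if (port < 1024 && !newsuser(p, PRIV_NET_BIND_LOW))
        return -1;  /* would be EACCES in a real kernel */
    return 0;
}

static int open_bypassing_dac(const struct proc *p)
{
    return newsuser(p, PRIV_FS_OVERRIDE) ? 0 : -1;
}

int main(void)
{
    /* Constructed sample processes: UID 0 with no privileges, and an
     * unprivileged-UID web server holding only the bind privilege. */
    struct proc root_no_privs = { 0, 0 };
    struct proc httpd = { 65534, PRIV_NET_BIND_LOW };

    printf("suser(root)=%d  newsuser(root, BIND_LOW)=%d\n",
           suser(&root_no_privs), newsuser(&root_no_privs, PRIV_NET_BIND_LOW));
    printf("httpd bind 80: %d  httpd DAC override: %d\n",
           bind_reserved_port(&httpd, 80), open_bypassing_dac(&httpd));
    return 0;
}
```

Note that the UID 0 process is refused the reserved port while the UID 65534 web server gets it, which is the whole point of the substitution; the same web server is still refused the unrelated DAC-override privilege.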


