Subject: Re: secure, limited, privilege escalation (was: What's in my swap)
To: Geert Hendrickx <ghen@NetBSD.org>
From: Greg A. Woods <woods@weird.com>
List: current-users
Date: 08/03/2006 16:12:41

At Wed, 2 Aug 2006 14:42:47 +0200,
Geert Hendrickx wrote:
> 
> On Wed, Aug 02, 2006 at 02:39:01PM +0200, Johnny Billquist wrote:
> > Well, what did you expect when you added them to the operator group?  The
> > operator have read access to the raw devices. Security "risk"? You bet!
> > An operator can read anything on a disk. They need to, in order to make a
> > backup!
> 
> Then I think either:
> 
> - an exception should be made for *b devices, as swap is never backed up

Note that there's no rule that says /dev/*b devices are the only ones to
be used for swap -- that's just a (very) loose convention.

Also note that if a user in the operator group can read a raw disk then
that user can just as easily read any root-only file on any disk too
(e.g. /etc/master.passwd), and so giving users "operator" privs is
already leaning towards giving them nearly full access to the system
anyway.  The "operator" group is really only useful to prevent
fat-fingered mistakes and to provide very limited forms of audit control
in relatively trustworthy environments for "who done it" purposes
(i.e. after-the-fact auditing, assuming the audit trail is somehow even
more secure, which it likely won't be).


> - we should create separate groups to implement shutdown(8) and backup
>   privileges.

That's not so easy as it might seem.

Perhaps it would be better (though maybe not easier) to create carefully
crafted setuid utilities that can properly authenticate specified users
and offer them only very carefully limited commands.

See, for example, the following paper and web site:

	http://nob.cs.ucdavis.edu/bishop/secprog/1987-sproglogin.pdf

	http://nob.cs.ucdavis.edu/bishop/secprog/

-- 
						Greg A. Woods

H:+1 416 218-0098 W:+1 416 489-5852 x122 VE3TCP RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com>       Secrets of the Weird <woods@weird.com>
