Privilege (was Re: libresolv+ bug)
daemon@ATHENA.MIT.EDU (Shaun Lowry)
Thu Aug 22 14:30:15 1996
Date: Thu, 22 Aug 1996 09:53:49 +0100
Reply-To: Shaun Lowry <s.lowry@march.co.uk>
From: Shaun Lowry <shaunl@march.co.uk>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
Thomas Ptacek <tqbf@rdist.org> writes:
>You'd figure that at this point, we'd realize that one of the primary
>security issues we're dealing with is that Unix operating systems overload
>UID 0 hideously, in most cases opting to give any program that needs
>anything beyond normal user privileges full root access.
>
>Beyond that, no Unix OS I know of allows admins or programmers to reliably
>specify privileges in anything more than an "all or none" fashion
I hate to be seen to evangelise it too much, but SVR4.2 (UnixWare et al.)
gives you precisely this sort of fine-grained control over the privileged
actions a program can perform. It is perfectly feasible to strip the
SUID bit from all system binaries and merely initialise their
privileges to a level that allows them to perform normally without
blanket root access. A list of the privileges an executable may have
(culled from intro(2) on a UnixWare 2.03 box) follows:
Following is a list of privileges as defined in
sys/privilege.h:
0 P_OWNER
Required to change the attributes of a file (that is,
information kept in the file's inode) that is not owned
by the effective uid of the calling process. See
``Access Permissions'' in the ``DEFINITIONS'' section
below.
1 P_AUDIT
Required to manipulate the security audit mechanisms.
2 P_COMPAT
Overrides specific restrictions that are imposed solely
for the confinement of covert channels.
3 P_DACREAD
Overrides Discretionary Access Control (DAC)
restrictions but only for operations that do not alter
objects (that is, read and execute permissions). See
``Access Permissions'' in the ``DEFINITIONS'' section
below.
4 P_DACWRITE
Overrides Discretionary Access Control restrictions but
only for operations that alter objects (that is, write
permission). See ``Access Permissions'' in the
``DEFINITIONS'' section below.
5 P_DEV
Required to set or get device security attributes to
change the device level when it is in private state, and
to access a device when it is in private state. This
privilege is also used for special ioctl for window
management and to download trusted software to a
terminal driver.
6 P_FILESYS
Required for privileged operations on a file system that
have relatively low sensitivity, including the creation
of links to directories, setting the effective root
directory, and making special files.
7 P_MACREAD
Overrides Mandatory Access Control (MAC) restrictions
but only for certain operations that do not alter
objects. See ``Access Permissions'' in the
``DEFINITIONS'' section below.
8 P_MACWRITE
Overrides Mandatory Access Control restrictions that
involve the alteration of objects or other MAC-related
attributes. See ``Access Permissions'' in the
``DEFINITIONS'' section below.
9 P_MOUNT
Mount or unmount a file system or set and get the
ceiling level of a file system.
10 P_MULTIDIR
Required for creation of multilevel directories.
11 P_SETPLEVEL
Required to change the security level of a process
(including the process's own level), subject to some
restrictions.
12 P_SETSPRIV
Administrative privilege required to set the inheritable
and fixed privileges on files. This privilege overrides
access and ownership restrictions.
13 P_SETUID
Required in order to set the real and effective user and
group IDs of a process.
14 P_SYSOPS
Required to perform several general system operations
that have only minor security implications.
15 P_SETUPRIV
Privilege required for an otherwise unprivileged process
to set the inheritable and fixed privileges on a file.
This privilege does not override access or ownership
restrictions.
16 P_DRIVER
Provides compatibility with device drivers developed by
third party vendors. It is used when a sensitive
operation needs to be limited to a privileged process.
17 P_RTIME
Required by processes that do real-time operations.
18 P_MACUPGRADE
Allows processes to upgrade (change the existing level
to a new dominating level) files.
19 P_FSYSRANGE
Override file system range restrictions.
20 P_SETFLEVEL
Required to change the security level of objects (for
block or character special files that are in the public
state only), subject to some restrictions.
21 P_AUDITWR
Required to write miscellaneous audit records to the
audit trail.
22 P_TSHAR
Required to raise the priority of a time sharing process
or to set the user priority limit to a value greater
than 0.
23 P_PLOCK
Required to lock a process in memory.
24 P_CORE
Required to dump a core image of a process that is
either privileged, setuid, or setgid. This privilege is
not required to dump the core image of a process that
does not meet the above conditions.
25 P_LOADMOD
Required to perform selective operations associated with
loadable modules.
P_ALLPRIVS
Represents all possible privileges.
So, people, we have an example, and IMHO a very workable one. Let's hope more
vendors see the light.
Shaun.
--
Shaun Lowry | March Systems Ltd., http://www.march.co.uk/
PGP Key available | 14 Brewery Court, High St.,
from key servers or | Theale, UK. RG7 5AJ
via e-mail on request | +44 118 930 4224
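The post describes stripping the SUID bit and giving a binary only the privileges it needs, with "fixed" and "inheritable" privilege sets on files (see the P_SETSPRIV and P_SETUPRIV entries). The following C program is an added illustration of that model, written for this page; it is not code from the post, from UnixWare, or from any vendor, and it does not call the real UnixWare procpriv(2)/filepriv(2) interfaces. The privilege numbers are the ones listed above. Everything else is an assumption made for the example: the exec rule (a process's new maximum set is the file's fixed set plus whatever part of the file's inheritable set the caller already held, and the working set starts equal to the maximum), the working/maximum split, and the choice of P_DACWRITE plus P_OWNER as the set a passwd-style editor of a protected file would need.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Privilege numbers exactly as listed in intro(2) on UnixWare 2.03 (from the post). */
enum priv {
    P_OWNER = 0, P_AUDIT, P_COMPAT, P_DACREAD, P_DACWRITE, P_DEV, P_FILESYS,
    P_MACREAD, P_MACWRITE, P_MOUNT, P_MULTIDIR, P_SETPLEVEL, P_SETSPRIV, P_SETUID,
    P_SYSOPS, P_SETUPRIV, P_DRIVER, P_RTIME, P_MACUPGRADE, P_FSYSRANGE, P_SETFLEVEL,
    P_AUDITWR, P_TSHAR, P_PLOCK, P_CORE, P_LOADMOD,
    P_NPRIVS                      /* 26 privileges, so a 32-bit set suffices */
};

typedef uint32_t privset_t;
#define PRIV(p)    ((privset_t)1u << (p))
#define P_ALLPRIVS (PRIV(P_NPRIVS) - 1u)   /* "represents all possible privileges" */

/* Per-file sets, as named in the P_SETSPRIV/P_SETUPRIV entries. */
struct file_privs { privset_t fixed, inher; };

/* Per-process sets. ASSUMPTION for this example: a maximum set bounds a
 * working set; only working privileges are actually honoured by a check. */
struct proc_privs { privset_t max, work; };

/* ASSUMPTION (not stated in the post): on exec the new maximum set is the
 * file's fixed set plus those inheritable privileges the caller already had.
 * Fixed privileges are what replaces "SUID root": an unprivileged caller
 * still gets exactly them, and nothing more. */
struct proc_privs priv_exec(struct proc_privs caller, struct file_privs f)
{
    struct proc_privs np;
    np.max  = f.fixed | (f.inher & caller.max);
    np.work = np.max;
    return np;
}

/* The check a privileged operation performs: is the privilege in the working set? */
bool priv_check(const struct proc_privs *p, enum priv need)
{
    return (p->work & PRIV(need)) != 0;
}

/* Temporarily stop using privileges; they stay in the maximum set. */
void priv_drop(struct proc_privs *p, privset_t s) { p->work &= ~s; }

/* Re-enable privileges, but never beyond the maximum set. */
bool priv_raise(struct proc_privs *p, privset_t s)
{
    if ((s & ~p->max) != 0)
        return false;             /* asking for something we were never given */
    p->work |= s;
    return true;
}

/* Give privileges up for good (least privilege once the sensitive step is done). */
void priv_drop_max(struct proc_privs *p, privset_t s)
{
    p->max  &= ~s;
    p->work &= ~s;
}

/* Stand-alone demo: a SUID-root style binary versus a stripped one. */
int main(void)
{
    struct proc_privs user_shell = { 0, 0 };                    /* ordinary user */
    struct file_privs suid_root  = { P_ALLPRIVS, 0 };           /* "all or none" */
    struct file_privs passwd_ed  = { PRIV(P_DACWRITE) | PRIV(P_OWNER), 0 };  /* assumed need */

    struct proc_privs a = priv_exec(user_shell, suid_root);
    struct proc_privs b = priv_exec(user_shell, passwd_ed);

    printf("SUID-root style: can write protected file=%d, can mount=%d\n",
           priv_check(&a, P_DACWRITE), priv_check(&a, P_MOUNT));
    printf("stripped binary: can write protected file=%d, can mount=%d\n",
           priv_check(&b, P_DACWRITE), priv_check(&b, P_MOUNT));

    priv_drop_max(&b, PRIV(P_DACWRITE));   /* done editing; give it up */
    printf("after dropping: raise P_DACWRITE again? %d\n",
           priv_raise(&b, PRIV(P_DACWRITE)));
    return 0;
}
```

The contrast the post draws falls out of `priv_exec`: the stripped binary run from an unprivileged shell ends up with only its two fixed privileges, so a bug in it cannot be turned into a mount, a UID change or an audit-trail write, whereas the "all privileges fixed" binary is exactly the UID-0 overload the quoted message complains about. Inheritable-only privileges are worth noting too: they are only granted when the caller already holds them, which is how a helper can be made to do privileged work only when run from an already privileged context.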