Re: setuid for priv sockets?
Re: setuid for priv sockets?
- Subject: Re: setuid for priv sockets?
- From: Brian Mastenbrook <email@hidden>
- Date: Thu, 30 Oct 2008 18:09:13 -0500
On Oct 30, 2008, at 2:41 PM, Terry Lambert wrote:
For capabilities based security models, all the capabilities that
will ever be available to the OS are created when the OS is
started. The problem with this approach is that it ignores the
ability to enter and leave security associations, or otherwise find
some way to escalate privilege beyond what you start with; on top of
that, you have the problem of initialization. For a capabilities
based OS like EROS, this last one is side stepped by creating the OS
image instance with the instances preinitialized. But even so, the
model is a non-starter. Any time you join or leave a security
association, you must by definition engage in privilege escalation
and deescalation, or talk to a gatekeeper with the capability you
want to inherit, and which is therefore an attack surface. Even if
you solved that, you still have the problem of peer recognition,
and, up the chain of trust, that the person telling you to recognize
a peer is a person authorized to do so, etc..
I am somewhat confused by what you are saying, as my prior exposure to
the capabilities model is within the context of the actors model (for
example, as implemented in E) where it definitely is possible to
create a capability after the system is started. This is probably a
bit of a tangent for darwin-dev; I'd be happy to discuss further over
private mail.
Ironically, your straw man of privileged ports that you are putting
forward in this thread in order to argue this point was an attempt
at increasing the granularity of the UNIX security model. The idea
was that you escalated privilege as a result of install time rights
settings, obtained your privileged port, then dropped privilege.
The premise behind this is that machines were so expensive that only
trusted parties could afford to buy them, and therefore it was OK to
let root on one machine vouchsafe an identity to root on another
machine.
I would argue that at this point, I could impersonate any machine at
the wire traffic level using cheap hardware, and illicit network
connectivity is so easy to obtain, that the use of privileged ports
is largely useless, outside the computer equivalent of gated
communities.
I don't disagree with any of this. The reason I brought up privileged
ports is that this is one of the examples given in
BetterAuthorizationSample, and despite the complicated attempt to
provide only the ability to open up certain ports to the requesting
process, the ability to do anything which requires admin privileges is
provided to any process which is running as the requesting process's
user.
--
Brian Mastenbrook
email@hidden
http://brian.mastenbrook.net/
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden