From: Simon L. N. <si...@ni...> - 2003-04-19 12:44:09

On 2003.04.19 13:42:29 +0200, clemens fischer wrote:
> "Simon L. Nielsen" <si...@ni...>:
>
> > The way I read the samples / documentation it is used with the
> > setuid bit still on the programs. Wouldn't it be a bit more secure
> > (e.g. when cerber is not running) to remove the setuid bit from the
> > program and then use CerberNG to grant the additional needed
> > privileges (e.g. raw sockets for ping)?
>
> what do you mean "when cerber is not running"? then nothing special

When cerber is not loaded in the kernel for whatever reason. E.g. during an upgrade or due to a failure in cerber (AFAIR it unloads itself on failure at the moment).

> is going to happen and you need SUID (if your setup needs it).

Exactly, then the program will have full root permissions, and since I'm a paranoid admin I would prefer that the suid programs in question just fail instead of potentially being able to do nasty things. This is of course mainly for non-essential programs such as ping and traceroute, since it could cause problems in the case of e.g. su.

> cerber, if present, gets to examine the exec(2) before any program
> is run and _downgrades_ permissions if so defined in the policy. i'm
> not sure if you want a mix of programs downgraded, upgraded or left
> alone instead of just downgrading (or leaving alone).

Also, I prefer to upgrade permissions in all the cases where it is possible, due to the principle of least privilege.

> programmers don't know beforehand that cerber is installed, and they
> shouldn't be required to.

No, but the sysadmin can know this and remove setuid from the programs and make a cerber policy to give access.

> > I think CerberNG looks very interesting and rather simple to use
> > compared to MAC which I still can't figure out how to use :)
>
> what is MAC here?

Mandatory Access Control, a security framework in FreeBSD 5.
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mac.html

--
Simon L. Nielsen
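The fail-closed setup argued for above (strip the setuid bit from non-essential helpers such as ping and traceroute, then grant only the needed privilege through a cerber policy) starts with knowing which setuid binaries exist. The following shell audit is an added example written for this thread, not code from the CerberNG project or from either poster; it only enumerates and strips setuid bits on a directory tree you point it at and does not show CerberNG policy syntax, which it does not assume. The `DIR` and `FILE` arguments are placeholders.

```sh
#!/bin/sh
# Added example: inventory setuid binaries under a directory so an admin can
# decide which ones to make fail-closed (setuid bit removed, privilege granted
# by policy instead).  The cerber policy itself is out of scope here.

# list_setuid DIR : print the regular files below DIR that carry the setuid bit
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# count_setuid DIR : how many setuid files live below DIR
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# has_setuid FILE : succeed if FILE has the setuid bit set
has_setuid() {
    [ -u "$1" ]
}

# strip_setuid FILE : remove the setuid bit so the program no longer runs as
# its owner when no kernel policy module is loaded (fail closed, not open)
strip_setuid() {
    chmod u-s "$1"
}

# Usage: sh audit_setuid.sh DIR   -> lists setuid files below DIR
if [ $# -gt 0 ]; then
    list_setuid "$1"
fi
```

Run it against the tree that holds the network helpers you care about, review the list, and strip the bit only from programs whose privilege you have already granted by policy; leave su and anything whose failure would lock you out alone, as the poster notes.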