Subject: Re: Miscellaneous OS features: capabilities
To: None <current-users@NetBSD.org>
From: Charles Blundell <cb@kittenz.org>
List: current-users
Date: 08/11/2003 10:32:09
on Mon, Aug 11, 2003 at 01:02:46AM -0500, David Young wrote:
> On Mon, Aug 11, 2003 at 04:15:05AM +0000, Nate Hill wrote:
> > On Mon August 11 2003 02:14, David Young wrote:
> > > On Fri, Aug 08, 2003 at 07:39:22AM -0400, Sporleder, Matthew wrote:
> > > > Speaking of de-rooting-
> > > > Could you just add a /dev/ports/ directory or something along
> > > > those lines to then chown specific ports to any user you wanted:
> > > > <daemon>d, for example?

With systrace, you can control a process's network access mainly
at two points: the socket() call, and connect()/bind()/listen().
If you use systrace's privilege escalation ability, you can run
the process at some lower privilege, but still allow access to
specific privileged syscalls, such as binding to low ports.

e.g. in the systrace policy:
netbsd-socket: sockdom eq "AF_INET" and socktype eq "SOCK_STREAM" then permit
netbsd-bind: sockaddr eq "inet-[0.0.0.0]:80" then permit as root
netbsd-listen: permit
...
netbsd-fsread: filename match "/www/*" then permit

This requires systrace to keep root privileges, but the tracee does
not.  You can accomplish this with systrace -t loweruid program.

> > >   Take it a step further. Grant the daemon *process* only the
> > > privileges it needs, using the imaginary "cap" command.
> > >
> > > CAP(1)                       NetBSD Reference Manual                       CAP(1)
> > >
> > > NAME
> > >      cap - an imaginary program which runs a command with
> > > restricted privileges
> > >
> > 
> > This could be done quite easily. A nice front-end to a set-uid 
> > systrace is needed.
> 
>   No doubt, but it is not a little backward to use a set-uid program to
>   run a command with least privileges? =)

This is only if you wish to give processes privileges that they would
otherwise not have, e.g., starting a process when non-root but
wanting to use privileged ports. For most stuff, it is started when
the current user is root anyhow, so I guess you would not need such
a set-id helper.

If you run a systrace'd system, options IPNOPRIVPORTS may be
useful too.
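To make the policy fragment above concrete, here is an added simulation (not part of this message and not systrace's own code) of how rules of that shape are matched against the arguments of a traced system call. It assumes that rules are tried in order and the first match wins, that a syscall with no matching rule is denied (real systrace would instead prompt or apply its default), that `match` uses shell-style globbing, and it adds one constructed `deny` rule for `/etc/master.passwd` to the quoted policy so the denial path is exercised. The point it shows is the one made in the message: the tracee runs without root, and only the single `bind` to port 80 is elevated with `permit as root`.

```python
"""Simulation of systrace-style policy matching (constructed example)."""
import fnmatch
import re

# Constructed policy: the rules quoted in the message plus one deny rule.
POLICY_TEXT = """
Policy: /usr/sbin/httpd, Emulation: netbsd
netbsd-socket: sockdom eq "AF_INET" and socktype eq "SOCK_STREAM" then permit
netbsd-bind: sockaddr eq "inet-[0.0.0.0]:80" then permit as root
netbsd-listen: permit
netbsd-fsread: filename match "/www/*" then permit
netbsd-fsread: filename eq "/etc/master.passwd" then deny
"""

# One condition: <field> eq|match "<value>"
COND_RE = re.compile(r'(\w+)\s+(eq|match)\s+"([^"]*)"')


def parse_policy(text):
    """Return a list of (syscall, conditions, action, run_as) tuples."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("Policy:"):
            continue
        name, _, body = line.partition(":")  # first ':' separates the syscall
        body = body.strip()
        if " then " in body:
            cond_part, _, action = body.partition(" then ")
            conds = COND_RE.findall(cond_part)
            if not conds:
                raise ValueError("malformed condition: %s" % line)
        else:
            conds, action = [], body  # unconditional rule, e.g. "permit"
        action = action.strip()
        run_as = None
        if action.startswith("permit as "):
            # privilege elevation: the syscall is executed with this identity
            run_as = action[len("permit as "):].strip()
            action = "permit"
        if action not in ("permit", "deny"):
            raise ValueError("unknown action: %s" % action)
        rules.append((name.strip(), conds, action, run_as))
    return rules


def _cond_holds(cond, args):
    field, op, value = cond
    actual = args.get(field, "")
    if op == "eq":
        return actual == value
    return fnmatch.fnmatchcase(actual, value)  # assumption: glob semantics


def evaluate(rules, syscall, args):
    """Decide a syscall: returns ("permit"|"deny", run_as_user_or_None)."""
    for name, conds, action, run_as in rules:
        if name != syscall:
            continue
        if all(_cond_holds(c, args) for c in conds):
            return (action, run_as)  # assumption: first matching rule wins
    return ("deny", None)  # assumption: no rule matched -> deny


def trace_startup(rules):
    """Replay the calls a daemon makes at startup under the policy."""
    events = [
        ("netbsd-socket", {"sockdom": "AF_INET", "socktype": "SOCK_STREAM"}),
        ("netbsd-bind", {"sockaddr": "inet-[0.0.0.0]:80"}),
        ("netbsd-listen", {}),
        ("netbsd-fsread", {"filename": "/www/index.html"}),
        ("netbsd-fsread", {"filename": "/etc/master.passwd"}),
    ]
    return [(sc,) + evaluate(rules, sc, a) for sc, a in events]


if __name__ == "__main__":
    for syscall, action, run_as in trace_startup(parse_policy(POLICY_TEXT)):
        suffix = " as %s" % run_as if run_as else ""
        print("%-16s %s%s" % (syscall, action, suffix))
```

Running it prints one line per call; only the `netbsd-bind` line carries `as root`, and the read of `/etc/master.passwd` is denied even though the daemon was started under a low uid, which is exactly what the `-t loweruid` arrangement in the message buys you.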