cs161 2004 Lecture 18: Minimizing Privileges / Isolation

unix privileges intro
  user, group, any
  rwx (file / directory)
  root vs. normal
    root is needed for many random functions
  setuid, single-purpose programs
    setuid bit - be careful!
    setuid(), setreuid(), seteuid() - drop privs temporarily
    effective, real, saved
  setgid
    limit the damage to related files
    limit access to certain devices
  sidebar: dynamic group membership doesn't work
    some systems put you in a special "console" group
    just make a setgid program
    in other words, there is a revocation problem

privilege separation
  use a privileged parent

resource limits
  current / upper
  resources: memory, fds, total cpu, locks, processes
  not really a way to stop bad guys

chroot
  hard to manage: dynamic libraries, /etc/passwd
  escapable (chroot, "..", fchdir)
  frankly, poorly motivated
    mostly ftpd; compensated for "any" vs "world"
    root can still do nasty things with raw devices, kernel mem
    maybe it was easy to implement?

jail
  a better chroot
  applies to process view (signals, IPC)
  networking (specific IP addr)
  some privs disabled (raw net access, create device)

securelevel
  it would be nice if rebooting fixed everything
  when securelevel is raised, even root can't:
    unset certain file flags (system immutable, append only)
    write to kernel memory via /dev/mem and /dev/kmem
    load kernel modules
    mount raw devices rw
    alter ipfirewall(4) rules
  securelevel cannot be lowered!
  good idea? (you have to protect everything before securelevel is raised; is reboot protected?)

capabilities
  started in 2.1, still not readily available
  divvy up root:
    open a low port
    pin a memory page
    real-time scheduling
    raw scsi command (control other devices too)
    load a module
  securelevel functionality by a set of global caps
  three kinds of caps on procs: inheritable, effective, permitted
  three kinds on binaries (conceptually): allowed, forced, effective
    (effective is a sieve on the parent's effective mask; it's for dumb processes,
     since smart ones can use permitted caps)
  problems
    how to assign caps to binaries?
    much more complicated
    need a new api
    legacy checks are wrong
    apps need to drop new privs

lsm
  put hooks everywhere
  restrictive, not authoritative
  why not good for auditing? (may not get called, if a previous check ok's the access)

selinux
  instance of lsm
  mandatory access control
  creating the security policy is hard
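Added example for the setuid and privilege-separation notes (not the lecture's own code; the helper names, the `worker_report` struct and the pipe protocol are assumptions, and `getresuid()` assumes Linux or BSD). A privileged parent forks a worker; the worker drops to an unprivileged uid/gid permanently, proves the drop stuck by checking that `seteuid(0)` is refused, and reports its real/effective/saved triple back over a pipe. The parent keeps its privileges and reads only a fixed-size report.

```c
/* Added example: permanent privilege drop plus a privileged parent / unprivileged
 * worker split. Not from the lecture; names are illustrative assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the worker sends back to the privileged parent after dropping. */
struct worker_report {
    uid_t real, effective, saved;   /* the uid triple after the drop */
    int regain_failed;              /* 1 if seteuid(0) was refused afterwards */
};

/* Permanent drop: setgid before setuid (once the uid is gone we could no
 * longer change groups), then verify that the privilege really went away. */
int drop_privs_permanently(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0)  /* only root may clear groups */
        return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;  /* as root this sets real, effective AND saved */
    if (uid != 0 && seteuid(0) == 0)  /* if we can come back, the drop failed */
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid)
        return -1;
    return 0;
}

/* Fill in the current uid triple (getresuid: Linux/BSD extension). */
static void read_triple(struct worker_report *r) {
    getresuid(&r->real, &r->effective, &r->saved);
}

/* Privilege separation: the parent keeps its privileges and only reads a
 * fixed-size report; the child drops to (uid, gid) before doing any work.
 * Returns 0 and fills *out on success, -1 otherwise. */
int privsep_run_worker(uid_t uid, gid_t gid, struct worker_report *out) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                       /* ---- unprivileged worker ---- */
        close(fds[0]);
        struct worker_report r;
        memset(&r, 0, sizeof r);
        if (drop_privs_permanently(uid, gid) != 0) _exit(1);
        read_triple(&r);
        r.regain_failed = (uid != 0 && seteuid(0) != 0 && errno == EPERM);
        /* untrusted work would go here: there is no way back to root */
        if (write(fds[1], &r, sizeof r) != (ssize_t)sizeof r) _exit(2);
        _exit(0);
    }
    close(fds[1]);                        /* ---- privileged parent ---- */
    ssize_t n = read(fds[0], out, sizeof *out);
    close(fds[0]);
    int status;
    waitpid(pid, &status, 0);
    if (n != (ssize_t)sizeof *out || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return 0;
}

int main(void) {
    struct worker_report r;
    if (privsep_run_worker(getuid(), getgid(), &r) != 0) {
        perror("privsep_run_worker");
        return 1;
    }
    printf("worker ran as real=%u effective=%u saved=%u, seteuid(0) refused=%d\n",
           (unsigned)r.real, (unsigned)r.effective, (unsigned)r.saved, r.regain_failed);
    return 0;
}
```

Run as root you would pass a dedicated service uid/gid instead of `getuid()`/`getgid()`; the verification step is the part worth copying, because a drop that only changed the effective uid (as `seteuid()` does) leaves the saved uid as a way back.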
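Added example for the resource-limits notes (not from the lecture; the function names and the `/dev/null` probe are assumptions). It lowers the "current" (soft) file-descriptor limit under the "upper" (hard) one with `setrlimit(2)` and then shows the limit biting: `open()` starts failing with `EMFILE`. A second helper caps total CPU seconds, which is the limit that stops a runaway process without the program checking a clock.

```c
/* Added example: setrlimit on open files and CPU time. Not from the lecture. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <unistd.h>

int last_open_errno = 0;   /* why the last open() in count_openable() failed */

/* Lower the soft ("current") limit on file descriptors. An unprivileged
 * process may move the soft limit anywhere up to the hard ("upper") limit;
 * raising the hard limit itself needs root. */
int limit_open_files(rlim_t soft) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return -1;
    if (soft > rl.rlim_max) { errno = EPERM; return -1; }
    rl.rlim_cur = soft;
    return setrlimit(RLIMIT_NOFILE, &rl);
}

/* Open /dev/null until open() fails; return how many succeeded and
 * remember the errno (EMFILE once the per-process limit is hit). */
int count_openable(void) {
    int fds[512];
    int n = 0;
    last_open_errno = 0;
    while (n < 512) {
        int fd = open("/dev/null", O_RDONLY);
        if (fd < 0) { last_open_errno = errno; break; }
        fds[n++] = fd;
    }
    for (int i = 0; i < n; i++) close(fds[i]);
    return n;
}

/* Cap total CPU seconds: the kernel sends SIGXCPU at the soft limit and
 * SIGKILL at the hard limit. */
int limit_cpu_seconds(rlim_t soft, rlim_t hard) {
    struct rlimit rl;
    rl.rlim_cur = soft;
    rl.rlim_max = hard;
    return setrlimit(RLIMIT_CPU, &rl);
}

int main(void) {
    printf("before limit: could open %d descriptors\n", count_openable());
    if (limit_open_files(16) != 0) { perror("setrlimit"); return 1; }
    int n = count_openable();
    printf("after limit of 16: opened %d, then errno=%d (EMFILE=%d)\n",
           n, last_open_errno, EMFILE);
    printf("cpu limit set: %d\n", limit_cpu_seconds(60, 120) == 0);
    return 0;
}
```

Limits are per process and inherited across fork/exec, so a parent that sets them before exec'ing an untrusted child bounds that child too; as the notes say, this bounds accidents and resource exhaustion, not a determined attacker.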
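Added example for the capabilities notes (not from the lecture; the bit assignments, struct names and the combining rule are assumptions). It models the three process sets (inheritable, permitted, effective) and the three file sets (allowed, forced, effective) as bitmasks and applies the POSIX.1e-draft exec rule used by early Linux capability support, pP' = fP | (fI & pI), pI' = pI, pE' = pP' & fE, where the file's effective set acts as the sieve the notes describe. It then shows why a process that drops a capability from its permitted set cannot raise it again.

```c
/* Added example: capability set arithmetic across exec, plus drop/raise.
 * Not from the lecture; names and the combining rule are assumptions. */
#include <stdio.h>

typedef unsigned int capset_t;   /* one bit per capability */

enum {
    CAP_NET_BIND_SERVICE = 1u << 0,   /* open a low port */
    CAP_IPC_LOCK         = 1u << 1,   /* pin a memory page */
    CAP_SYS_NICE         = 1u << 2,   /* real-time scheduling */
    CAP_SYS_RAWIO        = 1u << 3,   /* raw device commands */
    CAP_SYS_MODULE       = 1u << 4,   /* load a module */
    CAP_ALL              = (1u << 5) - 1
};

struct proc_caps { capset_t inheritable, permitted, effective; };
/* allowed = what the binary may inherit from its parent (fI),
 * forced  = what it always gets (fP),
 * effective = sieve applied to the new permitted set (fE) */
struct file_caps { capset_t allowed, forced, effective; };

/* The exec transition: what the new process image holds. */
struct proc_caps exec_caps(struct proc_caps parent, struct file_caps file) {
    struct proc_caps child;
    child.inheritable = parent.inheritable;
    child.permitted   = file.forced | (file.allowed & parent.inheritable);
    child.effective   = child.permitted & file.effective;
    return child;
}

/* A "smart" process drops what it no longer needs from every set, so
 * neither it nor anything it execs can get the capability back. */
void drop_cap(struct proc_caps *p, capset_t c) {
    p->permitted   &= ~c;
    p->effective   &= ~c;
    p->inheritable &= ~c;
}

/* Raising into effective is only allowed for what is still permitted. */
int raise_cap(struct proc_caps *p, capset_t c) {
    if ((p->permitted & c) != c) return -1;
    p->effective |= c;
    return 0;
}

int has_cap(const struct proc_caps *p, capset_t c) { return (p->effective & c) == c; }

int main(void) {
    /* Constructed scenario: root's shell holds everything but passes on
     * only SYS_NICE via inheritable; httpd's binary is marked with the
     * low-port capability only. */
    struct proc_caps shell = { CAP_SYS_NICE, CAP_ALL, CAP_ALL };
    struct file_caps httpd = { 0, CAP_NET_BIND_SERVICE, CAP_NET_BIND_SERVICE };
    struct proc_caps srv = exec_caps(shell, httpd);
    printf("httpd: permitted=0x%x effective=0x%x module=%d\n",
           srv.permitted, srv.effective, has_cap(&srv, CAP_SYS_MODULE));
    /* A "dumb" legacy binary marked allowed=ALL gets only what the parent offered. */
    struct file_caps legacy = { CAP_ALL, 0, CAP_ALL };
    struct proc_caps leg = exec_caps(shell, legacy);
    printf("legacy: effective=0x%x\n", leg.effective);
    drop_cap(&srv, CAP_NET_BIND_SERVICE);   /* after bind(), nothing privileged left */
    printf("raise after drop: %d\n", raise_cap(&srv, CAP_NET_BIND_SERVICE));
    return 0;
}
```

The model makes the "problems" bullets concrete: the file sets have to be assigned per binary, legacy `uid == 0` checks say nothing about these bits, and a program that does not call `drop_cap` keeps everything `forced` gave it for its whole lifetime.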
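Added example for the lsm notes (not kernel code and not from the lecture; the toy `inode`/`task` structs, the hook name and the modules are assumptions). It models the shape of an LSM hook site: the existing discretionary (DAC) check runs first, and the module hook runs only if that check allowed the access and may only turn an allow into a deny. Both notes follow from this: a hook is restrictive rather than authoritative, and an auditing module sees only the attempts that reached it.

```c
/* Added example: a toy model of a restrictive security hook sitting behind
 * the DAC check. Not from the lecture; all names are assumptions. */
#include <stdio.h>

#define MAY_READ  1
#define MAY_WRITE 2

struct inode { unsigned owner; unsigned mode; };   /* owner bits only: 4=r, 2=w */
struct task  { unsigned uid; };

/* The classic check (toy): the owner gets the owner bits, others get nothing. */
static int dac_permission(const struct task *t, const struct inode *i, int mask) {
    unsigned allowed = (t->uid == i->owner) ? i->mode : 0;
    if ((mask & MAY_READ)  && !(allowed & 4)) return -1;
    if ((mask & MAY_WRITE) && !(allowed & 2)) return -1;
    return 0;
}

/* A module hook returns 0 to let the request through, nonzero to deny. */
typedef int (*inode_permission_hook)(const struct task *, const struct inode *, int);
static inode_permission_hook security_ops = 0;
int hook_calls = 0;   /* how often the module was actually consulted */

/* The kernel's combined decision: DAC first, module second. */
int inode_permission(const struct task *t, const struct inode *i, int mask) {
    int rc = dac_permission(t, i, mask);
    if (rc != 0)
        return rc;             /* hook never runs: it cannot see or override this */
    if (security_ops) {
        hook_calls++;
        rc = security_ops(t, i, mask);   /* may only deny */
    }
    return rc;
}

void register_security_module(inode_permission_hook h) {
    security_ops = h;
    hook_calls = 0;
}

/* Module 1: uid 1000 may never write, whatever the file mode says. */
int no_write_for_uid1000(const struct task *t, const struct inode *i, int mask) {
    (void)i;
    return (t->uid == 1000 && (mask & MAY_WRITE)) ? -1 : 0;
}

/* Module 2: tries to grant everything. It changes nothing, because DAC
 * denials never reach it and its 0 cannot override an earlier denial. */
int always_allow(const struct task *t, const struct inode *i, int mask) {
    (void)t; (void)i; (void)mask;
    return 0;
}

int main(void) {
    struct inode f = { 1000, 6 };          /* constructed: owned by 1000, rw */
    struct task alice = { 1000 }, bob = { 1001 };
    register_security_module(no_write_for_uid1000);
    printf("alice read:  %d\n", inode_permission(&alice, &f, MAY_READ));
    printf("alice write: %d  (DAC said yes, hook said no)\n", inode_permission(&alice, &f, MAY_WRITE));
    printf("bob read:    %d  hook calls so far: %d\n", inode_permission(&bob, &f, MAY_READ), hook_calls);
    register_security_module(always_allow);
    printf("bob read with permissive module: %d\n", inode_permission(&bob, &f, MAY_READ));
    return 0;
}
```

For an audit module the consequence is the second `hook_calls` value: bob's denied read never incremented it, so a log built from this hook alone under-counts refused accesses.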