Ethereal-dev: Re: [Ethereal-dev] Privilege Separation for Ethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Ulf Lamping <ulf.lamping@xxxxxx>
Date: Tue, 19 Oct 2004 21:23:59 +0200
James Walden wrote:

> Ulf Lamping wrote:
>
> > Having looked at the web about Privilege Separation at all, I didn't find good resources on the web; does someone have a good tip?
> >
> > However, as far as I understand it, it's about splitting a program into parts which then run at the lowest privilege they need to do their task, but not more.
>
> Yes, privilege separation is essentially just a way of following the Principle of Least Privilege by dividing the application into parts, each of which has limited privileges to perform only the required functions of that component.
>
> The best references I've found are those on privilege-separated openssh. You can find details, including a link to a PDF of Provos' 2003 USENIX paper, at
> http://www.citi.umich.edu/u/provos/ssh/privsep.html
>
> Wietse Venema's postfix mail server was also designed using the idea of privilege separation. You can find an architecture overview at
> http://www.postfix.org/OVERVIEW.html
>
> Here are a couple more online references on privilege separation:
> http://www.rstack.org/oudot/rmll/slides/8/privsep-en.pdf
> http://www.ece.cmu.edu/~dawnsong/papers/privtrans.pdf

I will have a look at those documents...

> > When looking at Ethereal about this topic, I think about two main parts:
> >
> > - live capturing from the network (usually requires root privileges) and putting that data on the hard disk. As the amount of capturing code is limited, this code could be reviewed with safety in mind, so it should be possible to make it "bullet proof" (well, you will never have 100% safe code)
> >
> > - decoding of protocols, showing them on the screen and all the other GUI related things (requires only user privileges, like opening files and such). As the dissection is spread across a lot of code, provided and maintained by a lot of different persons, it might be nearly impossible to get really bullet proof code from this (of course, trying to achieve security is always a good idea anyway).
> >
> > So this indicates that we should split the capturing of data from dissecting and showing it.
>
> I agree that those are the essential two cases, separating root privileges from user privileges, but I think Devin's idea of an additional separation of user file privileges from the protocol dissection part of ethereal, which doesn't need to touch files itself, is also good, as it would prevent malicious packets from trashing the running user's files or subverting his account.

Well, I do agree on Devin's idea for the reasons already explained.

But, what I always search for is getting the most benefit from the least effort (yes, I'm usually working on win32 :-). Separating the capturing engine from the rest shouldn't be too hard to achieve, I already have an idea about how to do that (will outline that in another mail) and this will get the most security benefit I would think.

Separating the dissection engine from the rest of the Ethereal code will be possible, of course. But that will be a lot of work IMHO (I don't have an idea how to do it, and to be honest don't even want to know for now), and that solution wouldn't get the security boost compared to the solution I've outlined.

It's just about judging the effort needed and the benefit gained from it. I'm just talking about what I'm able (and maybe going) to implement. Of course, I would be happy if someone assisted me on this topic.

Regards, ULFL
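The root/user split discussed in this thread, as an added example in C that is not code from Ethereal or from any poster: a privileged parent forwards a captured frame over a pipe to a child that permanently drops root before it parses a single byte, so a malicious frame can at most compromise the unprivileged side. The frame bytes are constructed, and the unprivileged uid/gid are assumed to be supplied by the caller.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <unistd.h>
#include <grp.h>
#include <sys/wait.h>
/* Constructed 14-byte Ethernet header (dst, src, EtherType 0x0800 = IPv4); not a real capture. */
static const uint8_t kFrame[14] = { 0x00,0x11,0x22,0x33,0x44,0x55,
                                    0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00 };
/* Permanently give up root (groups, then gid, then uid); a no-op when not started as root.
 * Returns 0 only if the process afterwards cannot become root again. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 &&
        (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;    /* drop was not permanent */
    return 0;
}

/* Dissector: handles attacker-controlled bytes, so it only ever runs without root.
 * Returns the EtherType, or -1 for a truncated frame. */
int dissect_frame(const uint8_t *buf, size_t len) {
    if (len < 14) return -1;
    return (buf[12] << 8) | buf[13];
}

/* Fork into a privileged capturing parent and an unprivileged dissecting child joined by pipes;
 * frames cross as length-prefixed records. Returns the dissected EtherType, or -1 on failure. */
int run_privsep(uid_t unpriv_uid, gid_t unpriv_gid) {
    int to_child[2], to_parent[2], result = -1, status;
    uint16_t n = sizeof kFrame;
    if (pipe(to_child) != 0 || pipe(to_parent) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                                   /* child: dissector */
        uint8_t buf[2048];
        close(to_child[1]); close(to_parent[0]);
        if (drop_privileges(unpriv_uid, unpriv_gid) != 0) _exit(1);
        if (read(to_child[0], &n, sizeof n) != (ssize_t)sizeof n || n > sizeof buf) _exit(1);
        if (read(to_child[0], buf, n) != (ssize_t)n) _exit(1);
        int type = dissect_frame(buf, n);
        if (write(to_parent[1], &type, sizeof type) != (ssize_t)sizeof type) _exit(1);
        _exit(0);
    }
    close(to_child[0]); close(to_parent[1]);          /* parent: privileged capture side */
    if (write(to_child[1], &n, sizeof n) != (ssize_t)sizeof n ||  /* Ethereal would read the interface here */
        write(to_child[1], kFrame, n) != (ssize_t)n ||
        read(to_parent[0], &result, sizeof result) != (ssize_t)sizeof result) result = -1;
    close(to_child[1]); close(to_parent[0]);
    waitpid(pid, &status, 0);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? result : -1;
}
```

The parent keeps root only for the capture side and never sees the dissector's parsing state; the child's setuid(0) check is what makes the drop verifiably permanent rather than just assumed.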