Re: Security issue? Daemon users has to much rights...

[Duncan Simpson <duncan@commercialuk.com>]

On Sun, 2004-10-24 at 15:30, Michael Stone wrote:
> On Sun, Oct 24, 2004 at 10:54:28AM +0200, Jan Lühr wrote:
> >What do you expect here? Of course there is a tradional unix approach (groups 
> >-ugly one I admit - and a more clean approach using posix  acls)
>

I think groups might be enough here. Just remember group access does not
have be more than other access. I could create a gorup called nobin and
do something like

# chgrp nobin /bin
# chmod 705 /bin
# chgrp nobin /usr/sbin/some_daemon
# chmod g+s /usr/sbin/some_daemon

After this, unless the daemon runs as root, when shell code tries to
execute /bin/sh it fails due to lack of search permission on /bin. You
coulld apply similar moves to individual binaries if you prefer. The
magic here is that the setgid access us *less* thgan you normally have.
You can probably limit access by setuid to a special user too.

POSIX acl's would allow you to do more in this line before you needed a
wrapper program (which could set several access reducing groups, chroot,
etc). SElinux gets you even further from what I have heard but make it
easy to shoot yourself in the foot.

(This sort of thing is often deemed "too much work" on vanilla systems,
especially ones protected by tight firewalls.)