[Olsr-dev] privilege separation for olsrd

Roar Bjørgum Rotvik (spam-protected)
Wed Oct 3 19:47:33 CEST 2012

On 10/03/2012 06:07 PM, Hans-Christoph Steiner wrote:
> I was just poking around OpenSSH for ideas for how olsrd could be a lot
> more secure.  The main issue right now is that olsrd does everything as
> root, even though it only needs root privileges for specific things
> (opening the socket on port 698 and editing the routing table).
> OpenSSH is a daemon that needs privileges for opening a socket on port
> 22, but then it does very little else as root.  It does this without
> using threads, but relies on multiple processes instead.  Here's two
> overviews of how openssh does it:
> http://www.citi.umich.edu/u/provos/ssh/privsep.html
> http://www.openbsd.org/papers/openssh-measures-asiabsdcon2007-slides.pdf

I understand that my suggestion is Linux-only, but what about posix

(and many other sites)

Capabilites divides root power in smaller pieces. For olsrd, it may work
to let olsrd drop all caps without CAP_NET_BIND_SERVICE/CAP_NET_ADMIN
(needed for priviledged network operations like take interface up/down,
I think this also work for netlink sockets). Or set caps in file
attribute in the filesystem.

But as I said, don't know if/how this is supported on other platforms.

Roar Bjørgum Rotvik

More information about the Olsr-dev mailing list