[Olsr-dev] privilege separation for olsrd
Roar Bjørgum Rotvik
(spam-protected)
Wed Oct 3 19:47:33 CEST 2012
On 10/03/2012 06:07 PM, Hans-Christoph Steiner wrote:
>
> I was just poking around OpenSSH for ideas for how olsrd could be a lot
> more secure. The main issue right now is that olsrd does everything as
> root, even though it only needs root privileges for specific things
> (opening the socket on port 698 and editing the routing table).
>
> OpenSSH is a daemon that needs privileges for opening a socket on port
> 22, but then it does very little else as root. It does this without
> using threads, but relies on multiple processes instead. Here are two
> overviews of how openssh does it:
>
> http://www.citi.umich.edu/u/provos/ssh/privsep.html
> http://www.openbsd.org/papers/openssh-measures-asiabsdcon2007-slides.pdf
I understand that my suggestion is Linux-only, but what about posix
capabilities?
http://www.linux-tutorial.info/modules.php?name=ManPage&sec=7&manpage=capabilities
http://www.friedhoff.org/posixfilecaps.html
(and many other sites)
Capabilities divide root power into smaller pieces. For olsrd, it may work
to let olsrd drop all caps except CAP_NET_BIND_SERVICE/CAP_NET_ADMIN
(needed for privileged network operations like taking an interface up/down;
I think this also works for netlink sockets). Or set caps as a file
attribute in the filesystem.
But as I said, I don't know if/how this is supported on other platforms.
Regards,
Roar Bjørgum Rotvik
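As an added illustration of the suggestion above (example code, not from the thread or from olsrd itself): a Linux daemon that keeps only CAP_NET_BIND_SERVICE and CAP_NET_ADMIN and drops every other root power, using the raw capget/capset syscalls so no libcap is needed. The function names and the KEEP_MASK constant are this example's own.

```c
/* Added example, not olsrd code. Linux-only: uses the capget/capset syscalls
 * directly. Applies to the calling thread only, so run it before spawning
 * threads (libcap's cap_set_proc() would cover all threads). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* The two capabilities the post says olsrd still needs (both < 32, so low word). */
#define KEEP_MASK ((1u << CAP_NET_BIND_SERVICE) | (1u << CAP_NET_ADMIN))

static int cap_get(struct __user_cap_header_struct *hdr,
                   struct __user_cap_data_struct *data)
{
    memset(hdr, 0, sizeof *hdr);
    hdr->version = _LINUX_CAPABILITY_VERSION_3; /* two 32-bit words per set */
    hdr->pid = 0;                               /* 0 = calling thread */
    return (int)syscall(SYS_capget, hdr, data);
}

/* Shrink permitted and effective to KEEP_MASK, intersected with what the
 * process already holds (capset can never add), and clear inheritable so
 * nothing leaks to children. Returns 0 on success, -errno on failure. */
int drop_to_network_caps(void)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[2];
    if (cap_get(&hdr, data) < 0)
        return -errno;
    data[0].permitted &= KEEP_MASK;
    data[0].effective = data[0].permitted;
    data[0].inheritable = 0;
    data[1].permitted = data[1].effective = data[1].inheritable = 0;
    if (syscall(SYS_capset, &hdr, data) < 0)
        return -errno;
    return 0;
}

/* Effective capability mask (low word) of the calling thread; 0 on error. */
uint32_t effective_caps_low(void)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[2];
    return cap_get(&hdr, data) < 0 ? 0 : data[0].effective;
}
```

After drop_to_network_caps() returns 0, binding port 698 and changing routes still work if those two caps were held, while the rest of root's powers are gone; the kept caps do not survive execve unless the binary carries matching file capabilities.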