[Olsr-dev] privilege separation for olsrd

Hans-Christoph Steiner (spam-protected)
Wed Oct 3 19:56:24 CEST 2012


One sshd process always has root, but what that process can do is
limited, then the rest is delegated to non-privileged processes that run
in a chroot.

olsrd needs root for netlink.  It does not need root for the txtinfo,
httpinfo, jsoninfo, etc. sockets or anything that those plugins do.  It
also doesn't need root for filesystem access.

Since olsrd is rarely built with any hardening at all, this means that
someone can exploit the OLSR port or any of the plugin ports and get
root privileges.  The hardening helps, but it's only one piece of the puzzle.

.hc

On 10/03/2012 12:50 PM, Ferry Huberts wrote:
> openssh doesn't use a netlink socket.
> 
> if you can get that to work without being root, then we can have priv sep.
> 
> On 03-10-12 18:07, Hans-Christoph Steiner wrote:
>>
>> I was just poking around OpenSSH for ideas for how olsrd could be a lot
>> more secure.  The main issue right now is that olsrd does everything as
>> root, even though it only needs root privileges for specific things
>> (opening the socket on port 698 and editing the routing table).
>>
>> OpenSSH is a daemon that needs privileges for opening a socket on port
>> 22, but then it does very little else as root.  It does this without
>> using threads, but relies on multiple processes instead.  Here's two
>> overviews of how openssh does it:
>>
>> http://www.citi.umich.edu/u/provos/ssh/privsep.html
>> http://www.openbsd.org/papers/openssh-measures-asiabsdcon2007-slides.pdf
>>
>> .hc
>>
> 
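The split described in the thread, as an added example that is not part of the original post and not olsrd or OpenSSH code: a parent process keeps its privileges and performs only one narrow, whitelisted operation, while a forked child drops privileges and then handles the untrusted input that would arrive on the txtinfo/httpinfo-style plugin sockets. Only a length-framed, validated request crosses the socketpair between them. Function names, the JSON request format, the `route_add`/`route_del` operation names and the constructed sample input are all assumptions for illustration; the parent records what it would apply instead of talking netlink, and the privilege drop is a no-op when the example is not started as root.

```python
import ipaddress
import json
import os
import socket
import struct

# Hypothetical privilege-separation skeleton in the OpenSSH style.
# Parent: keeps root, accepts only whitelisted requests (olsrd would do the
# netlink/routing-table change here). Child: drops root, parses untrusted input.

ALLOWED_OPS = {"route_add", "route_del"}   # hypothetical whitelist of operations
MAX_FRAME = 4096                           # cap on one request, bounds memory use


def drop_privileges(uid, gid, root_dir=None):
    """Irreversibly give up root: optional chroot, then gid, then uid.

    Returns True if privileges were dropped, False if not running as root
    (so the example also runs unprivileged).
    """
    if os.geteuid() != 0:
        return False
    if root_dir is not None:
        os.chroot(root_dir)
        os.chdir("/")
    os.setgroups([])   # clear supplementary groups while still root
    os.setgid(gid)     # gid before uid; the other order fails
    os.setuid(uid)
    try:               # verify the drop is real: regaining root must fail
        os.setuid(0)
    except PermissionError:
        return True
    raise RuntimeError("privilege drop did not stick")


def validate_request(raw):
    """Parse one request from the child; returns (op, prefix) or None."""
    try:
        msg = json.loads(raw.decode("utf-8"))
        op = msg["op"]
        prefix = ipaddress.ip_network(msg["dst"], strict=True)
    except (ValueError, KeyError, TypeError):
        return None
    if op not in ALLOWED_OPS:
        return None
    return op, str(prefix)


def send_frame(sock, payload):
    sock.sendall(struct.pack("!I", len(payload)) + payload)


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:          # peer closed: EOF
            return None
        buf += chunk
    return buf


def privileged_parent(sock):
    """Root side: read frames until EOF, apply only what validates."""
    decisions = []
    while True:
        header = recv_exact(sock, 4)
        if header is None:
            return decisions
        (length,) = struct.unpack("!I", header)
        if length > MAX_FRAME:   # misbehaving child: stop serving it
            return decisions
        body = recv_exact(sock, length)
        if body is None:
            return decisions
        req = validate_request(body)
        if req is None:
            decisions.append(("reject", body[:32]))
        else:
            # A real daemon would issue the netlink route change here.
            decisions.append(("apply", req[0], req[1]))


def unprivileged_child(sock, network_input, uid, gid):
    """Unprivileged side: drop root first, then forward raw peer input."""
    drop_privileges(uid, gid)
    for line in network_input:
        send_frame(sock, line)
    sock.close()


def run_privsep(network_input, uid=65534, gid=65534):
    parent_end, child_end = socket.socketpair()
    pid = os.fork()
    if pid == 0:
        parent_end.close()
        try:
            unprivileged_child(child_end, network_input, uid, gid)
        finally:
            os._exit(0)
    child_end.close()
    decisions = privileged_parent(parent_end)
    os.waitpid(pid, 0)
    return decisions


# Constructed sample input: what an untrusted peer might send to a plugin socket.
SAMPLE_INPUT = [
    b'{"op": "route_add", "dst": "10.0.0.0/24"}',
    b'{"op": "exec", "dst": "10.0.0.0/24"}',    # not in the whitelist
    b'not json at all',
    b'{"op": "route_del", "dst": "10.0.1.0/24"}',
]

if __name__ == "__main__":
    for decision in run_privsep(SAMPLE_INPUT):
        print(decision)
```

The point of the design is that a bug in the parsing side (the child) yields only an unprivileged process, and the privileged side exposes an interface small enough to audit: two operations, one prefix argument, bounded frame size. Run as root with a `root_dir` argument the child is additionally confined to a chroot.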