[Olsr-dev] privilege separation for olsrd

[Ferry Huberts]

I discussed all of this with Henning on multiple occasions and we always 
came to the conclusion that (to us) it's not worth the effort for olsrd v1.

For olsrd v2 we maybe want to have it but the focus is on getting things 
up and running.

That said, if anyone wants to implement it then they're welcome to do 
so. Just be warned that it has to be on a branch (since it's a major 
change) and that it will be closely scrutinised once proposed for merging.

On 03-10-12 19:47, Roar Bjørgum Rotvik wrote:
> On 10/03/2012 06:07 PM, Hans-Christoph Steiner wrote:
>>
>> I was just poking around OpenSSH for ideas for how olsrd could be a lot
>> more secure.  The main issue right now is that olsrd does everything as
>> root, even though it only needs root privileges for specific things
>> (opening the socket on port 698 and editing the routing table).
>>
>> OpenSSH is a daemon that needs privileges for opening a socket on port
>> 22, but then it does very little else as root.  It does this without
>> using threads, but relies on multiple processes instead.  Here's two
>> overviews of how openssh does it:
>>
>> http://www.citi.umich.edu/u/provos/ssh/privsep.html
>> http://www.openbsd.org/papers/openssh-measures-asiabsdcon2007-slides.pdf
>
> I understand that my suggestion is Linux-only, but what about posix
> capabilites?
>
> http://www.linux-tutorial.info/modules.php?name=ManPage&sec=7&manpage=capabilities
> http://www.friedhoff.org/posixfilecaps.html
> (and many other sites)
>
> Capabilites divides root power in smaller pieces. For olsrd, it may work
> to let olsrd drop all caps without CAP_NET_BIND_SERVICE/CAP_NET_ADMIN
> (needed for priviledged network operations like take interface up/down,
> I think this also work for netlink sockets). Or set caps in file
> attribute in the filesystem.
>
> But as I said, don't know if/how this is supported on other platforms.
>
> Regards,
> Roar Bjørgum Rotvik
>
>

-- 
Ferry Huberts