[Olsr-dev] privilege separation for olsrd

Hans-Christoph Steiner
Wed Oct 3 21:37:04 CEST 2012


Makes sense to me. I'm going to focus on the gcc hardening flags for
now, and get them incorporated into the Debian package.  Then I think we
should consider adding them to the relevant Makefiles in olsrd.

For something like OpenWRT, I don't think the hardening is so important
since an OpenWRT mesh node is very unlikely to contain other data.  For
olsrd running on people's laptops and phones, that makes it a much more
appealing target.

.hc

On 10/03/2012 02:54 PM, Ferry Huberts wrote:
> I discussed all of this with Henning on multiple occasions and we always
> came to the conclusion that (to us) it's not worth the effort for olsrd v1.
> 
> For olsrd v2 we maybe want to have it but the focus is on getting things
> up and running.
> 
> That said, if anyone wants to implement it then they're welcome to do
> so. Just be warned that it has to be on a branch (since it's a major
> change) and that it will be closely scrutinised once proposed for merging.
> 
> On 03-10-12 19:47, Roar Bjørgum Rotvik wrote:
>> On 10/03/2012 06:07 PM, Hans-Christoph Steiner wrote:
>>>
>>> I was just poking around OpenSSH for ideas for how olsrd could be a lot
>>> more secure.  The main issue right now is that olsrd does everything as
>>> root, even though it only needs root privileges for specific things
>>> (opening the socket on port 698 and editing the routing table).
>>>
>>> OpenSSH is a daemon that needs privileges for opening a socket on port
>>> 22, but then it does very little else as root.  It does this without
>>> using threads, but relies on multiple processes instead.  Here's two
>>> overviews of how openssh does it:
>>>
>>> http://www.citi.umich.edu/u/provos/ssh/privsep.html
>>> http://www.openbsd.org/papers/openssh-measures-asiabsdcon2007-slides.pdf
>>
>> I understand that my suggestion is Linux-only, but what about POSIX
>> capabilities?
>>
>> http://www.linux-tutorial.info/modules.php?name=ManPage&sec=7&manpage=capabilities
>>
>> http://www.friedhoff.org/posixfilecaps.html
>> (and many other sites)
>>
>> Capabilities divide root power into smaller pieces. For olsrd, it may work
>> to let olsrd drop all caps except CAP_NET_BIND_SERVICE/CAP_NET_ADMIN
>> (needed for privileged network operations like taking an interface up/down;
>> I think this also works for netlink sockets). Or set caps as a file
>> attribute in the filesystem.
>>
>> But as I said, don't know if/how this is supported on other platforms.
>>
>> Regards,
>> Roar Bjørgum Rotvik
>>
>>
> 
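The capability drop Roar suggests, written out as an added example in C. This is not olsrd code: the unprivileged uid/gid 65534 and the two-capability list are assumptions for illustration, and it talks to capget(2)/capset(2) through syscall(2) so it needs no libcap. The order matters and is the point of the example: do the privileged work first (bind to 698, open the routing socket), then leave uid 0 while keeping the permitted set, then trim that set to CAP_NET_ADMIN and CAP_NET_BIND_SERVICE, then forbid regaining privilege.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38   /* Linux 3.5+; older headers lack the define */
#endif

/* Assumed for the example: the two capabilities the thread says olsrd needs. */
static const int OLSRD_CAPS[] = { CAP_NET_ADMIN, CAP_NET_BIND_SERVICE };
#define OLSRD_NCAPS (sizeof OLSRD_CAPS / sizeof OLSRD_CAPS[0])

/* Raw capget(2)/capset(2). Version 3 of the interface carries each set as
 * two 32-bit words; pid 0 means the calling thread. */
static int capget_v3(struct __user_cap_data_struct data[2])
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int)syscall(SYS_capget, &hdr, data);
}

static int capset_v3(struct __user_cap_data_struct data[2])
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int)syscall(SYS_capset, &hdr, data);
}

/* Turn a list of CAP_* numbers into the two-word bitmask the syscalls use. */
void caps_to_mask(const int *caps, size_t ncaps, uint32_t mask[2])
{
    mask[0] = mask[1] = 0;
    for (size_t i = 0; i < ncaps; i++)
        mask[caps[i] / 32] |= (uint32_t)1 << (caps[i] % 32);
}

/* Permitted set of the calling thread; 0 on success, -1 on error. */
int get_permitted(uint32_t out[2])
{
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (capget_v3(data) < 0)
        return -1;
    out[0] = data[0].permitted;
    out[1] = data[1].permitted;
    return 0;
}

/* Reduce the thread to (current permitted AND wanted). Intersecting instead
 * of assigning keeps this a pure drop: capset(2) refuses to add anything,
 * so an unprivileged caller ends with an empty set and a root caller keeps
 * only the listed capabilities. */
int keep_only_caps(const int *caps, size_t ncaps)
{
    struct __user_cap_data_struct data[2];
    uint32_t want[2];

    memset(data, 0, sizeof data);
    if (capget_v3(data) < 0)
        return -1;
    caps_to_mask(caps, ncaps, want);
    for (int i = 0; i < 2; i++) {
        data[i].permitted &= want[i];
        data[i].effective = data[i].permitted;  /* effective must be within permitted */
        data[i].inheritable = 0;                /* never hand caps to an exec'd child */
    }
    return capset_v3(data);
}

/* 1 if every capability left in the permitted set is in the list, else 0; -1 on error. */
int permitted_within(const int *caps, size_t ncaps)
{
    uint32_t perm[2], want[2];
    if (get_permitted(perm) < 0)
        return -1;
    caps_to_mask(caps, ncaps, want);
    return (perm[0] & ~want[0]) == 0 && (perm[1] & ~want[1]) == 0;
}

/* The full drop a daemon started as root would do after its privileged setup.
 * Leaving uid 0 normally clears the permitted set; PR_SET_KEEPCAPS preserves
 * it, the kernel still clears the effective set, and keep_only_caps() then
 * re-enables exactly the wanted subset. PR_SET_NO_NEW_PRIVS stops the process
 * regaining privilege via setuid or file-capability binaries. */
int drop_privileges(uid_t uid, gid_t gid, const int *caps, size_t ncaps)
{
    if (geteuid() == 0) {
        if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) return -1;
        if (setgroups(0, NULL) < 0) return -1;
        if (setresgid(gid, gid, gid) < 0) return -1;
        if (setresuid(uid, uid, uid) < 0) return -1;
    }
    if (keep_only_caps(caps, ncaps) < 0) return -1;
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

int main(void)
{
    uint32_t perm[2];
    if (drop_privileges(65534, 65534, OLSRD_CAPS, OLSRD_NCAPS) < 0) {
        perror("drop_privileges");
        return 1;
    }
    if (get_permitted(perm) < 0) { perror("capget"); return 1; }
    printf("uid=%u permitted=%08x%08x net_admin=%d sys_admin=%d\n",
           (unsigned)getuid(), (unsigned)perm[1], (unsigned)perm[0],
           !!(perm[0] & (1u << CAP_NET_ADMIN)), !!(perm[0] & (1u << CAP_SYS_ADMIN)));
    return 0;
}
```

Run as root it prints a permitted set containing only bits 10 and 12 and a uid of 65534; run as a normal user the set is empty, which is the intended behaviour of a pure drop. The file-attribute alternative Roar mentions is `setcap cap_net_admin,cap_net_bind_service=ep /path/to/olsrd`, after which the binary can be started by a non-root user and no uid switch is needed, but the trim-and-lock part above still applies. Two caveats: capabilities are per thread, so the drop has to happen before any thread or plugin that must not have them is started, and CAP_NET_ADMIN alone still lets a compromised process rewrite every route, interface and netfilter table over netlink, so this narrows the blast radius rather than removing it; it complements, rather than replaces, the OpenSSH-style split into a privileged monitor and an unprivileged worker.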