[Olsr-dev] privilege separation for olsrd
Ferry Huberts
(spam-protected)
Thu Oct 4 08:10:06 CEST 2012
On 04-10-12 00:32, Henning Rogge wrote:
> I would also like to continue the discussion...
>
> Routing setup and socket creation are the main operations that need
> root... and I think routing setup needs always root, not only when we
> create the netlink socket.
>
> On Wed, Oct 3, 2012 at 9:37 PM, Hans-Christoph Steiner
> <(spam-protected)> wrote:
>>
>> Makes sense to me. I'm going to focus on the gcc hardening flags for
>> now, and get them incorporated into the Debian package. Then I think we
>> should consider adding them to the relevant Makefiles in olsrd.
>
> Good idea...
>
> if there are any bugs when we run with -O2, just post them here...
> should be trivial to fix.
>
we have been running with -O2 for a long time now and have not
encountered any issue (that we know of)
> The new framework already compiles on -Os and -O2/-O3, so it should be
> easy to move this code to "hardened".
>
> Henning
>
>> For something like OpenWRT, I don't think the hardening is so important
>> since an OpenWRT mesh node is very unlikely to contain other data on
>> it. For olsrd running on people's laptops and phones, that makes it
>> a much more appealing target.
>>
>> .hc
>>
>> On 10/03/2012 02:54 PM, Ferry Huberts wrote:
>>> I discussed all of this with Henning on multiple occasions and we always
>>> came to the conclusion that (to us) it's not worth the effort for olsrd v1.
>>>
>>> For olsrd v2 we maybe want to have it but the focus is on getting things
>>> up and running.
>>>
>>> That said, if anyone wants to implement it then they're welcome to do
>>> so. Just be warned that it has to be on a branch (since it's a major
>>> change) and that it will be closely scrutinised once proposed for merging.
>>>
>>> On 03-10-12 19:47, Roar Bjørgum Rotvik wrote:
>>>> On 10/03/2012 06:07 PM, Hans-Christoph Steiner wrote:
>>>>>
>>>>> I was just poking around OpenSSH for ideas for how olsrd could be a lot
>>>>> more secure. The main issue right now is that olsrd does everything as
>>>>> root, even though it only needs root privileges for specific things
>>>>> (opening the socket on port 698 and editing the routing table).
>>>>>
>>>>> OpenSSH is a daemon that needs privileges for opening a socket on port
>>>>> 22, but then it does very little else as root. It does this without
>>>>> using threads, but relies on multiple processes instead. Here are two
>>>>> overviews of how openssh does it:
>>>>>
>>>>> http://www.citi.umich.edu/u/provos/ssh/privsep.html
>>>>> http://www.openbsd.org/papers/openssh-measures-asiabsdcon2007-slides.pdf
>>>>
>>>> I understand that my suggestion is Linux-only, but what about posix
>>>> capabilities?
>>>>
>>>> http://www.linux-tutorial.info/modules.php?name=ManPage&sec=7&manpage=capabilities
>>>>
>>>> http://www.friedhoff.org/posixfilecaps.html
>>>> (and many other sites)
>>>>
>>>> Capabilities divide root power into smaller pieces. For olsrd, it may work
>>>> to let olsrd drop all caps except CAP_NET_BIND_SERVICE/CAP_NET_ADMIN
>>>> (needed for privileged network operations like taking an interface up/down;
>>>> I think this also works for netlink sockets). Or set caps in the file
>>>> attribute in the filesystem.
>>>>
>>>> But as I said, don't know if/how this is supported on other platforms.
>>>>
>>>> Regards,
>>>> Roar Bjørgum Rotvik
>>>>
>>>>
>>>
>>
>> --
>> Olsr-dev mailing list
>> (spam-protected)
>> https://lists.olsr.org/mailman/listinfo/olsr-dev
>
>
>
--
Ferry Huberts
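The capability-dropping approach Roar describes above (keep only CAP_NET_BIND_SERVICE and CAP_NET_ADMIN, drop the rest) as an added example; this is not olsrd code and not from anyone in this thread. It uses the raw capget/capset syscalls so it needs no libcap, and the function names are my own. Linux-only, like the suggestion itself.

```c
/* Added example (not olsrd code): keep only the two capabilities olsrd is
 * said to need, bind port 698 and change routes, and drop every other one. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Both caps live in the first 32-bit word of the v3 capability ABI. */
#define OLSRD_CAP_MASK ((1u << CAP_NET_BIND_SERVICE) | (1u << CAP_NET_ADMIN))

/* Read the current effective/permitted/inheritable sets (two words each). */
static int read_caps(struct __user_cap_data_struct data[2])
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    memset(data, 0, 2 * sizeof(data[0]));
    return (int)syscall(SYS_capget, &hdr, data);
}

/* Intersect every set with OLSRD_CAP_MASK. Only bits are removed, so this
 * never needs CAP_SETPCAP and also works when started unprivileged (all
 * sets already empty). The kernel lowers ambient caps automatically when
 * the matching permitted/inheritable bits go away. Returns 0 on success. */
int drop_caps_except_olsrd(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    if (read_caps(data) != 0)
        return -1;
    data[0].effective   &= OLSRD_CAP_MASK;
    data[0].permitted   &= OLSRD_CAP_MASK;
    data[0].inheritable &= OLSRD_CAP_MASK;
    memset(&data[1], 0, sizeof(data[1]));  /* caps 32..63: none needed */
    return (int)syscall(SYS_capset, &hdr, data);
}

/* Returns 1 if any capability outside the olsrd mask is still held,
 * 0 if the process is confined to the mask, -1 on capget failure. */
int holds_unneeded_caps(void)
{
    struct __user_cap_data_struct data[2];
    if (read_caps(data) != 0)
        return -1;
    unsigned int lo = data[0].effective | data[0].permitted | data[0].inheritable;
    unsigned int hi = data[1].effective | data[1].permitted | data[1].inheritable;
    return ((lo & ~OLSRD_CAP_MASK) != 0 || hi != 0) ? 1 : 0;
}

int main(void)
{
    if (drop_caps_except_olsrd() != 0) { perror("capset"); return 1; }
    printf("unneeded caps held: %s\n", holds_unneeded_caps() ? "yes" : "no");
    return 0;
}
```

Run as root the process keeps exactly the two masked caps; run unprivileged it simply stays at zero. The bounding set and file capabilities (Roar's second option, via setcap on the binary) are separate mechanisms not shown here.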