[bind10-dev] Privileged socket creation
Shane Kerr
shane at isc.org
Thu May 27 05:56:57 UTC 2010
Jeremy,
On Wed, 2010-05-26 at 07:59 -0500, Jeremy C. Reed wrote:
> > The algorithm for the boss process will be:
> >
> > 1. Drop all permissions other than the ability to setuid(),
> > chroot(), and bind() to a specific port.
>
> How?
There is no standard way to do this, since the POSIX effort to
standardize failed for some reason. There are however a number of
proprietary ways to do this.
In Linux, with capabilities:
http://www.linux.com/learn/docs/man/2637-capabilities7
In Solaris, with privileges:
http://developers.sun.com/solaris/articles/program_privileges.html
In OpenBSD, I think this is done with an external command, so that you
never get privileges to begin with:
http://www.openbsd.org/cgi-bin/man.cgi?query=systrace&sektion=1#PRIVILEGE+ELEVATION
The TrustedBSD folks seem to think that this sort of thing will someday
come to FreeBSD, but I didn't find any mention of it in the FreeBSD 8 or
FreeBSD 9 stuff online:
http://www.trustedbsd.org/privileges.html
Maybe GNU Hurd will get it first:
http://www.gnu.org/software/hurd/community/gsoc/project_ideas/libcap.html
> For the sandbox, who is doing the fork()? The bind10 or the
> PrivilegedSocketCreator? I can't guess because it doesn't then say child
> bind10 will exec the PrivilegedSocketCreator nor does it say that the
> first PrivilegedSocketCreator (the parent) will exit. (I think it needs
> one or the other.)
The parent process has to do the fork(), so in this case bind10 (the
boss process). The standard way to run a separate program is fork()
followed by exec(), and I don't propose we change that model. (I'm not
even sure how one would change that model...)
#include <sys/wait.h>
#include <unistd.h>

// Run "path" with argument vector "argv" as a child process; returns its pid.
pid_t run_child(const char *path, char *const argv[]) {
    pid_t fork_ret = fork();
    if (fork_ret == -1) {
        // handle error: no child was created
        // return or break or goto or throw...
        return -1;
    }
    if (fork_ret == 0) {
        // child process: replace it with the target program
        execv(path, argv);
        // exec() only returns on failure; _exit() so the parent's code never runs here
        _exit(127);
    }
    // parent process: fork_ret is the child's pid (reap it later with waitpid())
    return fork_ret;
}
> Also need to take in consideration that logging (bind10 or other
> modules other than PrivilegedSocketCreator) may be started as root
> and then may later be done as a different user. (If using syslog that is
> not a problem.)
I think we'll not do any logging in the PrivilegedSocketCreator. It's a
little extra work for the boss process, but it simplifies the other
application.
> May want to code this considering the use of SELinux, Linux or POSIX
> capabilities, or TrustedBSD extensions to allow running as non-root.
That was my intention.
> We may want to look at authbind.
> http://en.wikipedia.org/wiki/Authbind
> (even though it may not be portable, is written in C and doesn't know
> IPv6 it may have some ideas.)
That is cool. I think that is a nice system-wide solution. It only runs
on Linux sadly, and only on some distributions, so I don't think we can
count on it. Since it's GPL we can't just steal it and ship it with our
stuff either. ;)
--
Shane
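The fork/exec hand-off discussed in this message, carried one step further to show the boss process receiving the socket the creator bound: an added example in C, not code from the thread or from BIND 10. It assumes the descriptor is passed back over a Unix socketpair with SCM_RIGHTS (the thread does not say how the socket reaches the boss), binds 127.0.0.1 port 0 so it runs without privileges, and keeps the child inline where the real design would exec() a separate PrivilegedSocketCreator program.

```c
/* Added example, not BIND 10 code: the boss forks a socket-creator child that
 * bind()s a listener and passes the descriptor back over a Unix socketpair with
 * SCM_RIGHTS.  Assumed: loopback/port 0 (runs unprivileged), child runs inline. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Create a TCP listening socket bound to 127.0.0.1:port; returns fd or -1. */
static int create_listener(uint16_t port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port),
                              .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 8) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Pass one descriptor over the Unix-domain channel; 0 on success. */
static int send_fd(int chan, int fd) {
    char byte = 'S';
    struct iovec iov = { &byte, 1 };
    char buf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg;
    memset(buf, 0, sizeof buf);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = buf; msg.msg_controllen = sizeof buf;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; -1 if the message carried no SCM_RIGHTS. */
static int recv_fd(int chan) {
    char byte;
    struct iovec iov = { &byte, 1 };
    char buf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = buf; msg.msg_controllen = sizeof buf;
    if (recvmsg(chan, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (c == NULL || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS)
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Boss side: fork the creator, collect the socket it bound, reap the child.
 * Returns the listening descriptor, or -1 if the child failed or sent none. */
int boss_obtain_listener(uint16_t port) {
    int chan[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, chan) < 0) return -1;
    pid_t pid = fork();
    if (pid == -1) { close(chan[0]); close(chan[1]); return -1; }
    if (pid == 0) {
        /* child: the socket creator (the real design would exec() here) */
        close(chan[0]);
        int fd = create_listener(port);
        _exit((fd >= 0 && send_fd(chan[1], fd) == 0) ? 0 : 1);
    }
    close(chan[1]);
    int fd = recv_fd(chan[0]);
    close(chan[0]);
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status) || WEXITSTATUS(status)) {
        if (fd >= 0) close(fd);
        return -1;
    }
    return fd;
}

/* Port the received socket is bound to, 0 on error. */
uint16_t bound_port(int fd) {
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) return 0;
    return ntohs(sa.sin_port);
}

int main(void) {
    int fd = boss_obtain_listener(0);
    if (fd < 0) { perror("boss_obtain_listener"); return 1; }
    printf("boss holds a listening socket on port %u\n", bound_port(fd));
    return close(fd) == 0 ? 0 : 1;
}
```

Because the boss only ever holds the returned descriptor, the creator is the one process that needs the bind() privilege, and boss_obtain_listener() returns -1 whenever the child exits non-zero or sends no descriptor, so a failed creator is never mistaken for a success.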