Darren Reed wrote:
> Will Young wrote:
>
>> Based on the description of the desired granularity I think the
>> typical model of using PRIV_SYS_NET_CONFIG (and/or PRIV_SYS_IP_CONFIG)
>> then modifying commands such as ipf to check more specific
>> authorizations works.
>>
>
> I must confess that I'm feeling quite alarmed at how many different
> actions are falling under PRIV_SYS_NET_CONFIG. It's like
> anyone with that privilege is the "network superuser", which kind
> of scares me. Which is why I'm asking "where are privileges going?"
> Does that one privilege really need to be reused amongst so many
> different programs/features?
>
While there is a general sentiment of "the finer grain the better", I think our
first priority is limiting running with any elevated privileges. If this is done
correctly there is no literal "network superuser", in that users are given the
privilege only when it is constrained by specific commands, which can enforce
more complex rules than the kernel privilege model.

Finer-grained privileges would mean there is less to attack if one escapes the
constraints of specific commands, but this is of less benefit than it sounds
like unless the privileges are carefully considered. I.e. a division by
technologies gives a firewall privilege, a tunnel privilege, an IPsec policy
privilege, and an interface change privilege that can each individually do
different forms of traffic redirection attacks. Yet a site may be inclined to
assign one of these privileges directly to a user as they sound much safer.

-Will

> Darren
>
> _______________________________________________
> security-discuss mailing list
> security-discuss at opensolaris.org
>