Ulf Lamping wrote:
> Having looked at the web about Privilege Separation at all, didn't find
> good resources on the web, does someone have a good tip?
>
> However, as far as I understand it, it's about splitting a program into
> parts which then will run at the lowest privilege they need to do the
> task they have to, but not more.
Yes, privilege separation is essentially just a way of following the Principle
of Least Privilege by dividing the application into parts, each of which has
limited privileges to perform only the required functions of that component.
The best references I've found are those on privilege-separated openssh. You
can find details, including a link to a PDF of Provos' 2003 USENIX paper at
http://www.citi.umich.edu/u/provos/ssh/privsep.html
Wietse Venema's postfix mail server was also designed using the idea of
privilege separation. You can find an architecture overview at
http://www.postfix.org/OVERVIEW.html
Here are a couple more online references on privilege separation:
http://www.rstack.org/oudot/rmll/slides/8/privsep-en.pdf
http://www.ece.cmu.edu/~dawnsong/papers/privtrans.pdf
> When looking at Ethereal about this topic, I think about two main parts:
> - live capturing from the network (usually requires root privileges) and
> putting that data on the hard disk. As the capturing code amount is limited,
> this code could be reviewed with safety in mind, so it should be
> possible to make it "bullet proof" (well, you will never have 100% safe
> code)
> - decoding of protocols, showing them on the screen and all the other
> GUI related things (requires only user privileges, like open files and
> such). As the dissection is spread over a lot of code, provided and
> maintained by a lot of different persons, it might be nearly impossible
> to get really bullet proof code from this (of course, trying to achieve
> security is always a good idea anyway).
> So this indicates that we should split the capturing of data from
> dissecting and showing it.
I agree that those are the essential two cases, separating root privileges from
user privileges, but I think Devin's idea of an additional separation of user
file privileges from the protocol dissection part of ethereal, which doesn't
need to touch files itself, is also good, as it would prevent malicious packets
from trashing the running user's files or subverting his account.
--
James Walden, Ph.D.
Visiting Assistant Professor of EECS
The University of Toledo
http://www.eecs.utoledo.edu/~jwalden/
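Added example of the capture/dissect split discussed above, written for this page and not taken from the thread or from Ethereal's own code: the parent keeps whatever privilege the capture needs and only ever moves raw bytes, while a forked child drops to an unprivileged account before it parses anything, so a malformed record is rejected inside the process that cannot touch root. The record format, the sample data and the `nobody`/65534 account are all constructed assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <pwd.h>
/* Constructed "capture": records of [1-byte length][payload]; three good, one malformed. */
const unsigned char sample_capture[] = { 3,'a','b','c', 2,'x','y', 4,'1','2','3','4' };
const unsigned char bad_capture[] = { 5, 'a' };   /* length claims bytes that are not there */

/* Unprivileged side: give up root if we have it (assumes a 'nobody' account). */
int drop_privileges(void) {
    if (geteuid() != 0) return 0;            /* nothing to drop when run as a user */
    struct passwd *pw = getpwnam("nobody");  /* fall back to the conventional 65534 */
    uid_t uid = pw ? pw->pw_uid : 65534; gid_t gid = pw ? pw->pw_gid : 65534;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;  /* gid first, while still root */
    return 0;
}

/* Dissector: counts well-formed records; a bad length is rejected, never read past. */
int dissect(const unsigned char *buf, size_t len) {
    int count = 0;
    for (size_t off = 0; off < len; count++) {
        size_t rec = buf[off];
        if (rec == 0 || off + 1 + rec > len) return -1;   /* malformed packet */
        off += 1 + rec;
    }
    return count;
}

/* Privileged side: the capture stays here; only raw bytes cross the pipe to the child. */
int privsep_capture_and_dissect(const unsigned char *capture, size_t len) {
    int data[2], result[2];
    if (pipe(data) != 0 || pipe(result) != 0) return -1;
    pid_t pid = fork(); if (pid < 0) return -1;
    if (pid == 0) {                            /* child: unprivileged dissector */
        close(data[1]); close(result[0]);
        if (drop_privileges() != 0) _exit(2);  /* refuse to parse while still root */
        unsigned char buf[4096]; size_t got = 0; ssize_t n;
        while ((n = read(data[0], buf + got, sizeof buf - got)) > 0) got += (size_t)n;
        int r = dissect(buf, got);
        (void)write(result[1], &r, sizeof r);
        _exit(0);
    }
    close(data[0]); close(result[1]);          /* parent never touches the payload */
    (void)write(data[1], capture, len); close(data[1]);
    int r = -1; if (read(result[0], &r, sizeof r) != (ssize_t)sizeof r) r = -1;
    close(result[0]); waitpid(pid, NULL, 0);
    return r;
}
```

Run as an ordinary user the child simply stays at that user; run as root it parses as `nobody`, which is the property the thread is after.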