[nycbug-talk] BSD Chapter in HLE

Ray Lai nycbug at cyth.net
Sun Sep 17 02:20:31 EDT 2006

On Fri, Sep 15, 2006 at 06:32:24PM -0400, Dru wrote:
> On Fri, 15 Sep 2006, Ray Lai wrote:
> >chroot and dropping privileges is important.  root can break out of a
> >chroot, so you must change to an unprivileged user.  Additionally,
> >OpenBSD creates new users and groups for each privilege-revoking
> >program, so one cannot another.
> Privilege separation is good and something I'd like to learn more about. 
> Is this always on a per-application basis (e.g. openssh, tcpdump)? Other 
> than Neils' paper, are there other good explanatory references, preferably 
> not at an overly technical level I can use as a resource to refer to. 
> Otherwise, I'll try to "dumb down" a technical reference to a paragraph or 
> so to explain the concept.

Privilege separation limits each application's abilities to the bare
minimum.  This is done by first opening the necessary files, binding to
the necessary ports, and doing anything else that is required while it
is still unhindered.  The application then removes access to all files
in the filesystem by chrooting to an empty directory, typically
/var/empty.  Finally, it removes root's abilities (breaking out of
chroot, binding to privileged ports, et cetera) by changing to an unused
user and group.  It is important to change to an unused user because
processes can send signals to other processes of the same user, such as
the kill signal.


More information about the talk mailing list