GSoC: Privilege separation in DragonflyBSD

Loganaden Velvindron loganaden at gmail.com
Tue Apr 24 23:33:05 PDT 2012


Name: Loganaden Valaydon Velvindron

Email: loganaden at gmail.com

Physical address: 88, Avenue de Plevitz, Roches Brunes, Rose-Hill

Phone number (include country and area code):

(230) 9762817

Link to BSD work:

http://www.freshbsd.org/search?q=loganaden+velvindron



Links to prior code related to this area of work:

 ftp://ftp.irisa.fr/pub/OpenBSD/src/lib/libutil/imsg.c

ftp://ftp.irisa.fr/pub/OpenBSD/src/lib/libutil/imsg.h

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/syslogd/syslogd.c.diff?r1=1.64;r2=1.65;f=h

http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.sbin/syslogd/privsep_fdpass.c?rev=1.7;content-type=text%2Fplain

http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.sbin/tcpdump/privsep_pcap.c?rev=1.16;content-type=text%2Fplain

http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.sbin/tcpdump/privsep_fdpass.c?rev=1.7;content-type=text%2Fplain

http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.sbin/tcpdump/privsep.h?rev=1.7;content-type=text%2Fplain

http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.sbin/tcpdump/privsep.c?rev=1.30;content-type=text%2Fplain

Breakdown of the work you expect to do each week of the project:

The imsg API is a simple framework that was designed to make it easy
to write privileged-separated daemons. It is developed as part of the
OpenBSD project.



The advantages of the imsg framework is that it is minimalistic in
nature, and isactively being developed. Other privilege-separation
frameworks such as privman are no longer actively maintained and make
a number of assumptions that maynot apply to all daemons. imsg was
developed as a simple and reliable RPC mechanism, and it has been
found suitable for implementing privilege separation.

Another approach which is interesting to consider is postfix.
http://www.postfix.org/security.html Postfix uses separate processes
that communicate among themselves. However, this approach requires
significant re-write from scratch which may be difficult to complete
given our timeframe.

OpenBSD has also been using privilege separation since 2002, and their
code is considered very mature.



1st week, We need to import the imsg.{c,h} from OpenBSD into DragonflyBSD.

Then, we will need to sync with the latest changes in OpenBSD as some
daemons (dhclient. Dhcpcd) have moved to the imsg framework. Joerg
Sonnenberger & Hasso Tapper already started some of that work but it?s
a bit incomplete.

A cursory look at privsep.c in dhclient shows that it was last updated
in 2008. OpenBSD has been making fixes to privsep.c. Quote from a
recent commit message in 2011:

``Dump some useless calls to dhclient-script. i.e. MEDIUM, PREINIT,
ARPSEND, ARPCHECK. Drop support for 'media', 'medium' and 'alias'
specifications in dhclient.conf. Old leases still parse but these
options now have no effect.

Be more polite and decline all offers we don't accept. Fix a IMSG
length check. ''



If the import causes any conflict with the local patches, the latter
will need to

be adapted to fit with imsg framework. In case that these 2 conflict,
then the privilege separation may need to be loosen up a bit.

It's important to keep in sync with the latest privsep changes as
subtle bugs are

still being found.



As to how to quantify performance, some figures are already available:

http://www.citi.umich.edu/u/provos/papers/privsep.pdf

Chapter 6 shows that the performance penalty for the complex ssh
daemon was minimal as long as the data that needs to be moved from
master to slave process

through IPC is small. This will need to be kept in mind when applying privsep to

dntpd.



2nd-3rd week: Privilege separate syslogd by importing patches from openbsd.

syslogd could break when creating new files outside the chrooted
directory (/var/log/).

The only difference from existing behaviour is that if syslog.conf
changes and syslogd receives a HUP, it will re-exec itself and have
two new PIDs. A HUP with an unchanged config will make syslogd reopen
logfiles as before.

Additionally, it will involve splitting the code as dflybsd's syslogd
is monolithic compared to openbsd's syslogd. the tty handling code
will need to be moved, as

it requires special handling with the rpc.

 Once the code is properly split, we can start applying privilege separation.



4th-5th week: Privilege separate dntpd from scratch. A look at ntpd in
openbsd would be interesting as the latter was designed from scratch
and incorporates privilege separation.

logging & dns will break. The master will need to read the logs and
resolve dns for

the slave process. This will involve some strict checks as the slave
process is untrusted.

 Since the master calls the time system calls (adjtime, settime), a
delay is inevitable as those messages are sent through RPC. This has
been considered acceptable in openntpd.



6th-9th week: Privilege separate tcpdump. This will probably be the
most complicated among the demons due to the complexity inherent in
tcpdump. Patches from openbsd are available.

 dns & writing to a file using -W option can break since tcpdump is
chrooted to /var/log/

Master process needs to be able to do the following tasks and sent the results

through rpc to the slave process:

gethostbyaddr, ether_ntohost, getrprcbynumber, getservenetries, localtime.







More information about the Kernel mailing list