www.Lucq.org

Adding POSIX/1.e extensions to OpenBSD

Introduction and disclaimer

Even though OpenBSD has a good track record in the area of security (especially through its code auditing process), it lacks several operating system features for increased security. The (now defunct) draft POSIX/1.e extensions are an example of this; they include features such as fine-grained filesystem access control lists (ACLs), mandatory access control (MAC), capabilities, and fine-grained system auditing. On this page I provide some patches that attempt to integrate some of these features into OpenBSD. They include ports of other people's code, as well as some code of my own. If you have remarks or questions, feel free to drop me a note (but note that this code is not a priority for me; I work on it when I have time and when I am in the mood). In general, you should use OpenBSD-current to test these patches, and you should use the most recent version of the patch.

I cannot be held responsible for direct or indirect damage, or any other consequence, of using, not using, or using incorrectly the information contained on this page, or linked to from this page.

Reference information

Filesystem ACLs

Currently OpenBSD uses the traditional UNIX user/group/world filesystem access rights. This patch, which is an OpenBSD port of the ACL code from FreeBSD 5.0 (the original ACL code was written by people from the TrustedBSD project), attempts to introduce more fine-grained filesystem ACLs into OpenBSD. These extend the existing mechanism by allowing permissions to be granted on a discretionary basis to more than one user and/or group. These filesystem ACLs currently rely on the presence of the extended attribute code.
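
As an added illustration (not code from this patch, from FreeBSD or from TrustedBSD), the following C model shows how a POSIX.1e access ACL of the kind getfacl prints is evaluated for a caller, including the mask entry that caps named users and every group entry but never the owner or "other". The tag names, the struct layout and the sample ACL are assumptions made for the example.

```c
#include <stdbool.h>
#include <sys/types.h>

enum { P_R = 4, P_W = 2, P_X = 1 };
/* Tag types modelled on the draft's ACL_USER_OBJ, ACL_USER, ... (names assumed). */
enum tag { USER_OBJ, USER, GROUP_OBJ, GROUP, MASK, OTHER };
struct ace { enum tag tag; unsigned id; int perms; };   /* id is used for USER/GROUP only */

/* Permissions of the entry with tag t (and id, for USER/GROUP), or -1 if absent. */
static int lookup(const struct ace *a, size_t n, enum tag t, unsigned id)
{
    for (size_t i = 0; i < n; i++)
        if (a[i].tag == t && ((t != USER && t != GROUP) || a[i].id == id))
            return a[i].perms;
    return -1;
}
static bool covers(int perms, int want) { return perms >= 0 && (perms & want) == want; }

/* POSIX.1e access check: do (uid, groups) hold every bit in `want`?
 * owner/owngrp are the file's st_uid/st_gid, which user:: and group:: refer to. */
bool acl_access(const struct ace *acl, size_t n, uid_t owner, gid_t owngrp,
                uid_t uid, const gid_t *groups, size_t ngroups, int want)
{
    int mask = lookup(acl, n, MASK, 0);
    if (mask < 0) mask = P_R | P_W | P_X;          /* no mask:: entry: nothing is reduced */
    /* 1. The owner is judged by user:: alone; the mask does not apply to it. */
    if (uid == owner) return covers(lookup(acl, n, USER_OBJ, 0), want);
    /* 2. A matching named user entry decides next, limited by the mask. */
    int p = lookup(acl, n, USER, uid);
    if (p >= 0) return covers(p & mask, want);
    /* 3. group:: (when in the owning group) and each group:name the caller belongs to:
     *    any one of them may grant, and all of them are limited by the mask. */
    bool matched = false;
    for (size_t i = 0; i < ngroups; i++) {
        p = groups[i] == owngrp ? lookup(acl, n, GROUP_OBJ, 0) : lookup(acl, n, GROUP, groups[i]);
        if (p < 0) continue;
        matched = true;
        if (covers(p & mask, want)) return true;
    }
    if (matched) return false;                     /* some group matched, none sufficed */
    /* 4. Everyone else falls through to other::, which the mask does not touch. */
    return covers(lookup(acl, n, OTHER, 0), want);
}

/* Constructed sample: a file owned by 1000:1000 whose getfacl-style ACL reads
 * user::rw- user:67:r-- group::rw- group:100:rwx mask::r-- other::--- */
static const struct ace sample[] = { { USER_OBJ, 0, P_R | P_W }, { USER, 67, P_R },
    { GROUP_OBJ, 0, P_R | P_W }, { GROUP, 100, P_R | P_W | P_X }, { MASK, 0, P_R }, { OTHER, 0, 0 } };
bool demo_check(uid_t uid, gid_t gid, int want)   /* a caller with the single group gid */
{ return acl_access(sample, 6, 1000, 1000, uid, &gid, 1, want); }
```

Note how group:100:rwx is reduced to r-- by mask::r--, which is why getfacl output is read together with its mask entry when checking what a group can actually do.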

Patch                   Dates from         Against tree
acl-20020402-1519.tgz   2002/04/02 15:19   OpenBSD 3.0-current 2002/04/02 15:19
    Notes: First public release. Briefly, it compiles (both kernel and userland) without errors, and ACLs appear to work as expected at first glance. The whole thing needs thorough code review and testing (also on architectures other than i386).
acl-20020408-1633.tgz   2002/04/08 16:33   OpenBSD 3.0-current 2002/04/02 15:19
    Notes: The patch is now split in three parts: some additions to the Extended Attributes code that are needed by the ACL code, the kernel part of the ACL code, and the userland part (additions to libc, /bin/getfacl and /bin/setfacl) of the ACL code. Also, the first two parts have been given a review, and some minor things were changed as a result.
acl-20020409-1540.tgz   2002/04/09 15:40   OpenBSD 3.0-current 2002/04/02 15:19
    Notes: Further review of the libc additions resulted in minor fixes in this area.
acl-20020524-1424.tgz   2002/05/24 14:24   OpenBSD 3.1-current 2002/05/13 09:43
    Notes: Several fixes in the Extended Attributes code, ACL code migrated from MALLOC to pools, fixes by drahn@, minor fixes in man pages. Still in need of testing... This diff is not split in three parts anymore, mainly due to laziness...
acl-20020626-1533.tgz   2002/06/26 15:33   OpenBSD 3.1-current 2002/06/24 17:26
    Notes: Sync'ed with a new version of -current. The archive contains two patches (-1 and -2) which should be applied sequentially. Some new man pages, some fixes to the pool migration code, two changes to EA-related code, minor stuff from FreeBSD.
acl-20020802-1128.tgz   2002/08/02 11:28   OpenBSD 3.1-current 2002/07/31 19:13
    Notes: Sync with the FreeBSD repository (bugfix in kern_acl.c).
acl-20020821-1531.tgz   2002/08/21 15:13   OpenBSD 3.1-current 2002/08/20 15:45
    Notes: Locking fixes. Sync'ed with a new version of -current.

Trusted auditing

At the moment, OpenBSD lacks an industry-grade auditing subsystem. Such a subsystem would allow an administrator to collect detailed information about the actions taken by users of a system, and by daemons, with sufficient information about each action (e.g. time stamp, user and process information, status of the action, etc.). The audit component of the POSIX/1.e draft standard provides a reasonable starting point for such an audit framework. The code provided here is a port of the initial TrustedBSD audit effort, which attempted to implement such an audit subsystem.

Note that development has halted for now on this component, since its structure needs to be rethought, in order to minimize the performance hit this subsystem implies, and in order to properly integrate it with other components.

Patch                     Dates from         Against tree
audit-20011024-0938.tgz   2001/10/24 09:38   OpenBSD 3.0-stable 2001/10/19 11:32
    Notes: First public release.
audit-20011026-1115.tgz   2001/10/26 11:15   OpenBSD 3.0-stable 2001/10/19 11:32
    Notes: Initial logging of the execve syscall. Fixed a buffer overflow in the userland code. Various internal modifications.
(no patch)                2002/02/25 11:37   -
    Notes: Development is temporarily halted. I'm waiting for coming developments in the TrustedBSD audit component. Also see the note above.

NETWORK_PORT_ACL

In a traditional BSD-ish UNIX a process needs to be UID 0 in order to be able to bind to one of the so-called privileged network (TCP/UDP) ports (these are the TCP/UDP ports in the range 1 through 1023). In my opinion this requirement is hideous; it is one of the reasons that processes like named and httpd need to start out as root. This patch tries to address this, by providing a simplistic ACL model for privileged port binding. For example, you can now allow UID 67 (user “www”) to bind to port 80 (and only to this port).

To install, first apply the patch to your kernel sources. Then, make sure option NETWORK_PORT_ACL is enabled, and recompile the kernel and userland, and reboot with the new kernel. Then, check the EXAMPLES section in sysctl(8) for information on how to set things up.

Also note that this is strictly speaking not a POSIX/1.e extension; it's something of my own imagination instead.
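
To make the decision concrete, here is an added C model (not the patch's own code) of the bind check that the NETWORK_PORT_ACL idea places on top of the classic reserved-port rule: a reserved port is granted to uid 0 as before, or to a uid that has an explicit entry for exactly that port, and refused otherwise. The table layout, the uid 53 used for named and the EACCES result are assumptions of the example; the real configuration goes through sysctl(8) as the text says.

```c
#include <errno.h>
#include <netinet/in.h>      /* IPPORT_RESERVED: ports below it (1..1023) are privileged */
#include <stddef.h>
#include <sys/types.h>

/* One ACL entry: `uid` may bind `port`. Constructed for this example; the patch's
 * own representation and its sysctl(8) interface are not shown on this page. */
struct port_ace { uid_t uid; unsigned short port; };

/* Model of the bind(2) decision: 0 if `uid` may bind `port`, else EACCES, the
 * errno a daemon sees when a privileged bind is refused. The classic rule comes
 * first (reserved ports need uid 0), then the per-uid, per-port exceptions. */
int port_bind_check(const struct port_ace *acl, size_t n, uid_t uid, unsigned short port)
{
    if (port == 0 || port >= IPPORT_RESERVED)    /* kernel-chosen or unprivileged port */
        return 0;
    if (uid == 0)                                /* root keeps its traditional right */
        return 0;
    for (size_t i = 0; i < n; i++)               /* granted explicitly for this port only */
        if (acl[i].uid == uid && acl[i].port == port)
            return 0;
    return EACCES;                               /* www gets port 80 (and 443 here), nothing else */
}

/* Constructed sample: www (uid 67) may bind 80 and 443; uid 53 (assumed for named) may bind 53. */
static const struct port_ace sample_acl[] = { { 67, 80 }, { 67, 443 }, { 53, 53 } };
int demo_bind(uid_t uid, unsigned short port)
{
    return port_bind_check(sample_acl, 3, uid, port);
}
```

The point for a daemon author is the last return: with such an entry in place, httpd can bind port 80 as uid 67 from the start and never needs to hold uid 0 at all.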

Patch                                Dates from         Against tree
network_port_acl-20020327-0927.tgz   2002/03/27 09:27   OpenBSD 3.0-current 2002/03/15 10:25
    Notes: First public release. This patch needs thorough testing and eyeballing.
network_port_acl-20020822-0944.tgz   2002/08/22 09:44   OpenBSD 3.1-current 2002/08/20 15:45
    Notes: Quick integration of the patch into -current. Note that I still consider this to be a quick hack, ideally to be replaced by a more comprehensive mechanism such as MAC or DTE.
network_port_acl-20020823-1122.tgz   2002/08/23 11:22   OpenBSD 3.1-current 2002/08/23 11:22
    Notes: Doh. This is what you get when you have several development trees on the same system. The previous patch was somewhat messed up; this patch fixes that.