OpenBSD Journal

Privilege drop, privilege separation, and restricted-service operating mode in OpenBSD

Contributed by grey on from the Remember when systrace was the new hawtness? This editor does. dept.

Florian Obser wrote an extensive piece with great attention to detail titled: Privilege drop, privilege separation, and restricted-service operating mode in OpenBSD.

As the title implies, Florian's piece covers a wide range of exploit mitigation efforts within OpenBSD. It starts with early examples from 26 years ago, such as the first attempts at privilege dropping in ping(8). Moving towards the present, Florian reflects on systrace(4), which Niels Provos showed to the world at CanSecWest in 2002. In describing some of systrace's shortcomings, he gives readers insight into the motivation behind pledge(2), which evolved out of the earlier tame(2) and is now widely available and deployed in OpenBSD, complemented by unveil(2). Florian then writes about privilege separation in dhcpleased(8), with passing mention that similar techniques are used in slaacd(8) and unwind(8). This editor will note: some of that sort of defense in depth design seems as if it may have been inspired by prior art in MTAs such as djb's qmail or Wietse Venema's Postfix?

This meditation is a deep dive with historical perspective on where some past mitigation approaches went sideways or proved less tenable. Code excerpts abound. Florian's footnotes even share some thoughts on how similar challenges are addressed not just within OpenBSD but in how at least one other operating system has attempted to provide its own mitigation framework.
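As an added illustration (this is not code from Florian's article, nor OpenBSD's own ping(8)), here is the shape of the sequence the summary describes: a program that started set-uid root opens its privileged resource first, drops to an unprivileged uid/gid irreversibly, verifies the drop actually took, and only then uses unveil(2) and pledge(2) to shrink what it may still do. The target uid/gid (the invoking user, for the demo), the /var/empty path and the promise set "stdio rpath inet" are assumptions; pledge and unveil are OpenBSD-only, so they are compiled only there and the rest of the example runs on any POSIX system with setresuid(2).

```c
/* Added example, not code from Florian Obser's article or from OpenBSD.
 * Demonstrates the classic order of operations for a privileged tool:
 *   1. open the privileged resource (not shown; e.g. a raw ICMP socket)
 *   2. drop privileges irreversibly
 *   3. verify the drop
 *   4. restrict the remaining service with unveil(2) + pledge(2) (OpenBSD)
 */
#define _GNU_SOURCE            /* glibc: expose setresuid/setresgid */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to uid/gid. Order matters: supplementary groups and the
 * gid go first, because once the uid is no longer 0 the process may not
 * change them. setres*id() sets real, effective AND saved ids, so there is
 * no saved root id left to climb back to. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) == -1)
        return -1;
    if (setresgid(gid, gid, gid) == -1)
        return -1;
    if (setresuid(uid, uid, uid) == -1)
        return -1;
    return 0;
}

/* Confirm the drop really took: all three uids and gids equal the target.
 * Returns 1 when fully dropped, 0 otherwise. */
int privileges_dropped_to(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    if (getresuid(&ru, &eu, &su) == -1 || getresgid(&rg, &eg, &sg) == -1)
        return 0;
    return ru == uid && eu == uid && su == uid &&
           rg == gid && eg == gid && sg == gid;
}

/* A dropped process must not be able to get root back. Returns 1 if the
 * process still holds, or can reacquire, uid 0 (drop failed or we never
 * were root to begin with and are running as root anyway). */
int can_regain_root(void)
{
    uid_t ru, eu, su;

    if (getresuid(&ru, &eu, &su) == -1)
        return 0;
    if (ru == 0 || eu == 0 || su == 0)
        return 1;
    return seteuid(0) == 0;    /* EPERM expected after a real drop */
}

/* Restrict what the now-unprivileged process may still do. pledge(2) and
 * unveil(2) exist only on OpenBSD; elsewhere this step is a no-op so the
 * example still compiles. The path and promise set are assumptions for
 * this demo; a real program tailors them to exactly what it needs. */
int restrict_service(const char *datadir)
{
#ifdef __OpenBSD__
    /* Filesystem view: only datadir, read-only; then lock unveil itself. */
    if (unveil(datadir, "r") == -1 || unveil(NULL, NULL) == -1)
        return -1;
    /* Syscall promises: basic I/O, reading under datadir, and sockets. */
    if (pledge("stdio rpath inet", NULL) == -1)
        return -1;
#else
    (void)datadir;
#endif
    return 0;
}

int main(void)
{
    uid_t target_uid = getuid();   /* assumption: the invoking user */
    gid_t target_gid = getgid();

    /* A real tool would open its raw socket here, while still privileged. */
    if (drop_privileges(target_uid, target_gid) == -1) {
        perror("drop_privileges");
        return 1;
    }
    if (!privileges_dropped_to(target_uid, target_gid)) {
        fprintf(stderr, "privilege drop incomplete, refusing to continue\n");
        return 1;
    }
    if (restrict_service("/var/empty") == -1) {
        perror("restrict_service");
        return 1;
    }
    printf("running as uid %u, can regain root: %s\n",
           (unsigned)getuid(), can_regain_root() ? "yes" : "no");
    return 0;
}
```

The check after the drop is the part people most often skip: a setresuid() that fails (for instance because a resource limit on processes for the target uid is hit) leaves the program running as root, so the drop must be verified and the program must abort rather than carry on. Note also that pledge and unveil come last; once "stdio rpath inet" is in force, the setres*id calls themselves would be outside the promised set.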
