219 lines
6.7 KiB
Groff
219 lines
6.7 KiB
Groff
.\" $NetBSD: secmodel_bsd44.9,v 1.10 2007/01/09 12:49:36 elad Exp $
|
|
.\"
|
|
.\" Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\" 3. The name of the author may not be used to endorse or promote products
|
|
.\" derived from this software without specific prior written permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
.\"
|
|
.Dd December 26, 2006
|
|
.Dt SECMODEL_BSD44 9
|
|
.Os
|
|
.Sh NAME
|
|
.Nm secmodel_bsd44
|
|
.Nd traditional
|
|
.Nx
|
|
security model (based on
|
|
.Bx 4.4 )
|
|
.Sh SYNOPSIS
|
|
.In secmodel/bsd44/bsd44.h
|
|
.In secmodel/bsd44/securelevel.h
|
|
.In secmodel/bsd44/suser.h
|
|
.Sh DESCRIPTION
|
|
.Nm
|
|
is the default security model in
|
|
.Nx .
|
|
It is the traditional security model based on
|
|
.Bx 4.4
|
|
and is composed of two main concepts, the
|
|
.Em super-user
|
|
and the
|
|
.Em securelevel .
|
|
.Ss Super-user
|
|
The
|
|
.Em super-user
|
|
is the host administrator, considered to have higher privileges than other
|
|
users.
|
|
It is the only entity the kernel recognizes by having an effective user-id
|
|
of zero.
|
|
.Ss Securelevel
|
|
The securelevel mechanism is intended to allow protecting the persistance
|
|
of code and data on the system, or a subset thereof, from modification, even
|
|
by the super-user, by providing convenient means of
|
|
.Dq locking down
|
|
a system to a degree suited to its environment.
|
|
.Pp
|
|
The super-user can raise the securelevel using
|
|
.Xr sysctl 8 ,
|
|
but only
|
|
.Xr init 8
|
|
can lower it.
|
|
.Pp
|
|
.Nm
|
|
provides four levels of securelevel, defined as follows:
|
|
.Bl -tag -width flag
|
|
.It \&-1 Em Permanently insecure mode
|
|
.Bl -hyphen -compact
|
|
.It
|
|
Don't raise the securelevel on boot
|
|
.El
|
|
.It \ 0 Em Insecure mode
|
|
.Bl -hyphen -compact
|
|
.It
|
|
The init process (PID 1) may not be traced or accessed by
|
|
.Xr ptrace 2 ,
|
|
.Xr systrace 4 ,
|
|
or procfs.
|
|
.It
|
|
Immutable and append-only file flags may be changed
|
|
.It
|
|
All devices may be read or written subject to their permissions
|
|
.El
|
|
.It \ 1 Em Secure mode
|
|
.Bl -hyphen -compact
|
|
.It
|
|
All effects of securelevel 0
|
|
.It
|
|
.Pa /dev/mem
|
|
and
|
|
.Pa /dev/kmem
|
|
may not be written to
|
|
.It
|
|
Raw disk devices of mounted file systems are read-only
|
|
.It
|
|
Immutable and append-only file flags may not be removed
|
|
.It
|
|
Kernel modules may not be loaded or unloaded
|
|
.It
|
|
The
|
|
.Va net.inet.ip.sourceroute
|
|
.Xr sysctl 8
|
|
variable may not be changed
|
|
.It
|
|
Adding or removing
|
|
.Xr sysctl 9
|
|
nodes is denied
|
|
.It
|
|
The RTC offset may not be changed
|
|
.It
|
|
Set-id coredump settings may not be altered
|
|
.It
|
|
Attaching the IP-based kernel debugger,
|
|
.Xr ipkdb 4 ,
|
|
is not allowed
|
|
.It
|
|
Device
|
|
.Dq pass-thru
|
|
requests that may be used to perform raw disk and/or memory access are denied
|
|
.It
|
|
.Em iopl
|
|
and
|
|
.Em ioperm
|
|
calls are denied
|
|
.It
|
|
Access to unmanaged memory is denied
|
|
.El
|
|
.It \ 2 Em Highly secure mode
|
|
.Bl -hyphen -compact
|
|
.It
|
|
All effects of securelevel 1
|
|
.It
|
|
Raw disk devices are always read-only whether mounted or not
|
|
.It
|
|
New disks may not be mounted, and existing mounts may only be downgraded
|
|
from read-write to read-only
|
|
.It
|
|
The system clock may not be set backwards or close to overflow
|
|
.It
|
|
Per-process coredump name may not be changed
|
|
.It
|
|
Packet filtering and NAT rules may not be altered
|
|
.El
|
|
.El
|
|
.Pp
|
|
Highly secure mode may seem Draconian, but is intended as a last line of
|
|
defence should the superuser account be compromised.
|
|
Its effects preclude
|
|
circumvention of file flags by direct modification of a raw disk device,
|
|
or erasure of a file system by means of
|
|
.Xr newfs 8 .
|
|
Further, it can limit the potential damage of a compromised
|
|
.Dq firewall
|
|
by prohibiting the modification of packet filter rules.
|
|
Preventing
|
|
the system clock from being set backwards aids in post-mortem analysis
|
|
and helps ensure the integrity of logs.
|
|
Precision timekeeping is not
|
|
affected because the clock may still be slowed.
|
|
.Pp
|
|
Normally, the system runs in securelevel 0 while single-user and in
|
|
securelevel 1 while multi-user.
|
|
If a higher securelevel is desired while running multi-user,
|
|
it can be set using the
|
|
.Em securelevel
|
|
keyword in the startup script
|
|
.Pa /etc/rc.conf ,
|
|
see
|
|
.Xr rc.conf 5
|
|
for details.
|
|
Lower securelevels require the kernel to be compiled with
|
|
.Sy options INSECURE ,
|
|
causing it to always default to securelevel \-1.
|
|
.Pp
|
|
In order for this protection to be effective, the administrator
|
|
must ensure that no program that is run while the security level
|
|
is 0 or lower, nor any data or configuration file used by any such
|
|
program, can be modified while the security level is greater than
|
|
0.
|
|
This may be achieved through the careful use of the
|
|
.Dq immutable
|
|
file flag to define and protect a Trusted Computing Base (TCB)
|
|
consisting of all such programs and data, or by ensuring that all
|
|
such programs and data are on filesystems that are mounted read-only
|
|
and running at security level 2 or higher.
|
|
.Em Particular care must be taken to ensure, if relying upon
|
|
.Em security level 1 and the use of file flags, that the integrity of the
|
|
.Em TCB cannot be compromised through the use of modifications to the
|
|
.Em disklabel or access to overlapping disk partitions, including the
|
|
.Em raw partition .
|
|
.Pp
|
|
Do not overlook the fact that shell scripts (or anything else fed to an
|
|
interpreter, through any mechanism) and the kernel itself are "programs
|
|
that run while the security level is 0" and must be considered part of
|
|
the TCB.
|
|
.Sh SEE ALSO
|
|
.Xr kauth 9 ,
|
|
.Xr secmodel 9
|
|
.Sh AUTHORS
|
|
.An Elad Efrat Aq elad@NetBSD.org
|
|
.Sh BUGS
|
|
Systems without
|
|
.Xr sysctl 8
|
|
behave as though they have security level \-1.
|
|
.Pp
|
|
The security level 2 restrictions relating to TCB integrity protection
|
|
should be enforced at security level 1.
|
|
Restrictions dependent upon security level but not relating to TCB
|
|
integrity protection should be selected by
|
|
.Xr sysctl 8
|
|
settings available only at security level 0 or lower.
|