0

I'm contributing to a routing daemon, and investigating security measures. The daemon, when running, talks to the kernel and installs routes. On Linux, as a good practice, if the daemon is launched as root (and properly configured) it will quickly drop privileges and switch to an unprivileged user/group, but retain the CAP_NET_ADMIN capability.

I'm looking for a similar mechanism to use on popular BSDs (FreeBSD, OpenBSD, macOS).

It seems that Mandatory Access Control at least on FreeBSD could be the way to go; but I'm not sure. I'd appreciate pointers to code or documentation.

Thanks!

Antonin Décimo
  • 499
  • 3
  • 17

1 Answers1

1

In NetBSD (by default), and I believe also in OpenBSD, the process making a request via the routing socket to either add or delete a route from the routing table(s) (or indeed to anything but get a route) must have an effective user-ID of zero (i.e. be "root"). I.e. the process cannot drop privileges after opening the routing socket and still modify the routing table(s) -- the privileges are checked at the time the routing request message is processed, not at the time the routing socket is first opened.

In NetBSD it would be possible to install a new security model in the kernel which could change this rule, but I don't know of one designed to do this specifically for routing tables. (OpenBSD does not use the NetBSD kauth subsystem.)

Greg A. Woods
  • 2,663
  • 29
  • 26