[cap-talk] DJB on Least Privilege

Jed Donnelley jed at nersc.gov
Mon Nov 12 19:23:52 EST 2007 

On 11/3/2007 9:05 AM, Toby Murray wrote:
> An interesting paper has appeared from Daniel Bernstein: "Some thoughts
> on security after ten years of qmail".
> 
> http://cr.yp.to/qmail/qmailsec-20071101.pdf
> 
> Lots of good insights...

I'd like to pick up another point or two on the above paper.

I want to take issue with 2.5  Distraction 2: minimizing
privilege.

He gives the example of Netscape's "DNS Helper"
where he suggest that the elimination of it's
authority to access local disk files is a
distraction because:
___________
The situation before
[11] was that bugs in the “DNS helper” had the power to vi-
olate the user’s security requirements and therefore needed
to be fixed;

the situation after [11] was that bugs in the
“DNS helper” had the power to violate the user’s security
requirements and therefore needed to be fixed.
___________

I take issue with the notion that "security requirements"
are all of a piece.  E.g. in this case suppose I use
the Petname toolbar (as I do), and I only trust Web
sites that I have verified through independent means
through a certificate handshake.  In this case a
DNS mapping is really just a hint - not something
I depend on for security.

In that case one could argue that after having access
to my local files removed, correct operation of
DNS helper was no longer a security requirement.

Certainly it's a good idea to fix all bugs. Even
bugs that only result in feature failure (e.g.
DNS hints) can still cause problems.  Also, even
if one considers DNS mapping a security issue,
knowing that a failure of the DNS helper code
can't modify my local disk files is a huge
help.  If such a bug is found and I see from
logs that it's been exploited, then at least I
don't start having to restore from backups,
etc.  I can just review any potential consequences
from failure to correctly map DNS names.

Having said all the above, I agree with Toby's
point that if one starts with programs having
no authority and then just grant them the
authority that they need to do their work,
the process of controlling POLA is greatly
simplified.

--Jed  http://www.webstart.com/jed/

More information about the cap-talk mailing list