FreeBSD Security in Multiuser Environments

Dag-Erling Smørgrav des at des.no
Sun Apr 1 08:49:38 UTC 2012


schultz at ime.usp.br writes:
>   * Encrypted the whole (except /boot) system with geli(8)
>     (HMAC/SHA256 and AES-XTS). It is not as nice and much slower
>     than proper filesystem-level checksumming but it is what
>     FreeBSD provides (ZFS is too unstable).

ZFS is stable enough, but I'm a little confused: encryption is not
"checksumming", and ZFS provides checksums but not encryption.

>   * Disabled useless and potentially dangerous services: cron, devd
>     and sendmail.

These services are neither useless nor dangerous.

>   * Removed every setuid bit. The system works even then.

Except that users are no longer able to change their password or shell.

>   * Added a group sudoers and made sudo setuid only to users in
>     sudoers: would have avoided trouble with recent sudo exploit if
>     only trusted users have slaves.

I'm not sure what "made sudo setuid only to users in sudoers" means.
Perhaps you mean "executable only by users in sudoers"?

Also... all this and you didn't raise the securelevel?  Didn't set
system binaries schg?  Didn't remove unwanted binaries like rcp(1),
rlogin(1), at(1) etc?

> As for using sudo to grant privilege, for each master-slave
> relationship between users u and v, I have added a line like
> "u ALL = (v) NOPASSWD: ALL" to /etc/sudoers. Then the user u is
> supposed to become v by issuing "sudo -i -u v" and to execute a
> command as v by issuing "sudo -i -u v ...".

I'm surprised there isn't a sudoers option to force -i; I'm sure Todd
Miller would be happy for a patch :)

DES
-- 
Dag-Erling Smørgrav - des at des.no
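The thread above turns on sudoers user specifications of the form `u ALL = (v) NOPASSWD: ALL`, which let user u run any command as v without a password. The following is an added example written for this page, not code from either poster or from the sudo project: a small Python parser for that one line shape (user, host, run-as user, tags, command list) plus two audit helpers that list which users can become which other users, and which grants are both passwordless and unrestricted. The sample sudoers text and the user names in it are constructed; alias definitions, `Defaults` lines and backslash continuations are deliberately not handled.

```python
import re
from dataclasses import dataclass

# Constructed sample sudoers content (hypothetical users, not from any real system).
SAMPLE_SUDOERS = """\
# Comments and Defaults are skipped by the parser
Defaults env_reset
u ALL = (v) NOPASSWD: ALL
alice ALL = (bob) NOPASSWD: ALL
alice ALL = (root) /usr/sbin/service sshd restart
%wheel ALL = (ALL) ALL
carol ALL = (dave) NOEXEC: NOPASSWD: /usr/bin/less
"""

# Matches:  user host = (runas[:group]) [TAG: ...] command[, command]
# Tags are upper-case words followed by a colon (NOPASSWD:, NOEXEC:, SETENV:, ...).
SPEC_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*'
    r'(?:\((?P<runas>[^)]*)\)\s*)?'
    r'(?P<tags>(?:[A-Z_]+\s*:\s*)*)'
    r'(?P<cmds>.+)$'
)


@dataclass(frozen=True)
class Spec:
    user: str        # user or %group the rule applies to
    host: str        # host list, usually ALL
    runas: str       # run-as user; sudo defaults to root when (...) is omitted
    tags: tuple      # e.g. ('NOPASSWD',)
    commands: tuple  # e.g. ('ALL',) or ('/usr/sbin/service sshd restart',)


def parse_sudoers(text):
    """Parse simple user-spec lines; skip comments, blanks and Defaults."""
    specs = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or line.startswith('Defaults'):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue  # aliases and other constructs are out of scope here
        # (runas:group) -> keep only the user part; omitted means root
        runas = (m.group('runas') or 'root').split(':', 1)[0].strip()
        tags = tuple(t.strip() for t in m.group('tags').split(':') if t.strip())
        cmds = tuple(c.strip() for c in m.group('cmds').split(','))
        specs.append(Spec(m.group('user'), m.group('host'), runas, tags, cmds))
    return specs


def unrestricted_grants(specs):
    """(user, runas) pairs that may run ANY command as runas with no password."""
    return [(s.user, s.runas) for s in specs
            if 'NOPASSWD' in s.tags and s.commands == ('ALL',)]


def runas_targets(specs, user):
    """Every run-as user granted to `user` ('ALL' means any user)."""
    return sorted({s.runas for s in specs if s.user == user})


if __name__ == '__main__':
    parsed = parse_sudoers(SAMPLE_SUDOERS)
    for user, runas in unrestricted_grants(parsed):
        print(f'{user} may become {runas} without a password (NOPASSWD: ALL)')
    print('alice can run commands as:', ', '.join(runas_targets(parsed, 'alice')))
```

Running the script against the sample reports the two `NOPASSWD: ALL` master-slave grants (u over v, alice over bob) and shows that alice's root access is limited to one service command. Feeding it the real file (`/usr/local/etc/sudoers` on FreeBSD) gives a quick inventory of who can become whom, which is the question the thread's per-pair sudoers lines raise.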