Is BIRD on BSD a second class citizen?
Ondrej Zajicek
santiago at crfreenet.org
Fri Oct 4 01:00:50 CEST 2019
On Fri, Oct 04, 2019 at 12:00:16AM +0200, Maria Matejka wrote:
> > The two main points being so far:
> > - security: no privilege dropping on BSD
>
> This is not so easy when BIRD has to keep its privilege to open sockets
> on port < 1024. There would be three different implementations for
> FreeBSD, NetBSD and OpenBSD. And if I google it correctly, OpenBSD still
> doesn't allow dropping root privileges but keeping the right to open
It is not just ports; BIRD does plenty of privileged operations like
using raw sockets and updating kernel routing tables. On Linux, we can
just keep appropriate capabilities (like CAP_NET_ADMIN) while dropping
to a non-root user.
--
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
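
The Linux approach described in the message above, sketched as an added example; it is not part of the original e-mail and not BIRD's own code. The capability set (CAP_NET_BIND_SERVICE, CAP_NET_RAW, CAP_NET_ADMIN), the function names and the uid/gid 65534 are assumptions chosen to match the operations the message lists.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <linux/capability.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Assumed capability set for the operations named in the message:
 * ports < 1024, raw sockets, kernel routing table updates. */
static uint32_t routing_daemon_caps(void)
{
    return (1u << CAP_NET_BIND_SERVICE) | (1u << CAP_NET_RAW) | (1u << CAP_NET_ADMIN);
}

/* Set effective and permitted sets to `caps`; inheritable stays empty. */
static int set_caps(uint32_t caps)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = {{0}};
    data[0].effective = data[0].permitted = caps;
    return (int) syscall(SYS_capset, &hdr, data);
}

/* Drop from root to uid/gid keeping only `caps`. Returns 0, or -1 with errno set. */
static int drop_priv_keep_caps(uid_t uid, gid_t gid, uint32_t caps)
{
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; } /* not a drop */
    if (geteuid() != 0) { errno = EPERM; return -1; }        /* nothing to drop from */
    if (prctl(PR_SET_KEEPCAPS, 1L, 0L, 0L, 0L) < 0) return -1; /* keep permitted set over setuid */
    if (setgroups(0, NULL) < 0) return -1;  /* clear supplementary groups */
    if (setgid(gid) < 0) return -1;         /* group first, while still root */
    if (setuid(uid) < 0) return -1;         /* kernel clears the effective set here */
    if (set_caps(caps) < 0) return -1;      /* shrink permitted, re-raise effective */
    if (prctl(PR_SET_KEEPCAPS, 0L, 0L, 0L, 0L) < 0) return -1;
    if (setuid(0) == 0) { errno = EPERM; return -1; } /* root must not be regainable */
    return 0;
}

int main(void)
{
    uint32_t caps = routing_daemon_caps();
    printf("capability mask: 0x%x\n", (unsigned) caps);
    /* 65534 is a constructed uid/gid ("nobody" on many systems). */
    if (drop_priv_keep_caps(65534, 65534, caps) < 0) { perror("drop_priv_keep_caps"); return 1; }
    printf("now uid=%d with network capabilities only\n", (int) getuid());
    return 0;
}
```

A caller should treat any -1 return as fatal and exit, since the process may be left partway through the drop.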