On Wed, 6 Jan 1999, D. J. Bernstein wrote:

> In every case the file access could be moved to a non-setuid daemon that
> accepts UNIX-domain connections from unprivileged user programs. This
> would wipe out a huge number of local security holes.

I really think this is overrated. All a client-server model would do is eliminate process attribute inheritance. It would prevent environment variables from being inherited, file descriptors, etc. Sure, these do cause security holes, but let's not forget the plethora of other holes caused by buffer overruns, race conditions et al., which occur regardless of attribute inheritance.

> http://pobox.com/~djb/docs/secureipc.html

Add SCM_CREDS on FreeBSD and BSD/OS to the list. Here's your problem; you already have:

Linux:   SO_PEERCRED
FreeBSD: SCM_CREDS
BSD/OS:  SCM_CREDS (different from FreeBSD)
NetBSD:  LOCAL_CREDS
Solaris: Doors

Too many, making life very unportable. Is there a mention of any of these in any standard?

Another way, that Thomas Ptacek had mentioned a while back on comp.security.unix, includes passing a file descriptor that is only readable by its owner (SCM_RIGHTS). An fstat() will give you the owner of the file, and thus you'd know the peer's effective user ID.

Here's another question: apart from Bernstein's paper, has anyone written formal papers on this technique? I'm looking to reference some papers for some writing.

--
Thamer Al-Herbish                                  PGP public key:
shadowsat_private                   http://www.whitefang.com/pgpkey.txt
[ Maintainer of the Raw IP Networking FAQ http://www.whitefang.com/rin/ ]
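The descriptor-passing trick described in the post (pass a file only its owner can read over SCM_RIGHTS, then fstat() it on the receiving side), written out as an added example that is not from the post or from the FAQ its author maintains. It assumes a POSIX system with socketpair() and a libc whose tmpfile() creates a mode-0600 file, and drives both ends in one process so the receiver's checks can be seen in isolation.

```c
#include <sys/socket.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
/* Client side: hand one open descriptor to the peer with SCM_RIGHTS. */
static int send_fd(int sock, int fd) {
    char byte = 'x', cbuf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { &byte, 1 };
    struct msghdr msg; memset(&msg, 0, sizeof msg); memset(cbuf, 0, sizeof cbuf);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = cbuf; msg.msg_controllen = sizeof cbuf;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}
/* Server side: uid owning the received file, or (uid_t)-1 unless the token is a
   regular file, opened for reading, with no group/other permission bits. Caveats: a
   root peer can open anything, and on Linux an O_PATH descriptor (flagged in F_GETFL)
   is obtainable without read permission on the file, so reject that too if it exists. */
static uid_t recv_peer_uid(int sock) {
    char byte, cbuf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { &byte, 1 };
    struct msghdr msg; memset(&msg, 0, sizeof msg);
    struct stat st; int fd, fl; uid_t uid = (uid_t)-1;
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = cbuf; msg.msg_controllen = sizeof cbuf;
    if (recvmsg(sock, &msg, 0) != 1) return uid;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS) return uid;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    if ((fl = fcntl(fd, F_GETFL)) >= 0 && fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
        (st.st_mode & (S_IRWXG | S_IRWXO)) == 0 &&
        ((fl & O_ACCMODE) == O_RDONLY || (fl & O_ACCMODE) == O_RDWR))
        uid = st.st_uid;
    close(fd); return uid;
}
/* Self-test over a socketpair: pass a private temp file, recover our own uid. */
static uid_t peer_uid_demo(void) {
    int sv[2]; uid_t uid = (uid_t)-1;
    FILE *f = tmpfile();  /* constructed token: created 0600 and O_RDWR by libc */
    if (f && socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == 0) {
        if (send_fd(sv[0], fileno(f)) == 0) uid = recv_peer_uid(sv[1]);
        close(sv[0]); close(sv[1]);
    }
    if (f) fclose(f); return uid;
}
```

The receiver trusts nothing but the kernel's own fstat() and F_GETFL results, which is the whole appeal over the per-platform credential options listed in the post.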
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:27:50 PDT