Re: Wiping out setuid programs

From: Alan Cox (alanat_private)
Date: Sat Jan 09 1999 - 15:46:02 PST

Next message: Pete Kruckenberg: "Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service)"

Previous message: D. J. Bernstein: "Re: Wiping out setuid programs"
Maybe in reply to: D. J. Bernstein: "Wiping out setuid programs"
Next in thread: Steven M. Bellovin: "Re: Wiping out setuid programs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> Given widespread kernel support for getpeereuid(), it's easy to split a
> setuid program. All you have to do is identify the atomic operations
> that the program performs upon restricted files, and move the code for
> those operations to a separate daemon.

getpeeruid() is the wrong semantics though. If you look at the Linux
credential passing it is done per message. A blind implementation of
uid per socket pair makes it rather hard to handle datagram based
services, to pick up on uid changes the other end etc.

Alan

Next message: Pete Kruckenberg: "Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service)"
Previous message: D. J. Bernstein: "Re: Wiping out setuid programs"
Maybe in reply to: D. J. Bernstein: "Wiping out setuid programs"
Next in thread: Steven M. Bellovin: "Re: Wiping out setuid programs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:28:18 PDT