[To Aleph1: please kill my previous reply to Eric Griffis's patch; it contains mostly the same content as my reply to Sylvain Robitaille's patch, which I'd assumed you'd rejected.]

Eric Griffis's patch suffers from the same race condition as Sylvain Robitaille's: the link could be created between the lstat() and the bind(). It's better than nothing, but it doesn't get rid of the whole problem.

As I said before, I haven't done any testing, so I don't know if this would a) work, or b) be effective against the flaw, but: has anyone considered an approach like adding this sort of code:

    if (setregid(-1, pw->pw_gid) < 0 || setreuid(-1, pw->pw_uid) < 0) {
        ... /* error */
    }

before the bind() call, and:

    if (setreuid(-1, 0) < 0) {
        ... /* error */
    }

after? (In case it's not clear, what I'm trying to do is assume the user's uid/gid for the duration of the bind(), and reacquire root privs afterwards.)

--
Dan Astoorian        People shouldn't think that it's better to have
Sysadmin, CS Lab     loved and lost than never loved at all. It's not,
djastat_private      it's better to have loved and won. All the other
                     options really suck.  --Dan Redican
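The "assume the user's uid/gid around bind()" idea above, written out as an added example (this is not the poster's code, nor any project's): a helper that drops the effective gid and uid to the target user's, performs the bind(), and restores both ids, with the error handling the post elides. It assumes what the post assumes, a setuid-root program whose real uid is still 0 (which is what makes setreuid(-1, 0) permitted afterwards), and it goes slightly beyond the post by also restoring the gid and by treating a failed restore as fatal rather than continuing with an unknown privilege state. Run unprivileged, the setre*id() calls are no-ops that still succeed, so demo() exercises the same code path on a constructed temporary socket path.

```c
/* Added example, not the original poster's code. Bind a Unix-domain socket
 * with the effective uid/gid temporarily set to the target user's, then
 * restore the caller's effective ids. Assumes (as the post does) that the
 * program runs with real uid 0, so the effective uid can be regained. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Returns bind()'s result (0 on success, -1 with errno set on failure). */
int bind_as_user(int fd, const struct sockaddr_un *sa, socklen_t len,
                 uid_t uid, gid_t gid)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int rc, saved_errno;

    /* Group first, then user: once the effective uid is non-root we may
     * no longer be allowed to change the effective gid. */
    if (setregid(-1, gid) < 0)
        return -1;
    if (setreuid(-1, uid) < 0) {
        saved_errno = errno;
        (void)setregid(-1, saved_egid);
        errno = saved_errno;
        return -1;
    }

    /* The socket node is now created subject to the user's own permission
     * checks, not root's. */
    rc = bind(fd, (const struct sockaddr *)sa, len);
    saved_errno = errno;

    /* Restore uid before gid: the real uid is still 0, so setreuid(-1, 0)
     * is permitted, and with euid 0 back the gid can be restored too. */
    if (setreuid(-1, saved_euid) < 0 || setregid(-1, saved_egid) < 0) {
        /* Unable to regain privileges: do not continue in an unknown state. */
        perror("restore privileges");
        abort();
    }
    errno = saved_errno;
    return rc;
}

/* Stand-alone demonstration on a constructed path: make a fresh temporary
 * directory, bind a socket there as the current user, check that a socket
 * node appeared, and clean up. Returns 1 on success, 0 on any failure. */
int demo(void)
{
    char dir[] = "/tmp/bindasXXXXXX";   /* constructed sample location */
    char path[sizeof(dir) + 8];
    struct sockaddr_un sa;
    struct stat st;
    int fd, ok = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(path, sizeof path, "%s/sock", dir);

    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        goto out_dir;

    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strncpy(sa.sun_path, path, sizeof(sa.sun_path) - 1);

    if (bind_as_user(fd, &sa, sizeof sa, getuid(), getgid()) == 0 &&
        lstat(path, &st) == 0 && S_ISSOCK(st.st_mode))
        ok = 1;

    close(fd);
    unlink(path);
out_dir:
    rmdir(dir);
    return ok;
}

int main(void)
{
    int ok = demo();
    printf("bind as user: %s\n", ok ? "ok" : "failed");
    return ok ? 0 : 1;
}
```

Two points worth keeping in mind when reading this: it only changes whose credentials bind() runs with, so a symlink planted between the lstat() and the bind() can no longer make root create a socket node somewhere the user could not, but the lstat() check itself stays racy at the user's own privilege level; and the restore step relies on the real uid still being 0, which is why the uid is switched with setreuid(-1, ...) rather than by changing the real uid as well.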
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:06:24 PDT