Re: [Fwd: Truth about ssh 1.2.27 vulnerability]

From: Dan Astoorian (djastat_private)
Date: Thu Sep 30 1999 - 12:06:12 PDT

    [To Aleph1: please kill my previous reply to Eric Griffis's patch; it
    contains mostly the same content as my reply to Sylvain Robitaille's
    patch, which I'd assumed you'd rejected.]
    
    Eric Griffis's patch suffers from the same race condition as Sylvain
    Robitaille's: the link could be created between the lstat() and the
    bind().  It's better than nothing, but it doesn't get rid of the whole
    problem.
    
    As I said before, I haven't done any testing, so I don't know if this
    would a) work, or b) be effective against the flaw, but: has anyone
    considered an approach like adding this sort of code:
    
        if (setregid(-1, pw->pw_gid) < 0 || setreuid(-1, pw->pw_uid) < 0) {
            ... /* error */
        }
    
    before the bind() call, and:
    
        if (setreuid(-1, 0) < 0) {
            ... /* error */
        }
    
    after?  (In case it's not clear, what I'm trying to do is assume the
    user's uid/gid for the duration of the bind(), and reacquire root privs
    afterwards.)
    
    --                          People shouldn't think that it's better to have
    Dan Astoorian               loved and lost than never loved at all.  It's
    Sysadmin, CS Lab            not, it's better to have loved and won.  All
    djastat_private        the other options really suck.    --Dan Redican
    
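An added example, not code from Dan's message or from ssh 1.2.27: the setregid()/setreuid() sequence he sketches, wrapped around a Unix-domain bind(). It restores the caller's saved effective ids rather than hard-coding 0, so it also runs unprivileged; the function name bind_as_user and the /tmp path are assumptions.

```c
/* Added example: bind a Unix-domain socket while temporarily holding the
 * target user's effective uid/gid, then restore the original effective ids.
 * Not from the original post; bind_as_user and the /tmp path are assumed. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/un.h>
#include <unistd.h>

/* Returns a bound fd, or -1 with errno set. Effective ids are restored on
 * every path; failing to regain them is treated as fatal. */
int bind_as_user(const char *path, uid_t uid, gid_t gid) {
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    struct sockaddr_un addr;
    int fd, rc, saved_errno;

    if (strlen(path) >= sizeof(addr.sun_path)) { errno = ENAMETOOLONG; return -1; }
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strcpy(addr.sun_path, path);
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return -1;

    /* Real uid is left alone (-1) so the switch back is permitted; with the
     * user's effective ids, bind() resolves and permission-checks the path as
     * the user and the socket inode is created owned by the user. */
    if (setregid((gid_t)-1, gid) == 0 && setreuid((uid_t)-1, uid) == 0)
        rc = bind(fd, (struct sockaddr *)&addr, sizeof addr);
    else
        rc = -1;
    saved_errno = errno;

    /* Regain the original effective ids (root, in the sshd case). */
    if (setreuid((uid_t)-1, saved_euid) < 0 || setregid((gid_t)-1, saved_egid) < 0) {
        perror("restoring effective ids");
        _exit(1);
    }
    if (rc < 0) { close(fd); errno = saved_errno; return -1; }
    return fd;
}

int main(void) {
    char path[64];
    snprintf(path, sizeof path, "/tmp/agent-demo-%ld", (long)getpid());
    int fd = bind_as_user(path, getuid(), getgid());
    if (fd < 0) { perror("bind_as_user"); return 1; }
    printf("bound %s with euid %ld during bind()\n", path, (long)getuid());
    close(fd);
    return unlink(path);
}
```

This changes what a won race yields, not the lstat()/bind() window itself: a link into a directory the user cannot write makes bind() fail with EACCES instead of creating a root-owned socket there.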



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:06:24 PDT