[1084] in linux-security and linux-alert archive
Re: [linux-security] Re: RESOLV_HOST_CONF
daemon@ATHENA.MIT.EDU (Keith Owens)
Tue Aug 27 07:57:44 1996
Date: Tue, 27 Aug 1996 10:58:31 +1000 (EST)
From: Keith Owens <kaos@audio.apana.org.au>
To: Daniel Bromberg <ddaniel@furlong.jpl.nasa.gov>
cc: Joshua Cowan <jcowan@jcowan.reslife.okstate.edu>,
linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199608260046.RAA04384@furlong.jpl.nasa.gov>
On Sun, 25 Aug 1996, Daniel Bromberg wrote:
> I propose a blanket solution: have the kernel manipulate the
> environment passed to the setuid program in a safe manner. [snip]
>
> [REW: The kernel is not equipped to mess with environment variables.
> The kernel can't really go about reading config files.
> Originally "environment variables" was a userlevel hack. I don't think
> that this is a good solution. It prohibits general solutions.
How about the best of both worlds? The kernel detects suid/sgid programs and,
instead of running them directly, starts a trusted wrapper program. The
wrapper reads its configuration files (not the kernel), decides if the user
can run the program, changes the environment, selects libraries, logs the use
etc., then finally runs the target program. The equivalent of TCP wrappers
for sensitive binaries.
[REW: You don't need the kernel to detect this. If you want this
behaviour, you can remove all the s-bits on your system and instead
install a wrapper in their place(*). It can then do all the things you
want before executing the original program...... This is then again a
setuid program which needs to be reasonably secure.....
(*) chmod -s sendmail; mv sendmail sendmail.orig; ln -s wrapper sendmail]
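As an added example (not code from this thread, nor from Keith Owens or the moderator), here is a minimal C wrapper of the kind the exchange describes, meant to be installed setuid in place of the original binary per the (*) recipe. It reads an assumed config file (/etc/suidwrap.conf, one or more usernames per line, '#' for comments), decides by the caller's real uid, rebuilds the environment from a short allowlist plus a fixed PATH so that RESOLV_HOST_CONF, LD_PRELOAD, IFS and the like never reach the target, logs the use through syslog, and finally execs the renamed original at an assumed path. Paths, config format and the allowlist are illustrative assumptions.

```c
/* Added example: a minimal setuid "exec wrapper" in the spirit of the
 * message above.  Not code from the original thread.  Paths, config format
 * and the allowlist are assumptions chosen for illustration. */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

#define TARGET    "/usr/sbin/sendmail.orig"  /* assumed: the renamed original */
#define CONF      "/etc/suidwrap.conf"       /* assumed: usernames, '#' comments */
#define SAFE_PATH "PATH=/usr/bin:/bin"       /* fixed PATH handed to the target */
#define MAX_ENV   64

/* Allowlist: only these variable names survive.  Everything else, including
 * RESOLV_HOST_CONF, LD_PRELOAD, LD_LIBRARY_PATH and IFS, is dropped. */
static const char *const keep[] = { "TERM", "LANG", "TZ", NULL };

/* Returns 1 if the environment entry "NAME=value" names an allowlisted variable. */
int env_is_safe(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL) return 0;                   /* malformed entry: drop it */
    size_t n = (size_t)(eq - entry);
    for (int i = 0; keep[i] != NULL; i++)
        if (strlen(keep[i]) == n && strncmp(keep[i], entry, n) == 0)
            return 1;
    return 0;
}

/* Builds a fresh environment in out[] from in[]: the fixed PATH first, then
 * the allowlisted entries in their original order.  Returns the number of
 * entries written; out[] is NULL-terminated and must hold max+1 pointers. */
size_t build_clean_env(char *const in[], char *out[], size_t max)
{
    size_t n = 0;
    if (max == 0) { out[0] = NULL; return 0; }
    out[n++] = SAFE_PATH;
    for (size_t i = 0; in[i] != NULL && n < max; i++)
        if (env_is_safe(in[i]))
            out[n++] = in[i];
    out[n] = NULL;
    return n;
}

/* Authorisation check against the config text: usernames separated by
 * whitespace, '#' to end of line is a comment.  Returns 1 if user is listed.
 * Oversized or empty config fails closed. */
int user_allowed(const char *conf, const char *user)
{
    char buf[4096];
    size_t len = strlen(conf);
    if (len >= sizeof buf) return 0;
    memcpy(buf, conf, len + 1);
    for (char *p = buf; *p; p++) {              /* blank out comments first */
        if (*p != '#') continue;
        while (*p && *p != '\n') *p++ = ' ';
        if (*p == '\0') break;
    }
    for (char *tok = strtok(buf, " \t\r\n"); tok != NULL; tok = strtok(NULL, " \t\r\n"))
        if (strcmp(tok, user) == 0)
            return 1;
    return 0;
}

int main(int argc, char *argv[], char *envp[])
{
    (void)argc;
    char *clean[MAX_ENV + 1];
    char conf[4096];
    openlog("suidwrap", LOG_PID, LOG_AUTH);

    /* Decide by the real uid: that is who actually invoked the wrapper. */
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL) { syslog(LOG_ERR, "unknown uid %ld", (long)getuid()); return 1; }

    FILE *f = fopen(CONF, "r");
    size_t got = f ? fread(conf, 1, sizeof conf - 1, f) : 0;
    if (f) fclose(f);
    conf[got] = '\0';
    if (got == 0 || !user_allowed(conf, pw->pw_name)) {   /* missing config: deny */
        syslog(LOG_WARNING, "denied %s for uid %ld", TARGET, (long)getuid());
        return 1;
    }
    build_clean_env(envp, clean, MAX_ENV);
    syslog(LOG_INFO, "uid %ld runs %s", (long)getuid(), TARGET);
    argv[0] = TARGET;                           /* target sees its own name */
    execve(TARGET, argv, clean);                /* absolute path, clean environment */
    syslog(LOG_ERR, "execve %s failed", TARGET);
    return 1;
}
```

The wrapper is itself a setuid program, exactly the point REW makes, so it stays deliberately small: no relative paths, no shell, an allowlist rather than a denylist for the environment, and a config that fails closed when missing or unreadable. It does not touch inherited file descriptors, resource limits or signal dispositions, which a production wrapper would also have to reset before the exec.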