[588] in linux-security and linux-alert archive
Re: BoS: Re: XFree86 3.1.2 Security Problems
daemon@ATHENA.MIT.EDU (Patrick Powell)
Wed Jan 31 17:21:13 1996
Date: Tue, 30 Jan 1996 06:43:42 -0800
From: Patrick Powell <papowell@sdsu.edu>
To: bvwilder@y.cs.rhbnc.ac.uk, nobody@mail.uu.net
Cc: best-of-security@suburbia.net, beta@xfree86.org, bugtraq@CRIMELAB.COM,
davem+@andrew.cmu.edu, linux-alert@tarsier.cv.nrao.edu,
linux-security@tarsier.cv.nrao.edu
Folks, I went through exactly the same thing when I developed the LPRng
print spooler package. The solution that I used for the problem was as
follows:
1. In the startup code, use seteuid()/setreuid() to set
EUID to something banal such as daemon, and RUID to root.
(you might want to save the original RUID for permissions checking).
2. Do all operations EXCEPT socket() and bind() calls as EUID daemon.
It turns out that on some ^&*(*&*( systems when you want to bind
to a reserved port, you must open the socket EUID ROOT and do the
bind EUID root.
3. Before you do an exec, do a seteuid/setuid
to the original user and/or daemon UID (your application mileage may
vary on this).
Now this sounds brutal, and it is. But look at it this way:
you do things as ROOT only for those things that absolutely require it,
and never pass on the EUID root capability to children.
This should be relatively painless to do.
Patrick ("I have a choice of having some of my fingernails pulled off
with red hot pincers, or rewriting my code? Umm... how many
fingernails? Do I get to choose the hand?") Powell
Dept. Electrical and Computer Engineering,
San Diego State University,
San Diego, CA 92182-1309
Office (619) 594-7796; Lab (619) 594-7578 FAX (619) 594-7577
email: papowell@sdsu.edu