Re: Wiping out setuid programs
daemon@ATHENA.MIT.EDU (Thamer Al-Herbish)
Thu Jan 7 19:00:38 1999
Date: Wed, 6 Jan 1999 23:53:01 -0800
Reply-To: Thamer Al-Herbish <shadows@WHITEFANG.COM>
From: Thamer Al-Herbish <shadows@WHITEFANG.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <19990106040754.18811.qmail@cr.yp.to>
On Wed, 6 Jan 1999, D. J. Bernstein wrote:
> In every case the file access could be moved to a non-setuid daemon that
> accepts UNIX-domain connections from unprivileged user programs. This
> would wipe out a huge number of local security holes.
I really think this is overrated. All a client-server model would do
is eliminate process attribute inheritance. It would prevent
environment variables from being inherited, file descriptors etc.
Sure, these do cause security holes, but let's not forget the
plethora of other holes caused by buffer overruns, race conditions
et al. which occur regardless of attribute inheritance.
> http://pobox.com/~djb/docs/secureipc.html
Add SCM_CREDS on FreeBSD and BSD/OS to the list.
Here's your problem: you already have:
Linux : SO_PEERCRED
FreeBSD: SCM_CREDS
BSD/OS: SCM_CREDS (different from FreeBSD)
NetBSD: LOCAL_CREDS
Solaris: Doors
Too many, making life very unportable. Is there a mention of any
of these in any standard?
Another way, which Thomas Ptacek mentioned a while back on
comp.security.unix, involves passing a file descriptor that is only
readable by its owner (SCM_RIGHTS). An fstat() will give you the
owner of the file, and thus you'd know the peer's effective user ID.
Here's another question: apart from Bernstein's paper, has anyone
written formal papers on this technique? I'm looking to reference
some papers for some writing.
--
Thamer Al-Herbish PGP public key:
shadows@whitefang.com http://www.whitefang.com/pgpkey.txt
[ Maintainer of the Raw IP Networking FAQ http://www.whitefang.com/rin/ ]
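The SCM_RIGHTS/fstat() approach the post attributes to Thomas Ptacek, as an added example that is not part of the original message or any of the projects named in it: a socketpair() stands in for the UNIX-domain connection, the file and path are constructed here, and it assumes a POSIX system where mkstemp() creates the file with mode 0600. The server side's mode check is what stops a peer from passing someone else's world-readable file; root can read anything, so the derived uid only identifies unprivileged peers.

```c
/* Added example (not from the original post): Ptacek's SCM_RIGHTS trick over a
 * socketpair(). The client passes a file only its owner may read; the server
 * fstat()s it and, after checking the mode, takes st_uid as the peer's uid. */
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/uio.h>
#include <unistd.h>
/* Send one descriptor over a UNIX-domain socket; 0 on success, -1 on error. */
int send_fd(int sock, int fd) {
    char byte = 0, buf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { &byte, 1 }; struct msghdr msg = { 0 };
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = buf; msg.msg_controllen = sizeof buf;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}
/* Receive a descriptor and derive the peer uid from it. Returns -1 unless the
 * fd is a regular file, open for reading, with no group/other permission bits. */
int recv_peer_uid(int sock) {
    char byte, buf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { &byte, 1 }; struct msghdr msg = { 0 };
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = buf; msg.msg_controllen = sizeof buf;
    if (recvmsg(sock, &msg, 0) != 1 || (msg.msg_flags & MSG_CTRUNC)) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS
        || c->cmsg_len != CMSG_LEN(sizeof(int))) return -1;
    int fd; memcpy(&fd, CMSG_DATA(c), sizeof(int));
    struct stat st; int fl = fcntl(fd, F_GETFL);
    /* Only the owner (or root) could have opened a 0600 file for reading. */
    int uid = (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & 077) == 0
               && fl != -1 && (fl & O_ACCMODE) != O_WRONLY) ? (int)st.st_uid : -1;
    close(fd);
    return uid;
}
/* Demo: a 0600 temp file (mkstemp's mode; constructed path) passed across a
 * socketpair. Returns the uid the "server" derived, or -1 on any failure. */
int demo(void) {
    char path[] = "/tmp/peercred-XXXXXX"; int sv[2];
    int fd = mkstemp(path);
    if (fd < 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    unlink(path);
    int uid = send_fd(sv[0], fd) == 0 ? recv_peer_uid(sv[1]) : -1;
    close(fd); close(sv[0]); close(sv[1]);
    return uid;
}
```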