[9018] in bugtraq
Re: Wiping out setuid programs
daemon@ATHENA.MIT.EDU (Alan Cox)
Sun Jan 10 13:41:16 1999
Date: Sat, 9 Jan 1999 23:46:02 +0000
Reply-To: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
From: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
X-To: djb@CR.YP.TO
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <19990109105854.3085.qmail@cr.yp.to> from "D. J. Bernstein" at Jan 9, 99 10:58:54 am
> Given widespread kernel support for getpeereuid(), it's easy to split a
> setuid program. All you have to do is identify the atomic operations
> that the program performs upon restricted files, and move the code for
> those operations to a separate daemon.
getpeeruid() is the wrong semantics though. If you look at the Linux
credential passing, it is done per message. A blind implementation of
uid per socket pair makes it rather hard to handle datagram based
services, to pick up on uid changes at the other end, etc.
Alan
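The distinction Alan draws above, shown in code. This is an added example and not code from either poster: one process plays both ends of an AF_UNIX datagram socketpair, reads the per-socket credentials that Linux fixes at socketpair() (or connect()) time via SO_PEERCRED, then sends one datagram carrying SCM_CREDENTIALS ancillary data and reads the per-message credentials back on the other end. The request string and the request_allowed() policy helper (a stand-in for the "separate daemon" deciding whether to perform a restricted operation) are constructed for the example; struct peer_creds is declared locally with the same layout as the kernel's struct ucred. Linux only: the SO_PASSCRED/SCM_CREDENTIALS mechanism has no portable equivalent, and the kernel refuses a sender that claims credentials other than its own unless it holds CAP_SYS_ADMIN, CAP_SETUID or CAP_SETGID.

```c
/* Linux AF_UNIX credentials: per socket (SO_PEERCRED) vs per message
 * (SCM_CREDENTIALS). Added example, not from the bugtraq thread. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1
#endif
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>

/* Same layout as the kernel's struct ucred, declared locally so the example
 * does not depend on _GNU_SOURCE having been seen before <sys/socket.h>. */
struct peer_creds { pid_t pid; uid_t uid; gid_t gid; };

#ifndef SCM_CREDENTIALS
#define SCM_CREDENTIALS 0x02   /* value used by Linux */
#endif

struct creds_result {
    struct peer_creds per_socket;   /* SO_PEERCRED: fixed when the pair was made */
    struct peer_creds per_message;  /* SCM_CREDENTIALS: attached to this datagram */
    int message_had_creds;          /* 1 if the datagram carried credentials */
    char request[64];               /* payload that arrived with them */
};

/* Hypothetical daemon-side policy: decide on the credentials that came with
 * the message, not on whoever happened to create the connection. */
int request_allowed(const struct creds_result *r, uid_t required_uid)
{
    return r->message_had_creds && r->per_message.uid == required_uid;
}

/* Runs both ends of a datagram socketpair. Returns 0 on success, -1 on error. */
int peer_creds_demo(struct creds_result *out)
{
    int sv[2], one = 1;
    socklen_t len;
    struct peer_creds sender;
    struct iovec iov;
    struct msghdr msg;
    struct cmsghdr *cm;
    union { char buf[CMSG_SPACE(sizeof(struct peer_creds))]; struct cmsghdr align; } u;
    const char *req = "open /etc/shadow";   /* constructed request payload */

    memset(out, 0, sizeof *out);
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;

    /* 1. Per-socket view: whoever called socketpair(), captured once. */
    len = sizeof out->per_socket;
    if (getsockopt(sv[1], SOL_SOCKET, SO_PEERCRED, &out->per_socket, &len) < 0)
        goto fail;

    /* 2. Receiver asks the kernel to deliver credentials with each datagram. */
    if (setsockopt(sv[1], SOL_SOCKET, SO_PASSCRED, &one, sizeof one) < 0)
        goto fail;

    /* 3. Sender attaches its own credentials to this particular datagram;
     *    the kernel validates pid/uid/gid against the sending task. */
    sender.pid = getpid(); sender.uid = getuid(); sender.gid = getgid();
    iov.iov_base = (void *)req;
    iov.iov_len = strlen(req) + 1;
    memset(&msg, 0, sizeof msg);
    memset(&u, 0, sizeof u);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = u.buf; msg.msg_controllen = sizeof u.buf;
    cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_CREDENTIALS;
    cm->cmsg_len = CMSG_LEN(sizeof sender);
    memcpy(CMSG_DATA(cm), &sender, sizeof sender);
    if (sendmsg(sv[0], &msg, 0) < 0)
        goto fail;

    /* 4. Receiver reads the datagram and walks its ancillary data. */
    iov.iov_base = out->request;
    iov.iov_len = sizeof out->request;
    memset(&u, 0, sizeof u);
    msg.msg_control = u.buf; msg.msg_controllen = sizeof u.buf;
    if (recvmsg(sv[1], &msg, 0) < 0)
        goto fail;
    for (cm = CMSG_FIRSTHDR(&msg); cm != NULL; cm = CMSG_NXTHDR(&msg, cm)) {
        if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_CREDENTIALS) {
            memcpy(&out->per_message, CMSG_DATA(cm), sizeof out->per_message);
            out->message_had_creds = 1;
        }
    }
    close(sv[0]); close(sv[1]);
    return 0;
fail:
    close(sv[0]); close(sv[1]);
    return -1;
}

int main(void)
{
    struct creds_result r;
    if (peer_creds_demo(&r) != 0) { perror("peer_creds_demo"); return 1; }
    printf("request '%s': per-socket uid=%u, per-message uid=%u pid=%d, allowed=%d\n",
           r.request, (unsigned)r.per_socket.uid, (unsigned)r.per_message.uid,
           (int)r.per_message.pid, request_allowed(&r, getuid()));
    return 0;
}
```

In a single process both views agree, which is exactly the case a per-socket-pair design gets right. The difference shows up when the sending side changes uid after the pair exists, or when one datagram socket is shared by several clients: SO_PEERCRED keeps reporting the creator, while each SCM_CREDENTIALS record describes the task that sent that datagram.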