Re: dropping setuid/setgid privileges
From: Sam Steingold
Subject: Re: dropping setuid/setgid privileges
Date: Tue, 9 Jun 2009 09:47:25 -0400
On Tue, Jun 9, 2009 at 5:07 AM, Bruno Haible <address@hidden> wrote:
> Sam Steingold wrote:
>>
>> down with the nannies!
>> let us assume that I threw in the anti-totalitarian-programming
>> diatribe here. :-)
>
> I call it collaborative programming: I program something, and users report
> bugs, until the code gets better. :-)
this has nothing to do with collaboration and everything to do with
forcing inappropriate behavior on the users of your code.
>> you could easily make it suitable for libraries too by returning an
>> exit code
>
> The point is not the return code. It's about the amount of things that
> you have to check in order to be sure that you are not distributing a
> security vulnerability.
>
> For the idpriv-drop module the doc says (thanks James!):
>
> Note: There may still be security issues if the privileged task puts
> sensitive data into the process memory or opens communication channels
> to restricted facilities.
>
> For the idpriv-droptemp module it's even worse:
>
> there are additionally the dangers that
> - Any bug in the non-privileged part of the program may be used to
> create invalid data structures that will trigger security
> vulnerabilities in the privileged part of the program.
> - Code execution exploits in the non-privileged part of the program may
> be used to invoke the function that restores high privileges and then
> execute additional arbitrary code.
>
> In the situation of a library you cannot foresee, not even check, the
> possible interactions of the sensitive data structures and the code outside -
> because by definition, the code outside is not limited to your source
> repository.
>
> That's why these two modules make sense only in executables, and the second
> one only in *small* executables which you completely overlook.
blah-blah-blah.
so, you are _intentionally_ making your code useless to me because you
_think_ it is not appropriate for me to use it.
the net result is that I will be using a worse piece of code instead
of your good code, and my users will be _less_ secure as a result of
your grandstanding.
--
Sam Steingold <http://sds.podval.org>
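The caveats Bruno quotes from the idpriv-drop documentation concern a permanent drop of setuid/setgid privileges. As an added illustration (not gnulib's idpriv-drop code and not written by either poster), the function below performs such a drop in the safe order (supplementary groups, then gid, then uid) and then checks that the privileges really cannot be regained, which is the property a caller of such a module has to rely on. The name `drop_privileges_permanently` is hypothetical.

```c
#define _GNU_SOURCE   /* for setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently give up setuid/setgid privileges and verify the drop.
   Returns 0 on success, -1 with errno set on failure.  Hypothetical
   helper, not gnulib's idpriv_drop(). */
int drop_privileges_permanently(void)
{
    uid_t real_uid = getuid();
    gid_t real_gid = getgid();

    /* Supplementary groups first: only root may change them, so a
       process that was never root skips this step. */
    if (geteuid() == 0 && setgroups(1, &real_gid) != 0)
        return -1;

    /* Group before user: once the effective uid is unprivileged the
       kernel would refuse to change the gid. */
    if (setgid(real_gid) != 0)
        return -1;
    if (setuid(real_uid) != 0)
        return -1;

    /* Post-condition: re-elevation must now fail.  A process that is
       genuinely root (real uid 0) has nothing to drop, so the check only
       applies when the real ids are unprivileged. */
    if (real_uid != 0 && setuid(0) == 0) { errno = EPERM; return -1; }
    if (real_gid != 0 && setgid(0) == 0) { errno = EPERM; return -1; }
    if (geteuid() != real_uid || getegid() != real_gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Convenience predicate for callers: are effective and real ids equal,
   i.e. is no privilege currently in effect? */
int privileges_are_dropped(void)
{
    return geteuid() == getuid() && getegid() == getgid();
}
```

Note that this only covers the identity itself; as the quoted documentation says, sensitive data already in memory or descriptors opened while privileged are not undone by the drop.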