dropping setuid/setgid privileges, round 2
From: Bruno Haible
Subject: dropping setuid/setgid privileges, round 2
Date: Thu, 11 Jun 2009 19:44:41 +0200
User-agent: KMail/1.9.9
Just came across these two articles, which go in the same direction as
"Setuid demystified":
* Dan Tsafrir, Dilma da Silva, David Wagner: The Murky Issue of Changing
Process Identity: Revising "Setuid Demystified"
<http://www.eecs.berkeley.edu/~daw/papers/setuid-login08b.pdf>
<http://code.google.com/p/change-process-identity/>
* Dhruv Mohindra: Observe correct revocation order while relinquishing
privileges
<https://www.securecoding.cert.org/confluence/display/seccode/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges>
The interesting points in this article:
* There are two types of processes that need to drop privileges:
- Those which are installed as setuid/setgid binaries,
- Those which are usually run as root.
The gnulib functions, so far, are useful only for the first case.
* What happens with the supplementary groups? They are not changed
by setuid, setgid. They don't exist in a "real" vs. "effective" flavour.
So the process may end up running with the effective uid and gid of one
user and with the supplementary groups of another user. Sometimes this
is desired, sometimes not...
* Regarding abort() vs. "return -1" - hi Sam! -, they say:
"But while reporting failure through return values is possible, we advise
against it, as it might leave the identity in an inconsistent state. Thus,
when an identity change fails in the middle, programmers should either
abort, or really know what they’re doing."
* Their functions take the target credentials as arguments, while the
gnulib functions take no arguments, for ease of use.
* On FreeBSD, the setgroups() system call is not POSIX compliant: It affects
the effective gid. coreutils/src/setuidgid.c works around this problem,
but a comment about this portability problem would be nice.
* AIX 5.3 appears to have a function getuidx()
<http://publib.boulder.ibm.com/infocenter/systems/index.jsp?topic=/com.ibm.aix.basetechref/doc/basetrf1/getuid.htm>
that could be used to implement getresuid() on this system.
Bruno