Re: the watchdog of login program

[Thomas Bushnell BSG]

Roland McGrath <roland@frob.com> writes:

> > More exactly, you mean before calling proc_setowner.
> 
> Yes.
> 
> > We should be more careful here.  
> 
> How?

As I described below. :)

> > For all we know, we have big giant hairy port leaks in the startup code
> > for the Hurd, and every process in the system is running as root.
> 
> Not if there are EXEC_NEWTASK execs involved.  

Ok, that's true, EXEC_NEWTASK is good enough for the general case.

> Like I said, there might be leaks in login I haven't though of.  Using
> EXEC_NEWTASK is the way to be sure none survive, but there will be a window
> between proc_setowner and the exec completing where the target owner can
> hijack the login process and exploit any leaks.  We can avoid that by using
> EXEC_SECURE instead, and just not calling proc_setowner at all.  Then exec
> will use proc_setowner on the fresh task's proc port after proc_reassign.

Ah, good idea.  I think EXEC_SECURE is perhaps the best solution
here.  

> That is nuts.  You don't know what you are talking about proc and
> startup programs for.  There is no problem with them.  We are
> talking about login here.

Given the normal use of EXEC_NEWTASK, you are right.

Thomas