
[Otpasswd-talk] Mode of operation discussion


From: Tomasz bla Fortuna
Subject: [Otpasswd-talk] Mode of operation discussion
Date: Thu, 7 Jan 2010 00:27:21 +0100

Hi,

$USER is the user otpasswd is supposed to run as; defined in config.

1) DB=user mode is clear. No SUID. 
For clearance and easy swapping:
/etc/otpasswd should be owned by $USER
/etc/otpasswd.conf should be owned by root and world readable.
Even if the utility is SUID, it will drop permissions right after it reads
the config with the DB=user option. It will drop permissions back to the user
who called it.


2) DB=global.
/etc/otpasswd as in 1), otshadow owned by $USER (will be created if it
doesn't exist)

a) SGID can't be used because we won't be able to stop the user from
sending us SIGSTOP when state is locked.

b) SUID $USER is generally ok, BUT:
If the utility is compromised then the attacker can change the executable
and later, when it's run by root, install a rootkit.

c) SUID root. 
Running sequence as follows:
- If root:
- Have capabilities? - strip all capabilities except for
  setuid.
- Read config file
- Since we now know $USER, drop permissions to $USER.
- Do dangerous stuff like parsing user input.


I do currently, after some thought, believe that c) is better than a)
and b). Most daemons work like this. What do you think? If there's
nothing really flawed here and if it can't be done with b) or c) while
fixing the SIGSTOP problem I'd use this approach for 0.5.


Cheers,

-- 
Tomasz bla Fortuna
jid: bla(at)af.gliwice.pl
pgp: 0x90746E79 @ pgp.mit.edu
www: http://bla.thera.be

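The SUID-root sequence from point c) above, as an added C example that is not otpasswd's own code: read the config while still root, resolve $USER, drop to it irreversibly and verify the drop before parsing anything the caller supplied. The config line format (`user=NAME`) and the function names are assumptions.

```c
// Added example (not otpasswd's code): the SUID-root sequence from point c).
// Assumed config format: one "key=value" per line, e.g. "user=otpasswd".
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <grp.h>
#include <pwd.h>
#include <sys/types.h>

// Extract the value of "user=NAME" from config text into out; 0 if found.
int config_user(const char *cfg, char *out, size_t outlen) {
    const char *p = cfg;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len > 5 && strncmp(p, "user=", 5) == 0 && len - 5 < outlen) {
            memcpy(out, p + 5, len - 5);
            out[len - 5] = '\0';
            return 0;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return -1;
}

// Drop to uid/gid permanently: supplementary groups first, then gid, then
// uid (setresuid also clears the saved uid, so root cannot be regained).
// Returns 0 on success, -1 if a step failed or the drop could not be verified.
int drop_to(uid_t uid, gid_t gid) {
    if (setgroups(0, NULL) != 0) return -1;       // needs root / CAP_SETGID
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    // Verify: regaining root must fail, and the ids must match the target.
    if (uid != 0 && setuid(0) == 0) return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid) return -1;
    return 0;
}

int main(void) {
    // Constructed config text standing in for /etc/otpasswd.conf.
    const char *cfg = "db=global\nuser=otpasswd\n";
    char name[64];
    if (config_user(cfg, name, sizeof name) != 0) return 1;
    struct passwd *pw = getpwnam(name);            // still root here
    if (!pw) { fprintf(stderr, "no such user %s\n", name); return 1; }
    if (drop_to(pw->pw_uid, pw->pw_gid) != 0) { perror("drop_to"); return 1; }
    // Only now parse anything supplied by the caller.
    return 0;
}
```

Run as root (or SUID root) the binary ends up as the configured user with no way back; as an unprivileged user `drop_to` fails at `setgroups` and the program refuses to continue.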

