From owner-freebsd-hackers Wed May 24 16:08:38 2000
From: Nick Sayer
Reply-To: nsayer@freebsd.org
To: "Jeroen C. van Gelderen", freebsd-hackers@freebsd.org
Date: Wed, 24 May 2000 16:08:33 -0700
Subject: Needed: suid library calls (was Re: cvs commit: src/crypto/openssh sshd_config)
Message-ID: <392C60F1.91EDC30D@sftw.com>

"Jeroen C. van Gelderen" wrote:

> [...]
>
> Since user authentication is needed by more than one program it
> should live in its own process. Right now there is code
> duplication and it is impossible to change the authentication
> policy without messing with sshd.

What we _really_ need is some mechanism to recognize the difference between a user program and a system library, with an eye towards granting privileges to trusted libraries without letting those privileges leak past the library in question. I don't claim that this is an _easy_ thing to do, nor that it is a particularly standard thing to do. But the mechanism of having some sort of daemon or service whose job it is to just do !strcmp(pw->pw_passwd,crypt(foo,pw->pw_passwd)) is, I think, kind of overkill. Perhaps some sort of syscall to change the euid that only works in privileged libraries would work.

User authentication is only one example. There are many things that only root can do where letting non-root do the job is not dangerous, but granting non-root permission in a general way is. Another good example is daemons that must bind listening sockets <1024, but don't need root otherwise. The entire binary must be suid up to the bind, at which point the program may renounce the suid bit (setreuid(getuid(),getuid());). Wouldn't it be more secure if a library could selectively grant low ports to _selected_ non-suid programs (perhaps with a config file)?
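The "root only until bind(), then renounce" pattern the message describes, as an added example that is not from the mail or from FreeBSD: the listener is opened first, then the process drops to an unprivileged uid/gid and checks that the drop is permanent. Function names and the target uid/gid 65534 are my assumptions.

```c
/* Added example, not from the original mail: the "root only until bind(),
 * then renounce" pattern it describes. Function names are mine; uid/gid
 * 65534 is a constructed target ("nobody" on many systems). */
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Listening TCP socket on `port`; 0 lets the kernel choose. A port below
 * 1024 is the step that still needs root, so it happens before the drop. */
int bind_listener(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permanently drop to uid/gid: gid first (it needs root), then setuid(),
 * which with root privilege replaces real, effective and saved uid at once.
 * Refuses a root target and verifies root cannot be regained. Returns 0 on
 * success. A production daemon would also clear supplementary groups. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    if (setuid(0) == 0) return -1;   /* became root again: drop failed */
    return 0;
}

int main(void) {
    int fd = bind_listener(0);        /* constructed: any free port; a real
                                         daemon would use one below 1024 */
    if (fd < 0) { perror("bind_listener"); return 1; }
    if (geteuid() == 0 && drop_privileges(65534, 65534) < 0) {
        perror("drop_privileges"); return 1;
    }
    printf("listening on fd %d as uid %u\n", fd, (unsigned)geteuid());
    close(fd);
    return 0;
}
```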