Date: Mon, 4 Aug 1997 11:41:13 -0700 (PDT)
From: "Eric J. Schwertfeger" <ejs@bfd.com>
To: "Thomas H. Ptacek" <tqbf@enteract.com>
Cc: security@FreeBSD.ORG
Subject: Re: Proposed alternate patch for the rfork vulnerability
Message-ID: <Pine.BSF.3.95.970804113330.11862C-100000@harlie.bfd.com>
In-Reply-To: <199708041741.MAA04433@enteract.com>
On Mon, 4 Aug 1997, Thomas H. Ptacek wrote:

> > I'm sorry, Bruce, but having the file descriptor sharing break on
> > exec is the ONLY way to have it make sense, let alone be secure.
>
> The problem is specifically an issue with an interaction between the
> rfork() resource sharing semantics and the SUID bit. The problem is
> equally well solved by ignoring the SUID bit.

I'm not sure I agree. Imagine troubleshooting a problem where if a command is typed in on the command line it works fine, but when your fancy shell tries to execute the same command, it fails because the SUID isn't honored, and the SUID program is too stupid to say "I'm not working because I don't have adequate permission to open my config file" but rather says "can't find config file." Sloppy programming, yes, but all too common in the college-student quick-hack programs (not that all college students can only write hacks, or only college students write hacks).

Now, if there's at least an error message spit out, this shouldn't be an issue. Then again, if the calling program doesn't say why the rfork() failed (doesn't check error conditions, etc.) then you're back in the same boat.