From owner-freebsd-hackers Sun Apr 7 14:10:26 2002
Delivered-To: freebsd-hackers@freebsd.org
Message-ID: <3CB0B57C.FA15FA25@mindspring.com>
Date: Sun, 07 Apr 2002 14:09:16 -0700
From: Terry Lambert
To: Jan Grant
Cc: Paweł Jakub Dawidek, freebsd-hackers@freebsd.org
Subject: Re: Patch for setgroups().

Jan Grant wrote:
> On Sun, 7 Apr 2002, Paweł Jakub Dawidek wrote:
> > What do you think about this patch?
> > This can help non-root applications like Apache etc.
> > For example, when I have access to many files from many groups and an
> > attacker exploits this application, he gets access to all files, because
> > there is no way to setgroups() if I am non-root, and maybe only the daemon
> > needs access to all files - the child needs only access to files owned by
> > one group.
>
> This breaks the (rare) case of using group membership for negative
> access control.

Specifically "exclusion groups", e.g.:

# don't let bob use "ls"...
cat >> /etc/group <<'EOF'
nols:*:200:bob
EOF
chgrp nols /bin/ls
chmod g= /bin/ls

This works because permissions are checked in owner/group/world order, and
because you cannot drop group membership: if you are not the owner (root),
then membership in the group "nols" denies you access to the file, even
though world access otherwise remains.

There are also programs that explicitly deny access based on group
membership, by internally asking to see what groups you are in, and denying
access on that basis. This is how a number of "games wrappers" and similar
programs function.

-- Terry