Date: Mon, 21 Oct 1996 13:06:11 +0100 (BST)
From: Jon Ribbens <jon@oaktree.co.uk>
To: mycroft@mit.edu (Charles M. Hannum)
Cc: tech-userlevel@NetBSD.ORG, freebsd-hackers@freefall.FreeBSD.org
Subject: Re: setuid, core dumps, ftpd, and DB
Message-ID: <199610211206.NAA22911@black.oaktree.co.uk>
In-Reply-To: <el2zq1i5n8o.fsf@zygorthian-space-raiders.MIT.EDU> from "Charles M. Hannum" at Oct 19, 96 11:27:17 pm
Charles M. Hannum wrote:
> * In the particular case of ftpd, if you've logged in as a user other
> than root, then your saved, real, and effective uids do not match, so
> the previous check we used to use (ruid != svuid || ruid != euid)
> would catch this. So, unless you're logged in as root, you'd be hard
> pressed to get ftpd to core dump. (except on 1.1, when it's easy)
>
> * Do you prevent core dumps if you've ever had any tainted data, or do
> you attempt to decide when you no longer have any?
>
> * If the latter, how? Always zero buffers (including partial zeroing
> of stdio buffers as you read from them!), create new interfaces to the
> libraries to inform them which data is secure, etc? Garbage
> collection? B-)

In the case of ftpd, at least, I think that it should be split into two
programs. The front-end program would accept the connection, ask for the
user-name and password, setuid and chroot as necessary and then exec
another program which would handle the data transfers. This probably
isn't a trivial change though ;-). It's something to bear in mind when
writing future programs though. (cf 'login')

Cheers

Jon
 ____ \ // Jon Ribbens // \// jon@oaktree.co.uk //
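The hand-off step of the two-program split proposed above, as an added illustration that is not code from this thread or from any BSD ftpd: the front-end disables core dumps before it handles the password, then chroots, drops privileges, verifies the drop with the same uid comparison quoted from Hannum, and only then execs the (hypothetical) transfer program. It assumes a platform with getresuid() such as Linux or FreeBSD; the chroot/setuid path needs root.

```c
#define _GNU_SOURCE              /* for getresuid() on glibc */
#include <grp.h>                 /* setgroups() */
#include <sys/resource.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

/* True when real, effective and saved uids all agree: the inverse of the
 * (ruid != svuid || ruid != euid) test quoted in the thread. Assumes a
 * platform with getresuid() (Linux, FreeBSD). */
int uids_consistent(void)
{
    uid_t ruid, euid, suid;
    if (getresuid(&ruid, &euid, &suid) != 0)
        return 0;
    return ruid == euid && euid == suid;
}

/* Forbid core dumps while the front-end still holds the password buffer,
 * so a later crash cannot write it to disk. Returns 0 on success. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* After authentication: confine the process to `root_dir`, drop every
 * privilege, confirm the drop, then exec the transfer program `argv[0]`
 * (a hypothetical path) with the connection still on the inherited
 * descriptors. Returns -1 only on failure; a successful exec never
 * returns. Needs root for chroot() and setuid(). */
int handoff_to_transfer(const char *root_dir, uid_t uid, gid_t gid,
                        char *const argv[])
{
    if (chroot(root_dir) != 0 || chdir("/") != 0)
        return -1;
    /* Groups first, then gid, then uid: once the uid is unprivileged
     * the earlier two calls would fail. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (!uids_consistent())   /* never exec with a privilege left over */
        return -1;
    execv(argv[0], argv);
    return -1;                /* exec failed */
}
```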