Date: Wed, 18 Jun 1997 16:23:10 +1000 (EST)
From: Ada T Lim <ada@not-enough.bandwidth.org>
To: hackers@FreeBSD.ORG
Subject: Re: hackers-digest V3 #242
Message-ID: <199706180623.QAA03038@polya.blah.org>
In-Reply-To: <199706172053.NAA06861@hub.freebsd.org> from "owner-hackers-digest@FreeBSD.ORG" at "Jun 17, 97 01:53:07 pm"
> > This in turn requires the kernel have the mechanism to access the
> > credential store, which may equate to bundling every possible password
> > access mechanism with the kernel; yeah, let's suck in all the Kerberos
> > stuff, NIS, Radius, S/Key, ssh, Tacacs, SecurID, the Captain Midnight
> > Secret Decoder Wheel algorithm, and so on.

No it doesn't; all it needs is a reworked setuid():

    setuid(id) {
        if (id != 0 && getuid() == trusteduser)
            uid = id;
        etc.

(I know this isn't right, but hopefully you get the idea.)

> > You'll note that there's no actual attempt to justify why
> > authentication by root and subsequent sacrifice of privilege is
> > actually _bad_. Oh, why don't you make _every_ one of your programs
> > setuid, and then put in a seteuid() call somewhere?

Because holes exist.

> > Alternatively, consider using the PAM framework, which is compact,
> > open to analysis, and once analysed, every program that uses it is
> > much simpler to analyse in itself. If PAM interests you, see the
> > references off my homepage (http://www.smith.net.au/~mike).
>
> As shared library(s), it still appears to encourage granting root to a
> program as trivial as a POP3 server which only needs normal user access.
> This temporary root access is, to me, inherently more dangerous than
> taking a program from no access to the specific user id without a stop
> at the higher priv level.

I've already been flamed by deraadt for this, so I _know_ I'm onto a
good thing :)

Anyhow, what would be a good way to implement 'setuid libraries'? (The
idea being that all function calls to this library have an implicit
setuid(0) first and a setuid() back afterwards.) This would mean that
things like ptyopen() etc. could be used in user programs without
needing to be root.

Ada
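The thread argues over "authenticate as root, then sacrifice privilege" versus never touching root at all. The following is an added example, not code from the message or from FreeBSD, showing the privilege-sacrifice path done carefully on a POSIX system: groups and gid are dropped before the uid, a target of uid 0 is refused (in the spirit of the `id != 0` condition in the sketch above), and the drop is verified to be irrevocable afterwards. The account name `nobody` in `main` is an assumption about the host.

```c
/* Added example (not from the thread): drop root to an unprivileged
 * uid/gid and then prove the drop cannot be reverted. */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 on success, -1 on failure with errno set. Order matters:
 * supplementary groups and the gid must be changed before the uid,
 * because once the uid is unprivileged those calls are refused. */
int drop_privileges_to(uid_t uid, gid_t gid)
{
    if (uid == 0) {               /* "dropping" to root is not a drop */
        errno = EINVAL;
        return -1;
    }
    if (geteuid() == 0 && setgroups(0, NULL) != 0) /* root-only call */
        return -1;
    if (setgid(gid) != 0)         /* as root: real, effective and saved gid */
        return -1;
    if (setuid(uid) != 0)         /* likewise for the uid */
        return -1;
    return 0;
}

/* Returns 1 if the process can no longer regain root or gid 0 (both
 * calls must fail with EPERM), 0 otherwise. Call this after every drop. */
int privileges_dropped(void)
{
    if (getuid() == 0 || geteuid() == 0)
        return 0;
    if (setuid(0) != -1 || errno != EPERM)
        return 0;
    if (setgid(0) != -1 || errno != EPERM)
        return 0;
    return 1;
}

int main(void)
{
    struct passwd *pw = getpwnam("nobody");   /* assumed to exist */
    if (pw == NULL) { perror("getpwnam"); return 1; }
    if (drop_privileges_to(pw->pw_uid, pw->pw_gid) != 0) {
        perror("drop_privileges_to");
        return 1;
    }
    printf("now uid %d, irrevocable: %s\n", (int)getuid(),
           privileges_dropped() ? "yes" : "NO");
    return privileges_dropped() ? 0 : 1;
}
```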