From owner-freebsd-hackers@FreeBSD.ORG Wed Aug 20 22:44:03 2003
From: Peter Wemm
To: ari
cc: freebsd-hackers@freebsd.org
Date: Wed, 20 Aug 2003 22:44:02 -0700
Subject: Re: [future patch] dropping user privileges on demand
Message-Id: <20030821054402.8B9582A7EA@canning.wemm.org>
In-Reply-To: <20030817181315.GL55671@episec.com>

ari wrote:
> Currently, root is the only user that can actually drop significant
> privileges, as root is the only user that has access to such functions.
> This is flawed --- any user should be able to relinquish his privileges,
> and I've begun a patch to put this into effect.
>
> However, the fact that this is a security-related kernel feature
> modification warrants peer-review, in both design and implementation.
> It would be unwise of me to create the patch without consulting such.
>
> The web page that discusses the patch may be found at:
>
> http://www.episec.com/people/edelkind/patches/kernel/flowpriv/
>
> I welcome any discussion and criticism.
The biggest risk is that you may have acquired something privileged in your
process memory space or file descriptor table. If you are then fully
unprivileged, then things like ptrace(), core dumps etc. become a minefield.
For example, if a process did a getpwnam() before dropping privs, then it may
have a cached copy of the secret master.passwd data in memory.

Anyway, that's something to keep in mind.

Cheers,
-Peter
--
Peter Wemm - peter@wemm.org; peter@FreeBSD.org; peter@yahoo-inc.com
"All of this is for nothing if we don't go to the stars" - JMS/B5
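An added example, not from Peter's message or the flowpriv patch, of the hygiene his warning implies: scrub cached secrets, close descriptors opened while privileged and zero the core-file limit before the process gives up its privileges. It assumes a POSIX system; the buffer and the /dev/null descriptor are constructed stand-ins for cached passwd data and a file opened while privileged.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

/* Overwrite a secret in place; a volatile pointer keeps the compiler from
 * dropping the stores as dead the way it may with a final memset(). */
static void scrub(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* 1 if every byte of buf is zero (used to confirm scrubbing). */
int all_zero(const unsigned char *buf, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (buf[i]) return 0;
    return 1;
}

/* Constructed stand-in for a descriptor opened while privileged. */
int open_as_if_privileged(void) { return open("/dev/null", O_RDONLY); }

/* Close a descriptor acquired while privileged; 1 if it is now invalid. */
int close_privileged_fd(int fd) {
    close(fd);
    return fcntl(fd, F_GETFD) == -1;
}

/* Zero the soft core-file limit so a crash after the drop cannot write the
 * rest of the address space to disk. Returns 0 on success. */
int disable_core_dumps(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0) return -1;
    rl.rlim_cur = 0;
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Current soft core limit, to confirm the above took effect. */
long core_limit(void) {
    struct rlimit rl;
    return getrlimit(RLIMIT_CORE, &rl) == 0 ? (long)rl.rlim_cur : -1;
}

/* What must happen before setgid()/setuid(): secrets gone, privileged
 * descriptors closed, core dumps off. Returns 0 on success. */
int prepare_for_privdrop(unsigned char *secret, size_t n, int priv_fd) {
    scrub(secret, n);
    if (!close_privileged_fd(priv_fd)) return -1;
    return disable_core_dumps();
}
```

Restricting ptrace() attachment is platform-specific (procctl(2) PROC_TRACE_CTL on FreeBSD, prctl(2) PR_SET_DUMPABLE on Linux) and is left out of the block.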