From owner-freebsd-hackers Mon Nov 25 07:50:01 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id HAA28180 for hackers-outgoing; Mon, 25 Nov 1996 07:50:01 -0800 (PST)
Received: from skynet.ctr.columbia.edu (skynet.ctr.columbia.edu [128.59.64.70]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id HAA28111 for ; Mon, 25 Nov 1996 07:49:37 -0800 (PST)
Received: (from wpaul@localhost) by skynet.ctr.columbia.edu (8.6.12/8.6.9) id KAA05926; Mon, 25 Nov 1996 10:48:34 -0500
From: Bill Paul
Message-Id: <199611251548.KAA05926@skynet.ctr.columbia.edu>
Subject: Re: looking for an idea
To: sprice@hiwaay.net (Steve Price)
Date: Mon, 25 Nov 1996 10:48:32 -0500 (EST)
Cc: hackers@freebsd.org
In-Reply-To: from "Steve Price" at Nov 25, 96 08:57:13 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Of all the gin joints in all the towns in all the world, Steve Price
had to walk into mine and say:

> On Mon, 25 Nov 1996, Bill Paul wrote:
>
> # I said that I'd already thought of using /proc; I also said that in
> # order for that to work, I would need to know B's PID first (or am I
> # supposed to just pull $pid out of thin air). Learning the PID of B is
> # just as big a problem as learning the UID of B. Also, it doesn't work
> # if, for some reason, PROCFS isn't configured in the kernel or /proc
> # isn't mounted.
> #
>
> This won't help when PROCFS is not compiled in but... Can't the
> library code that B uses to establish the connection with A, do
> the getpid() and give that to A? Take the power of specifying the
> pid away from the coder and put it in the trusted hands of the
> library. Not a perfect solution, but may work as a fallback sol'n.
>
> Steve

What you're suggesting is basically security through obscurity.
This would only work if we were a commercial OS like Slowlaris where
source code is not available and the vendor intentionally fails to
document the underlying interface. Since we provide all source code,
there's nothing to stop the user from splitting the RPC library out of
the libc source tree (or making his own libc), modifying a few things,
and then linking a malicious program that doesn't play by the rules.

What I want is a way for keyserv to learn the UID of the caller that
can't be spoofed unless an attacker can:

- compromise keyserv itself
- compromise the kernel
- break root through some other means, in which case all bets are off
  anyway

Again, it seems like the SysV IPC system calls are the only ones that
do what I want, which is really too bad. You'd think BSD would have
something equivalent.

-Bill

-- 
=============================================================================
-Bill Paul            (212) 854-6020 | System Manager, Master of Unix-Fu
Work:         wpaul@ctr.columbia.edu | Center for Telecommunications Research
Home: wpaul@skynet.ctr.columbia.edu | Columbia University, New York City
=============================================================================
 "If you're ever in trouble, go to the CTR. Ask for Bill. He will help you."
=============================================================================
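As an added example (not code from this thread or from FreeBSD's keyserv), the contrast Bill draws, in C: a uid the client library *claims* in its request is only as trustworthy as the library, whereas the uid the kernel reports for the other end of a local socket (SO_PEERCRED on Linux, getpeereid() on the BSDs and macOS) cannot be changed by rebuilding libc. The `request` struct, the function names and the socketpair demonstration are assumptions made for the illustration.

```c
#define _GNU_SOURCE          /* struct ucred on Linux */
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Credentials the server trusts: filled in by the kernel, never by the peer. */
struct peer_id { uid_t uid; gid_t gid; };

/* Ask the kernel who is on the other end of a local socket (Linux: SO_PEERCRED;
 * FreeBSD/OpenBSD/macOS: getpeereid()). Returns 0 on success, -1 on error. */
static int kernel_peer_id(int fd, struct peer_id *out)
{
#if defined(__linux__)
    struct ucred uc;
    socklen_t len = sizeof uc;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &uc, &len) < 0)
        return -1;
    out->uid = uc.uid;
    out->gid = uc.gid;
    return 0;
#else
    return getpeereid(fd, &out->uid, &out->gid);
#endif
}

/* The spoofable design discussed in the thread (hypothetical message layout):
 * the client library puts a uid in the request. A rebuilt library can put anything. */
struct request { uid_t claimed_uid; };

/* Server side: honour the claim only where it agrees with the kernel's answer.
 * Returns 1 if accepted, 0 if rejected, -1 if the kernel could not be asked. */
static int check_request(int conn_fd, const struct request *req)
{
    struct peer_id peer;
    if (kernel_peer_id(conn_fd, &peer) < 0)
        return -1;
    return peer.uid == req->claimed_uid;
}

/* Demonstration over a socketpair (both ends in this process, so the kernel
 * reports our own uid). Returns 1 when the honest request is accepted and a
 * forged one (claimed uid = our uid + 1) is rejected; -1 if setup failed. */
int demo(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    struct request honest = { getuid() }, forged = { getuid() + 1 };
    int ok = check_request(sv[0], &honest) == 1 && check_request(sv[0], &forged) == 0;
    close(sv[0]); close(sv[1]);
    return ok;
}
```

In a real daemon the same check runs on each accepted connection of a Unix-domain listening socket rather than on a socketpair.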