Date: Mon, 27 Nov 2000 23:24:58 -0700
From: Warner Losh <imp@village.org>
To: Alfred Perlstein <bright@wintelcom.net>
Cc: Robert Watson <rwatson@FreeBSD.org>, Peter Wemm <peter@netplex.com.au>, "Brian F. Feldman" <green@FreeBSD.org>, obrien@FreeBSD.org, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/usr.sbin/inetd builtins.c
Message-ID: <200011280624.XAA07988@harmony.village.org>
In-Reply-To: Your message of "Mon, 27 Nov 2000 22:16:57 PST." <20001127221656.Z8051@fw.wintelcom.net>
References: <20001127221656.Z8051@fw.wintelcom.net> <Pine.NEB.3.96L.1001127004343.36087A-100000@fledge.watson.org> <200011280529.WAA07456@harmony.village.org>
In message <20001127221656.Z8051@fw.wintelcom.net> Alfred Perlstein writes:
: * Warner Losh <imp@village.org> [001127 21:29] wrote:
: > In message <Pine.NEB.3.96L.1001127004343.36087A-100000@fledge.watson.org> Robert Watson writes:
: > : Presumably the only really correct solution here is to:
: > :
: > : 1) Set effective process rights to that of the user in question using
: > : setusercontext()
: > : 2) Open the file using open()
: > : 3) fstat() the file to determine that it is regular and sane
: > : 4) Proceed with operations
: >
: > I'm not sure I understand the need for #3. If the effective process
: > rights are what you want, then the kernel will enforce protections at
: > #2. What is regular and sane?
:
: Remember you're still a system daemon, even if running as a user,
: being extra cautious never hurt anyone...

It depends a lot on what being extra cautious means in this context.
Checking to make sure that it is a regular file seems to be about the
only sanity checking that one should have to do if one has set the user
context correctly. If not, then you are asking for troubles out the ***
and any sanity checking is going to give you a warm fuzzy but no real
security :-(.

There's been a very long and quite informative discussion about this
sort of thing in the NetBSD security group. The context is slightly
different (being how does a library routine open a file that is
supplied by the user and not cause bad things to happen when running
setuid), but still relevant. My take is that you can't without new
system calls, so until they exist, disabling it is the best bet.

Warner
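The open-then-fstat sequence Robert Watson lists above (steps 2 and 3), written out in C as an added example that is not code from this thread or from inetd. It assumes step 1, the setusercontext() call that drops to the target user, has already run (that call is FreeBSD-specific and is left out so the file compiles anywhere), and it uses EINVAL as a portable stand-in for a "wrong file type" error.

```c
/* Added example, not code from the thread: open(), then fstat() the
 * descriptor and refuse anything that is not a regular file. Assumes
 * setusercontext() (FreeBSD-specific) has already dropped to the user. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns an open read-only fd, or -1 with errno set. fstat() on the fd,
 * not stat() on the path, so the check applies to the object we opened. */
int open_regular_file(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd == -1)
        return -1;              /* kernel enforced the user's rights here */
    struct stat st;
    if (fstat(fd, &st) == -1) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    if (!S_ISREG(st.st_mode)) { /* directory, device, FIFO, socket... */
        close(fd);
        errno = EINVAL;         /* portable stand-in for "wrong file type" */
        return -1;
    }
    return fd;
}

/* Yes/no wrapper for callers (and tests) that only need the verdict. */
int is_regular_file_path(const char *path)
{
    int fd = open_regular_file(path);
    if (fd == -1)
        return 0;
    close(fd);
    return 1;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/etc/passwd";
    int fd = open_regular_file(path);
    if (fd == -1) { perror(path); return 1; }
    printf("%s: regular file (fd %d)\n", path, fd);
    close(fd);
    return 0;
}
```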