Date:      Mon, 27 Nov 2000 23:24:58 -0700
From:      Warner Losh <imp@village.org>
To:        Alfred Perlstein <bright@wintelcom.net>
Cc:        Robert Watson <rwatson@FreeBSD.org>, Peter Wemm <peter@netplex.com.au>, "Brian F. Feldman" <green@FreeBSD.org>, obrien@FreeBSD.org, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/usr.sbin/inetd builtins.c 
Message-ID:  <200011280624.XAA07988@harmony.village.org>
In-Reply-To: Your message of "Mon, 27 Nov 2000 22:16:57 PST." <20001127221656.Z8051@fw.wintelcom.net> 
References:  <20001127221656.Z8051@fw.wintelcom.net>  <Pine.NEB.3.96L.1001127004343.36087A-100000@fledge.watson.org> <200011280529.WAA07456@harmony.village.org> 

In message <20001127221656.Z8051@fw.wintelcom.net> Alfred Perlstein writes:
: * Warner Losh <imp@village.org> [001127 21:29] wrote:
: > In message <Pine.NEB.3.96L.1001127004343.36087A-100000@fledge.watson.org> Robert Watson writes:
: > : Presumably the only really correct solution here is to:
: > : 
: > : 1) Set effective process rights to that of the user in question using
: > :    setusercontext()
: > : 2) Open the file using open()
: > : 3) fstat() the file to determine that it is regular and sane
: > : 4) Proceed with operations
: > 
: > I'm not sure I understand the need for #3.  If the effective process
: > rights are what you want, then the kernel will enforce protections at
: > #2.  What is regular and sane?
: 
: Remember you're still a system daemon, even if running as a user,
: being extra cautious never hurt anyone...

It depends a lot on what being extra cautious means in this context.
Checking to make sure that it is a regular file seems to be about the
only sanity checking that one should have to do if one has set the
user context correctly.  If not, then you are asking for troubles out
the *** and any sanity checking is going to give you a warm fuzzy but
no real security :-(.

There's been a very long and quite informative discussion about this
sort of thing in the NetBSD security group.  The context is slightly
different (being how does a library routine open a file that is
supplied by the user and not cause bad things to happen when running
setuid), but still relevant.  My take is that you can't without new
system calls, so until they exist, disabling it is the best bet.

Warner
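The four-step procedure quoted above (set user credentials, open(), fstat(), proceed), carried through in C as an added example. This is illustration code, not inetd's builtins.c and not from any of the posters; the helper names drop_to_user, open_regular_file and demo are assumptions, as is the use of plain setgid()/setuid() where the thread names the BSD setusercontext() call. The fstat() step is done on the descriptor the open() actually returned, which is the only check that cannot be raced by renaming the path in between.

```c
#define _POSIX_C_SOURCE 200809L
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
#include <errno.h>

/* Step 1 stand-in (hypothetical helper, not inetd's code): become the target
   user before opening anything.  inetd on BSD would call setusercontext();
   plain setgid()/setuid() is used here for portability.  Not exercised by
   demo() because it needs root.  Real code must also clear supplementary
   groups with setgroups(), which is omitted here. */
int drop_to_user(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0)             /* group first: after setuid() we may not change it */
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)   /* the drop must be irreversible */
        return -1;
    return 0;
}

/* Steps 2 and 3: open with the caller's (already reduced) credentials, then
   fstat() the descriptor we actually got and reject anything that is not a
   regular file.  Returns the fd, or -1 with errno set. */
int open_regular_file(const char *path)
{
    /* O_NOFOLLOW: a symlink at the final component is an error.
       O_NONBLOCK: open() of a FIFO must not hang waiting for a writer.
       O_NOCTTY:   a tty must not become our controlling terminal.
       O_CLOEXEC:  do not leak the fd to any child we later exec. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_NOCTTY | O_CLOEXEC);
    if (fd < 0)
        return -1;

    struct stat st;
    if (fstat(fd, &st) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    if (!S_ISREG(st.st_mode)) {       /* directory, device, FIFO, socket: refuse */
        close(fd);
        errno = EINVAL;
        return -1;
    }

    /* Regular file confirmed; restore blocking reads for ordinary use. */
    int fl = fcntl(fd, F_GETFL);
    if (fl >= 0)
        (void)fcntl(fd, F_SETFL, fl & ~O_NONBLOCK);
    return fd;
}

/* Self-check on constructed inputs: a fresh temp file must be accepted,
   a character device and a directory must be rejected.  Returns 1 if all
   three behave as expected, 0 otherwise. */
int demo(void)
{
    char path[] = "/tmp/openreg.XXXXXX";   /* constructed sample file */
    int tfd = mkstemp(path);
    if (tfd < 0)
        return 0;
    close(tfd);

    int ok = 1;
    int fd = open_regular_file(path);
    if (fd < 0)
        ok = 0;
    else
        close(fd);
    if (open_regular_file("/dev/null") != -1)   /* S_ISCHR */
        ok = 0;
    if (open_regular_file("/tmp") != -1)        /* S_ISDIR */
        ok = 0;

    unlink(path);
    return ok;
}
```

The flags on the open() are where Warner's "regular and sane" question gets a concrete answer: the kernel enforces permissions once the credentials are right, but it will happily hand a daemon a FIFO that blocks forever, a tty that becomes its controlling terminal, or a device node, and only the post-open fstat() plus those flags rule them out.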
