From owner-cvs-all Mon Nov 27 22:25: 9 2000
Delivered-To: cvs-all@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.66]) by hub.freebsd.org (Postfix) with ESMTP id C81ED37B402; Mon, 27 Nov 2000 22:25:00 -0800 (PST)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.11.0/8.11.0) with ESMTP id eAS6OxQ59413; Mon, 27 Nov 2000 23:24:59 -0700 (MST) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id XAA07988; Mon, 27 Nov 2000 23:24:58 -0700 (MST)
Message-Id: <200011280624.XAA07988@harmony.village.org>
To: Alfred Perlstein
Subject: Re: cvs commit: src/usr.sbin/inetd builtins.c
Cc: Robert Watson , Peter Wemm , "Brian F. Feldman" , obrien@FreeBSD.org, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
In-reply-to: Your message of "Mon, 27 Nov 2000 22:16:57 PST." <20001127221656.Z8051@fw.wintelcom.net>
References: <20001127221656.Z8051@fw.wintelcom.net> <200011280529.WAA07456@harmony.village.org>
Date: Mon, 27 Nov 2000 23:24:58 -0700
From: Warner Losh
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In message <20001127221656.Z8051@fw.wintelcom.net> Alfred Perlstein writes:
: * Warner Losh [001127 21:29] wrote:
: > In message Robert Watson writes:
: > : Presumably the only really correct solution here is to:
: > :
: > : 1) Set effective process rights to that of the user in question using
: > :    setusercontext()
: > : 2) Open the file using open()
: > : 3) fstat() the file to determine that it is regular and sane
: > : 4) Proceed with operations
: >
: > I'm not sure I understand the need for #3.  If the effective process
: > rights are what you want, then the kernel will enforce protections at
: > #2.  What is regular and sane?
:
: Remember you're still a system daemon, even if running as a user,
: being extra cautious never hurt anyone...
It depends a lot on what being extra cautious means in this context.
Checking to make sure that it is a regular file seems to be about the
only sanity checking that one should have to do if one has set the user
context correctly.  If not, then you are asking for troubles out the
*** and any sanity checking is going to give you a warm fuzzy but no
real security :-(.

There's been a very long and quite informative discussion about this
sort of thing in the NetBSD security group.  The context is slightly
different (being how does a library routine open a file that is
supplied by the user and not cause bad things to happen when running
setuid), but still relevant.  My take is that you can't without new
system calls, so until they exist, disabling it is the best bet.

Warner

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
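The four-step sequence quoted above (become the user, open(), fstat() the descriptor, then proceed), as an added illustration that is not part of this thread or of the inetd code under discussion. It uses the portable setgroups()/setgid()/setuid() calls as a stand-in for FreeBSD's setusercontext(), does the "regular file" check on the descriptor actually returned by open() rather than on the path beforehand, and opens with O_NOFOLLOW and O_NONBLOCK so a symlink is refused and a FIFO cannot hang the daemon before fstat() runs. The fixture paths under /tmp, the result codes and the helper names are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome codes (constructed for this example). */
enum open_result { OPEN_OK = 0, OPEN_FAILED = 1, OPEN_NOT_REGULAR = 2 };

/* Step 1: become the user. A portable stand-in for setusercontext(): set the
 * supplementary groups first, because after setuid() we no longer could, and
 * refuse to continue if any part of the drop fails. Must be called as root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) < 0) return -1;
    if (setgid(gid) < 0) return -1;
    if (setuid(uid) < 0) return -1;
    /* A drop that can be undone is no drop at all. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Steps 2 and 3: open the path as whoever we now are, then inspect the
 * descriptor we actually got. Permissions are the kernel's job once the
 * credentials are right; the only check left is "is this a regular file",
 * done with fstat() on the fd so nothing can be swapped between check and use.
 * O_NOFOLLOW rejects symlinks; O_NONBLOCK keeps open() on a FIFO or a slow
 * device from blocking the daemon before we even reach fstat(). */
int open_regular_file(const char *path, enum open_result *why)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) { *why = OPEN_FAILED; return -1; }
    if (fstat(fd, &st) < 0) {
        int e = errno; close(fd); errno = e;
        *why = OPEN_FAILED; return -1;
    }
    if (!S_ISREG(st.st_mode)) { close(fd); *why = OPEN_NOT_REGULAR; return -1; }
    /* Regular files never block on read, so clear O_NONBLOCK again. */
    int flags = fcntl(fd, F_GETFL);
    if (flags >= 0) (void)fcntl(fd, F_SETFL, flags & ~O_NONBLOCK);
    *why = OPEN_OK;
    return fd;
}

/* Report the outcome for a path and close any descriptor obtained. */
enum open_result classify_path(const char *path)
{
    enum open_result why;
    int fd = open_regular_file(path, &why);
    if (fd >= 0) close(fd);
    return why;
}

/* Builds three constructed fixtures under /tmp (a regular file, a symlink to
 * it, a FIFO) and packs their outcomes as regular*100 + symlink*10 + fifo.
 * Regular -> OPEN_OK (0), symlink -> OPEN_FAILED (ELOOP, 1), FIFO -> opens
 * without blocking but is not S_ISREG (2), so the expected code is 12.
 * Returns -1 if the fixtures could not be created. */
int run_fixture_checks(void)
{
    char reg[] = "/tmp/regfile-XXXXXX";
    char link[64], fifo[64];
    int fd = mkstemp(reg);
    if (fd < 0) return -1;
    close(fd);
    snprintf(link, sizeof link, "%s.lnk", reg);
    snprintf(fifo, sizeof fifo, "%s.fifo", reg);
    if (symlink(reg, link) < 0 || mkfifo(fifo, 0600) < 0) {
        unlink(link); unlink(fifo); unlink(reg);
        return -1;
    }
    int r = classify_path(reg) * 100 + classify_path(link) * 10 + classify_path(fifo);
    unlink(link); unlink(fifo); unlink(reg);
    return r;
}

int main(int argc, char **argv)
{
    /* drop_privileges() is only meaningful when started as root; the demo
     * below exercises the open/fstat part, which works for any user. */
    if (argc > 1) {
        enum open_result why;
        int fd = open_regular_file(argv[1], &why);
        printf("%s: %s\n", argv[1],
               why == OPEN_OK ? "regular file, opened" :
               why == OPEN_FAILED ? strerror(errno) : "refused: not a regular file");
        if (fd >= 0) close(fd);
    }
    printf("fixture code: %d (expect 12)\n", run_fixture_checks());
    return 0;
}
```

Note what the check does and does not buy: with the credentials correctly set, the kernel already decides what the user may open, and S_ISREG only rules out objects whose open() or read() has side effects (devices, FIFOs, directories). Doing the check with stat() on the path before open() would add nothing, since the object can change between the two calls; only the fstat() on the returned descriptor describes what will actually be read.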