Date:      Wed, 24 May 2000 16:08:33 -0700
From:      Nick Sayer <nsayer@sftw.com>
To:        "Jeroen C. van Gelderen" <jeroen@vangelderen.org>, freebsd-hackers@freebsd.org
Subject:   Needed: suid library calls (was Re: cvs commit: src/crypto/openssh  sshd_config)
Message-ID:  <392C60F1.91EDC30D@sftw.com>
References:  <sheldonh@uunet.co.za> <20000524090528.ECF641CE1@overcee.netplex.com.au> <20000524022840.C79861@freebsd.org> <200005241446.KAA60257@khavrinen.lcs.mit.edu> <20000524075921.A53829@freebsd.org> <200005241709.NAA60822@khavrinen.lcs.mit.edu> <20000524105558.A3407@freebsd.org> <200005241853.OAA61188@khavrinen.lcs.mit.edu> <392C3E40.E0D8974D@vangelderen.org>

"Jeroen C. van Gelderen" wrote:

> [...]
>
> Since user authentication is needed by more than one program it
> should live in its own process. Right now there is code
> duplication and it is impossible to change the authentication
> policy without messing with sshd.
>

What we _really_ need is some mechanism to recognize the difference
between a user program and a system library, with an eye towards
granting privileges to trusted libraries without letting those privileges
leak past the library in question.

I don't claim that this is an _easy_ thing to do, nor that it is a particularly
standard thing to do.

But the mechanism of having some sort of daemon or service whose
job it is to just do !strcmp(pw->pw_passwd,crypt(foo,pw->pw_passwd))
is, I think, kind of overkill.

Perhaps some sort of syscall to change the euid that only works in
privileged libraries would work.

User authentication is only one example. There are many things that
only root can do where letting non-root do the job is not dangerous,
but granting non-root permission in a general way is. Another good
example is daemons that must bind listening sockets <1024, but don't
need root otherwise. The entire binary must be suid up to the bind,
at which point the program may renounce the suid bit (setreuid(getuid(),getuid());).
Wouldn't it be more secure if a library could selectively grant low
ports to _selected_ non-suid programs (perhaps with a config file)?