Bugtraq mailing list archives

Re: libresolv+ bug


From: jmm () elegant com (John Macdonald)
Date: Thu, 22 Aug 1996 14:55:49 -0400


Nick Andrew wrote :
|| Forwarding a message from Thomas Ptacek:
|| > The primary problem, as I see it, is not that SUID programs are being
|| > written poorly, or that the sensitivity of SUID programs is not being
|| > adequately dealt with by the operating system, or the compilers that
|| > produce the executable code; it's that SUID programs, as present in most
|| > modern Unix operating systems, are being written at all.

It is not setuid programs that are at fault, it is
setuid-to-root programs.  The setuid facility is a reasonable
low-level means for building encapsulated security programs, but
instead of designing a program to have its own id too many
people just use root.  (uucp and lp are examples of program
suites that were designed to not need to run as root).

|| The problems are orthogonal. Poorly written programs can still be
|| exploited through buffer overflows, stack corruption and the like.
|| The only difference is - if the program has no additional privileges
|| then the program can do nothing which the intruder couldn't do anyway.
||
|| The exceptions are if the program is running as a different user (e.g.
|| root) or group, or is running on a machine (or in an environment) in
|| which the intruder does not have privilege to execute code.
||
|| However, as soon as _any_ additional privilege is granted, the
|| same old vulnerabilities come back to haunt us. Additional privilege
|| implies that an intruder could abuse that privilege. It hurts so much
|| because "additional privilege" usually means root access.

However, if every different area of privilege runs as a
different account, then these vulnerabilities only expose the
facilities available to the program that has the bug, rather than
exposing the entire system.

--
Daddy didn't obey that traffic signal... | John Macdonald
the green arrow pointing straight up.    |   jmm () Elegant COM
      Katrina Macdonald (4 years old)    |
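
Added example, not part of the original message: a small audit that groups setuid files by owning account, so the setuid-to-root ones the message singles out can be told apart from those owned by a dedicated account. The paths, uids and modes in SAMPLE are constructed for illustration.

```python
import os
import stat
from collections import defaultdict

# Constructed sample records (path, st_mode, st_uid); not from a real system.
SAMPLE = [
    ("/usr/bin/passwd", 0o104755, 0),        # setuid, owned by root
    ("/usr/bin/uux", 0o104755, 10),          # setuid, dedicated account (assumed uid)
    ("/usr/bin/lpr", 0o104755, 7),           # setuid, dedicated account (assumed uid)
    ("/usr/bin/ls", 0o100755, 0),            # not setuid, ignored
    ("/usr/local/bin/helper", 0o104777, 7),  # setuid and writable by group/other
]

def scan(root):
    """Yield (path, st_mode, st_uid) for every regular file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_mode, st.st_uid

def audit(entries):
    """Group setuid files by owning uid; list those writable by group/other."""
    by_owner, writable = defaultdict(list), []
    for path, mode, uid in entries:
        if not stat.S_ISREG(mode) or not mode & stat.S_ISUID:
            continue
        by_owner[uid].append(path)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            writable.append(path)
    return dict(by_owner), writable

def report(entries):
    """Return report lines: root-owned count first, then one line per file."""
    by_owner, writable = audit(entries)
    total = sum(len(paths) for paths in by_owner.values())
    lines = [f"{len(by_owner.get(0, []))} of {total} setuid files run as root"]
    for uid in sorted(by_owner):
        scope = "entire system" if uid == 0 else f"uid {uid} only"
        for path in sorted(by_owner[uid]):
            flag = " [writable by group/other]" if path in writable else ""
            lines.append(f"  {path}: a bug here exposes {scope}{flag}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))  # on a live host: report(scan("/usr/bin"))
```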


