Bugtraq mailing list archives

Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service)

From: nmm1 () CUS CAM AC UK (Nick Maclaren)
Date: Fri, 8 Jan 1999 19:19:16 +0100


Darren Reed <avalon () COOMBS ANU EDU AU> wrote:

On Tue, 5 Jan 1999, D. J. Bernstein wrote:

Venema further claims that ``a set-uid posting program cannot guarantee
user identification.'' That claim is false. The user id is provided by
the standard UNIX getuid() system call.


Just to be pedantic, Venema is correct.  "User identification" is a lot
more than just a getuid() system call as I'm sure you would be well aware.

If I find some other avenue to obtain a different uid to the one I normally
use, i.e. exploit some other setuid-root program, getuid() will (if I've
done my homework) thereafter fail to identity correctly which user is
sending the email.


This isn't pedantry - it is a real problem.

Consider things like job schedulers, printing systems and so on.  User
A calls one of those, which runs as user B.  It then calls mail - the
examples were chosen because both of them do precisely that.  Which
is the user identification that the mailer should use?

There are many possible 'solutions', but none are satisfactory.  For
example:

    1) Trust the agent to identify the user invoking it.  Well, that
isn't very nice - I don't have to say why, I assume?
    2) Identify the agent, and assume that it keeps records.  Not nice,
either, and it prevents proper resource control and accounting.
    3) Identify both and control and account by the pair.  A pity about
Unix file ownerships, especially as we add extra levels.

When all email is cryptographically signed (and signitures enforced)
with keys that are not trivial to guess and aren't easily forged, then
we will have a better chance of being assured of a "user's identity".


Over my dead body.  In the UK, the government insists on choosing the
"trusted third parties" to hold copies of the private keys :-(

Be that as it may, even perfectly secure signatures don't solve the
problem completely, either, because the intermediate agent can easily
use one user's signature and identification for another's request.

So we come back to the necessity to trust the agent, which isn't
what we want to do.  Or we can insist that any extra information in
the message is identified to the agent.  Not nice, either way.


Regards,
Nick Maclaren,
University of Cambridge Computing Service,
New Museums Site, Pembroke Street, Cambridge CB2 3QG, England.
Email:  nmm1 () cam ac uk
Tel.:  +44 1223 334761    Fax:  +44 1223 334679

Current thread:

Re: Anonymous Qmail Denial of Service D. J. Bernstein (Jan 05)
- setuid vs. setgid (was Re: Anonymous Qmail Denial of Service) Ian R. Justman (Jan 06)
  - Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service) Darren Reed (Jan 08)
    - Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service) Nick Maclaren (Jan 08)
    - Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service) Mark Crosbie (Jan 09)
    - Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service) Pete Kruckenberg (Jan 09)
    - Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service) Thamer Al-Herbish (Jan 09)
    - Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service) Len Budney (Jan 08)
    - Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service) Thamer Al-Herbish (Jan 08)
    - Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service) Kragen Sitaker (Jan 09)
- really silly ff.core exploit for Solaris John McDonald (Jan 07)
  - ff.core exploit on Solaris (2.)7 Daniel J. Frasnelli (Jan 08)
    - Re: ff.core exploit on Solaris (2.)7 Casper Dik (Jan 15)
  - L0pht tmp tool and (mini) Advisory Dr. Mudge (Jan 08)

(Thread continues...)