Bugtraq mailing list archives

Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service)


From: mcrosbie () CUP HP COM (Mark Crosbie)
Date: Sat, 9 Jan 1999 09:36:56 -0800


In message <E0zyhRE-00013T-00 () ursa cus cam ac uk>, Nick Maclaren writes:
> Consider things like job schedulers, printing systems and so on.  User
> A calls one of those, which runs as user B.  It then calls mail - the
> examples were chosen because both of them do precisely that.  Which
> is the user identification that the mailer should use?

In this case, a concept similar to "session IDs" would help: a session ID
records the original identity of the user that initiated this login session.
It is copied across all su calls, and inherited by fork and exec calls.

Thus, the process running as user B still has a session ID of user A. Hence,
when it calls the mailer, the session ID is still user A, which can be used for
access control checking. Granted a system call may now be needed to
get_session_id() or similar, but if you trust the kernel, you can trust the
session ID.

Session IDs are found in the HPUX kernel (they're called audit ID) and I think
most other kernels support some notion of a session ID inherited across
processes.

Note: a process cannot change its session ID. It is set by the kernel when the
login process execs the process group leader. It never changes from then on
in. It is usually stored in some "trusted database" so that you can go back
over time and map session IDs to actual real people.

Just a thought...
Mark

> Regards,
> Nick Maclaren,
> University of Cambridge Computing Service,
> New Museums Site, Pembroke Street, Cambridge CB2 3QG, England.
> Email:  nmm1 () cam ac uk
> Tel.:  +44 1223 334761    Fax:  +44 1223 334679

--
Mark Crosbie                    http://www.best.com/~mcrosbie
Hewlett-Packard MS 47 LA        mcrosbie () cup hp com
19447 Pruneridge Avenue         (408) 447-2308
Cupertino, CA 95014             (408) 447-6766 FAX
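
The kernel-kept originating identity described in this message has a Linux counterpart in the audit login UID, which pam_loginuid sets at login and which fork, exec and setuid transitions such as su leave unchanged. The C code below is an added example, not part of the original message and not an HP-UX API: it assumes a Linux kernel with audit support exposing /proc/self/loginuid, and parse_loginuid and get_login_uid are hypothetical helper names.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define LOGINUID_UNSET 4294967295UL /* (uid_t)-1: kernel recorded no login */

/* Parse the text of /proc/<pid>/loginuid. Returns 0 and stores the UID,
 * or -1 when the text is malformed or holds the "unset" value. */
int parse_loginuid(const char *text, uid_t *out)
{
    char *end;
    unsigned long v;

    if (text == NULL || *text < '0' || *text > '9')
        return -1;                 /* rejects "", "-1", "+5", leading blanks */
    errno = 0;
    v = strtoul(text, &end, 10);
    if (*end == '\n') end++;       /* tolerate one trailing newline */
    if (errno != 0 || *end != '\0' || v >= LOGINUID_UNSET)
        return -1;
    *out = (uid_t)v;
    return 0;
}

/* Read this process's login UID (assumed path: /proc/self/loginuid).
 * Returns -1 if the kernel lacks audit support, the file cannot be
 * read, or no login UID was ever set (e.g. a daemon started at boot). */
int get_login_uid(uid_t *out)
{
    char buf[32];
    FILE *f = fopen("/proc/self/loginuid", "r");
    if (f == NULL)
        return -1;
    if (fgets(buf, sizeof buf, f) == NULL)
        buf[0] = '\0';
    fclose(f);
    return parse_loginuid(buf, out);
}

int main(void)
{
    uid_t login;
    /* In the scheduler/print-spooler case, getuid() is user B. */
    printf("real uid %lu\n", (unsigned long)getuid());
    if (get_login_uid(&login) == 0)
        printf("login uid %lu\n", (unsigned long)login);
    else
        puts("no login uid recorded for this process");
    return 0;
}
```

Whether the login UID can be rewritten after it is first set depends on the audit configuration, so a program relying on it for access control should treat the unset case as a failure rather than substitute the real UID.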


