Bugtraq mailing list archives

Re: Wiping out setuid programs


From: shadows () WHITEFANG COM (Thamer Al-Herbish)
Date: Wed, 6 Jan 1999 23:53:01 -0800


On Wed, 6 Jan 1999, D. J. Bernstein wrote:

> In every case the file access could be moved to a non-setuid daemon that
> accepts UNIX-domain connections from unprivileged user programs. This
> would wipe out a huge number of local security holes.

I really think this is overrated. All a client-server model would do
is eliminate process attribute inheritance. It would prevent
environment variables from being inherited, file descriptors etc.

Sure, these do cause security holes, but let's not forget the
plethora of other holes caused by buffer overruns, race conditions
et al. which occur regardless of attribute inheritance.

>    http://pobox.com/~djb/docs/secureipc.html

Add SCM_CREDS on FreeBSD and BSD/OS to the list.

Here's your problem: you already have:

Linux: SO_PEERCRED
FreeBSD: SCM_CREDS
BSD/OS: SCM_CREDS (different from FreeBSD)
NetBSD: LOCAL_CREDS
Solaris: Doors

Too many, making life very unportable. Is there a mention of any
of these in any standard?

Another way, that Thomas Ptacek had mentioned a while back on
comp.security.unix, includes passing a file descriptor that is only
readable by its owner (SCM_RIGHTS). An fstat() will give you the
owner of the file, and thus you'd know the peer's effective user ID.

Here's another question: apart from Bernstein's paper, has anyone
written formal papers on this technique? I'm looking to reference
some papers for some writing.

--
Thamer Al-Herbish                     PGP public key:
shadows () whitefang com                 http://www.whitefang.com/pgpkey.txt
[ Maintainer of the Raw IP Networking FAQ http://www.whitefang.com/rin/ ]
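The descriptor-passing check described in the post, as an added example that is not from the post or from any of the systems it names: the client sends a descriptor for a file it owns over a UNIX-domain socket with SCM_RIGHTS, and the server fstat()s it and takes st_uid as the peer's uid, rejecting any file whose mode grants group or other access (otherwise the descriptor proves nothing about who opened it). The function names and the temporary-file path are my own; demo_fd_credential() drives both sides over a socketpair().

```c
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>

/* Control-message buffer sized for exactly one descriptor. */
union fdcmsg { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };

/* Client side: hand the server a descriptor for a file we own, via SCM_RIGHTS. */
static int send_fd(int sock, int fd) {
    char byte = 0; struct iovec iov = { &byte, 1 };   /* one byte of payload is required */
    union fdcmsg u; struct msghdr msg = { 0 };
    msg.msg_iov = &iov;        msg.msg_iovlen = 1;
    msg.msg_control = u.buf;   msg.msg_controllen = sizeof u.buf;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS; cm->cmsg_len = CMSG_LEN(sizeof fd);
    memcpy(CMSG_DATA(cm), &fd, sizeof fd);
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Server side: receive the descriptor and take the file's owner as the peer's uid.
 * Only an owner-only regular file is accepted; group/other bits make the owner meaningless. */
static int recv_peer_uid(int sock, uid_t *uid) {
    char byte; struct iovec iov = { &byte, 1 };
    union fdcmsg u; struct msghdr msg = { 0 };
    struct stat st; int fd, rc;
    msg.msg_iov = &iov;        msg.msg_iovlen = 1;
    msg.msg_control = u.buf;   msg.msg_controllen = sizeof u.buf;
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(cm), sizeof fd);
    rc = fstat(fd, &st); close(fd);                    /* we only need the metadata */
    if (rc < 0 || !S_ISREG(st.st_mode) || (st.st_mode & (S_IRWXG | S_IRWXO))) return -1;
    *uid = st.st_uid; return 0;
}

/* Demo over a socketpair(): returns the uid the server side derived, or (uid_t)-1. */
uid_t demo_fd_credential(void) {
    int sv[2], fd;
    uid_t uid = (uid_t)-1;
    char path[] = "/tmp/credfile.XXXXXX";   /* constructed; mkstemp() creates it mode 0600 */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return uid;
    if ((fd = mkstemp(path)) < 0) { close(sv[0]); close(sv[1]); return uid; }
    unlink(path);                            /* fstat() still works on the open descriptor */
    if (send_fd(sv[0], fd) == 0) recv_peer_uid(sv[1], &uid);
    close(fd); close(sv[0]); close(sv[1]);
    return uid;
}
```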
