Re: [PATCH] (for 2.3.99pre6) audit_ids system calls

From: Steve Dodd (steved@loth.demon.co.uk)
Date: Wed May 03 2000 - 14:54:29 EST


On Tue, May 02, 2000 at 03:02:06PM -0700, Linda Walsh wrote:

> It is fairly trivial to write a suid program that somehow gives one a
> shell as another password -- no
> login or 'su' or password required. In fact I may *want* something like
> sendmail to run as my userid when it runs my mail filter, but that doesn't
> mean it really is ME running the program -- it was run by a daemon.
> Same thing with an "suid" program. It could change my real and effective to
> something else. That doesn't mean I authenticated as that person.

So don't permit anything other than login to have CAP_SETRUID or some such.
sendmail should surely only ever need to set the *effective* uid to e.g. "law",
as long as it removes a CAP_SETEUID before running the filter.

In practice, it may be that the luid stuff may be the only way to avoid
rewriting lots of bits of userspace, and reprogr^Wre-educating lots of
sysadmins.
