Re: root daemon dropping privileges temporarily?
From: Jem Berkes (jb_at_users.pc9.org)
Date: 05/26/04
- Previous message: Fred Ma: "gdb 6.1 test failures, OK?"
- In reply to: Jem Berkes: "root daemon dropping privileges temporarily?"
Date: 26 May 2004 16:16:55 GMT
> Currently, the program is launched as root and does setuid() after it
> authenticates the connecting user. My concern is vulnerability while
> the software is running as root.
>
> Is it possible/portable to do setuid() to something like nobody and
> then later do a setuid() back up to root? Or should I be using
> seteuid() to set the effective user ID?
I ran into a different scheme; this one separates privileges and seems
common. Although it's still not perfect (since the processes are related), I
think it should be pretty good, unless anyone knows otherwise?
1) fork() and setgid, setuid nobody. Unprivileged child "faces the world"
2) parent retains root privileges, and code now ONLY does authentication
3) unprivileged child can now query the privileged parent only using IPC
Thus if the network-facing child becomes compromised, the attacker is stuck
at nobody's privileges, though they can still craft dangerous data to send
to the root authenticator process via IPC.
I think the only way the parent (root, authenticator) can be compromised is
if it is vulnerable to maliciously crafted IPC queries. But it is still much
better off than a root-privilege process doing socket I/O with the world.
-- Jem Berkes http://www.sysdesign.ca/
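A skeleton of the scheme described above (fork, child drops to nobody, root parent answers only IPC queries), added here as an illustration and not code from the original message. The fixed-size `auth_req` message, the `nobody` lookup and the constant demo credentials are assumptions; the point is that the privileged side validates every query before touching it.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#define NAME_MAX_LEN 32                      /* fixed-size IPC: parent never trusts a length from the child */
struct auth_req  { char user[NAME_MAX_LEN]; char pass[NAME_MAX_LEN]; };
struct auth_resp { int ok; };
/* Privileged side: validate the query strictly before doing anything with it.
 * Returns 1 if well formed (rs->ok holds the verdict), 0 if malformed.
 * The credential check is a constant stand-in for a real authenticator. */
int handle_auth_request(const struct auth_req *rq, struct auth_resp *rs)
{
    rs->ok = 0;
    if (strnlen(rq->user, NAME_MAX_LEN) == NAME_MAX_LEN ||   /* no NUL inside the buffer */
        strnlen(rq->pass, NAME_MAX_LEN) == NAME_MAX_LEN) return 0;
    rs->ok = strcmp(rq->user, "demo") == 0 && strcmp(rq->pass, "demo-pass") == 0;
    return 1;
}
/* Child side: give up root for good. Order matters: groups, gid, then uid. */
static int drop_to_nobody(void)
{
    struct passwd *pw = getpwnam("nobody");   /* assumed to exist on the system */
    if (!pw || setgroups(0, NULL) || setgid(pw->pw_gid) || setuid(pw->pw_uid)) return -1;
    return setuid(0) == 0 ? -1 : 0;          /* regaining root must fail, or the drop was incomplete */
}
int main(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 1;
    pid_t pid = fork();
    if (pid == 0) {                          /* unprivileged child: faces the world */
        close(sv[0]);
        if (drop_to_nobody() < 0) _exit(1);
        struct auth_req rq = { "demo", "demo-pass" }; struct auth_resp rs;  /* constructed; real one comes from the network */
        if (write(sv[1], &rq, sizeof rq) != sizeof rq || read(sv[1], &rs, sizeof rs) != sizeof rs) _exit(1);
        _exit(rs.ok ? 0 : 2);                /* child only learns accept/deny, never the secrets */
    }
    close(sv[1]);                            /* root parent: answers IPC queries, nothing else */
    struct auth_req rq; struct auth_resp rs;
    while (read(sv[0], &rq, sizeof rq) == sizeof rq) {
        if (!handle_auth_request(&rq, &rs)) rs.ok = 0;         /* malformed query: deny */
        if (write(sv[0], &rs, sizeof rs) != sizeof rs) break;
    }
    waitpid(pid, NULL, 0);
    return 0;
}
```

Run as root to see the child actually land at nobody; as an ordinary user `drop_to_nobody` fails and the child exits 1, which is the correct behaviour for a privilege drop that cannot be completed.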