Subject: Re: re-reading /etc/resolv.conf on change
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Greg A. Woods <woods@weird.com>
List: tech-userlevel
Date: 01/01/2004 20:00:43
[ On Thursday, January 1, 2004 at 16:55:45 (-0500), der Mouse wrote: ]
> Subject: Re: re-reading /etc/resolv.conf on change
>
> What perceived problem are you trying to fix here?

The never ending _real_ problems making the task of secure programming
even more difficult and unpredictable than it already is.

Set-ID programs probably shouldn't use libc for safety's sake, but most
do and as a result if "we" are to be responsible system builders then
the code we put into libc _MUST_ be designed, written, and tested with
all the care and attention to security that _should_ go into every
program that runs with privileges and especially those that gain their
privileges by way of the set-ID mechanism.

Adding support for a new environment variable to library code commonly
used by privileged and set-ID programs, especially a variable that would
specify a pathname to a file that would be opened and read, is a VERY
bad design decision and one that introduces far too much more
unpredictability to the task faced by programmers who might try to write
safe and secure and portable code.

> I still can't see why not.  Anyone who can restart a given daemon can
> also start a different implementation that contains a resolver with
> whatever semantics are desired.

IFF they have the privileges necessary to do so.

Even so as a systems programmer I find it very difficult to ever trust
the environment variables of even the privileged user.  Too many "su"
implementations allow too many environment settings to be inherited
without careful and complete validation; and very few administrators
really treat their personal accounts with the same care they treat the
root account with yet the risks to the system are very nearly the same
for both (especially given these lax "su" implementations).

We are essentially revisiting here the discussion about $HOSTALIASES and
$TZ.  We still haven't really solved the problem completely for those
variables and here we are contemplating addition of yet another similar
feature.

There are those who suggest the kernel should simply clear the
environment completely before starting any set-ID executable and I'm not
very far away from agreeing whole-heartedly with them.  Sadly this
wouldn't alleviate any of the confusion and complaints of end users such
as that/those which sparked off the $HOSTALIASES discussion.

-- 
						Greg A. Woods

+1 416 218-0098                  VE3TCP            RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com>          Secrets of the Weird <woods@weird.com>
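Added example, not code from the thread or from any libc: one way library code can decline an environment-supplied configuration path when the process gained privilege through set-ID. The variable name RESOLV_CONF_PATH and the function names are assumptions for illustration.

```c
/* Added illustration of the defensive rule discussed above: library code
 * that accepts a file path from the environment must ignore it when the
 * process is set-UID or set-GID.  RESOLV_CONF_PATH is a hypothetical name. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define DEFAULT_RESOLV_CONF "/etc/resolv.conf"
#define RESOLV_CONF_ENV     "RESOLV_CONF_PATH"   /* hypothetical */

/* True when real and effective IDs differ, i.e. the process currently
 * runs with privileges it inherited from a set-ID executable.
 * Caveat: a set-UID-root program that has already called setuid(0) makes
 * the IDs equal again; on BSD systems issetugid(2) answers the broader
 * question "was this process ever set-ID since exec" and is preferable. */
int running_setid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Pick the resolver configuration path.  The override is honoured only
 * when the process is not set-ID and the value is an absolute path that
 * contains no newline (which would corrupt diagnostics and logs). */
const char *resolver_config_path(int setid, const char *env_value)
{
    if (setid || env_value == NULL || env_value[0] != '/'
        || strchr(env_value, '\n') != NULL)
        return DEFAULT_RESOLV_CONF;
    return env_value;
}

/* Convenience wrapper that consults the process's real environment. */
const char *resolver_config_path_from_env(void)
{
    return resolver_config_path(running_setid(), getenv(RESOLV_CONF_ENV));
}

int main(void)
{
    printf("resolver config: %s\n", resolver_config_path_from_env());
    return 0;
}
```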