Subject: Re: execvee security
To: None <tech-kern@NetBSD.ORG>
From: Niklas Hallqvist <niklas@appli.se>
List: tech-kern
Date: 11/15/1995 12:51:07
Hmm, the saved-set-id business is slightly more complicated than I
thought.  There are a couple of cases, some trivial, and some harder.
The trivial cases include:

A) the wrapper and the wrappee are both not set-id.
   - No need to set saved-id in execvee
B) the wrapper is set-id and the wrappee is not.
   - No need to set saved-id in execvee 
C) the wrapper is set-id and the wrappee is set-id *of the same type*,
   i.e. the same credentials set.
   - No need to set saved-id in execvee 
D) the wrapper is not set-id but the wrappee is (this of course
   requires a NULL option vector).
   - Standard execve style of setting the saved-id in execvee

That is to say, in all cases where there are only *one or two*
credentials involved.  I certainly hope I haven't messed up these
*trivial* cases :-)  The hard cases involve:

E) the wrapper is set-id and not just a wrapper, but does set[ug]id
   calls as well. 
F) both the wrapper and wrappee are set-id with *different*
   credentials to be set.

We could close F by requiring the relevant ownership to be alike in
both the wrapper and wrappee if they're both set-id, and return
EACCESS otherwise.  We could also choose to save any of the two
credentials, however I prefer the former.

E could be handled by requiring that the effective ids as well as the
saved ids should match the wrapper's ownership.

These are non-trivial points I think, I really could do with some
guidance.

As long as I do not hear anything I will not do *any* set-id stuff in
execvee, much like MNT_NOSUID, thus requiring all wrappers to set-id
binaries to be installed with correct mode & ownership.  This would be
a very simple rule both to grasp and implement.  I think that the
simplicity won that way more than enough pays for the lost cases we
could handle safely with extra bloat.  I will also not do the
id-saving in execvee, that way satisfying the transparency we want.

Niklas

Niklas Hallqvist       Phone: +46-(0)31-40 75 00  Home: +46-(0)31-41 93 95
Applitron Datasystem   Fax:   +46-(0)31-83 39 50  Home: +46-(0)31-41 93 96
Molndalsvagen 95       Email: niklas@appli.se     GSM:  +46-(0)70-714 10 35
S-412 63  GOTEBORG
Sweden                 IRC:   niklas (#NetBSD)    ICB:  niklas (netbsd)
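The case analysis in the message above, as an added model and not NetBSD code or the author's patch: a C function that applies the proposed handling of cases A to F to a uid-only credential model (gid handling is analogous). The struct and `EXECVEE_*` names are assumptions, as is refusing a set-id wrappee behind a non-set-id wrapper, which the message only implies by tying case D to a NULL option vector.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>

/* Owner and set-id bit of an executable, as the kernel sees it at exec time. */
struct exe_cred { uid_t uid; bool setuid; };
/* Effective and saved uid of the calling process. */
struct proc_cred { uid_t euid; uid_t svuid; };

enum execvee_action {
    EXECVEE_NO_SAVE,   /* cases A, B, C: leave the saved id alone   */
    EXECVEE_SAVE_STD   /* case D: set the saved id like execve does */
};

/*
 * Decide how execvee should treat the saved uid.  `wrapper` is NULL when
 * the option vector is NULL (plain execve semantics).  Returns 0 and stores
 * the action, or EACCES where the message proposes refusing (cases E, F).
 */
int
execvee_cred_check(const struct proc_cred *p, const struct exe_cred *wrapper,
    const struct exe_cred *wrappee, enum execvee_action *action)
{
    if (wrapper == NULL) {
        /* No wrapper: case D if the wrappee is set-id, otherwise case A. */
        *action = wrappee->setuid ? EXECVEE_SAVE_STD : EXECVEE_NO_SAVE;
        return 0;
    }
    if (!wrapper->setuid) {
        /* Assumption: D is only reachable with a NULL option vector. */
        if (wrappee->setuid)
            return EACCES;
        *action = EXECVEE_NO_SAVE;  /* case A */
        return 0;
    }
    /* Case E: a set-id wrapper that did set[ug]id calls itself is refused;
     * both the effective and the saved uid must still be its owner. */
    if (p->euid != wrapper->uid || p->svuid != wrapper->uid)
        return EACCES;
    if (!wrappee->setuid) {
        *action = EXECVEE_NO_SAVE;  /* case B */
        return 0;
    }
    /* Both set-id: case C when owned alike, case F (refused) otherwise. */
    if (wrappee->uid != wrapper->uid)
        return EACCES;
    *action = EXECVEE_NO_SAVE;
    return 0;
}
```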