Subject: Re: open_as vs fuid
To: Warner Losh <imp@village.org>
From: Todd Vierling <tv@wasabisystems.com>
List: tech-kern
Date: 11/05/2000 22:21:47
On Sun, 5 Nov 2000, Warner Losh wrote:
: : See unix(4) and its description of passing fd's via a "cmsghdr".
:
: I'm not sure that I see how this would solve the original problem.
: Namely, how to safely open an arbitrary file with the original user's
: creditials while running at elevated priviledge.
"While running at elevated privilege" should be as short a window as
possible. Programs should, ideally, run at root level as little as
feasible, and give away root permanently after a certain point.
The problem should be approached from a different perspective: if you need
to get some things at elevated privilege, obtain those resources and then
give away the privilege.
If you need repeated access to a file as a particular user ID but want to
avoid opening root holes while the "main" process is running suid, you could
socketpair(), fork(), give up all privilege other than that user's ID, and
the subprocess can then open a specific, restricted subset of files as that
user and pass them to the parent. This is, however, just a blown up version
of the simpler:
: euid = geteuid();
: seteuid(getuid());
: <stuff>
: seteuid(euid);
But this is assuming you want to keep root privilege after opening the file.
`And why is that?'...
--
-- Todd Vierling <tv@wasabisystems.com> * http://www.wasabisystems.com/
-- Speed, stability, security, and support. Wasabi NetBSD: Run with it.