Subject: Re: open_as vs fuid
To: Todd Vierling <tv@wasabisystems.com>
From: Warner Losh <imp@village.org>
List: tech-kern
Date: 11/05/2000 20:38:59
In message <Pine.NEB.4.21.0011052217160.16520-100000@server.int.duh.org> Todd Vierling writes:
: "While running at elevated privilege" should be as short a window as
: possible. Programs should, ideally, run at root level as little as
: feasible, and give away root permanently after a certain point.
Agreed. However, there are a number of programs that don't do this.
And a number of APIs that didn't think of that in the original design
(the whole $HOSTALIAS issue, which FreeBSD just punts on and says that
setuid root programs don't get to use this functionality).
: The problem should be approached from a different perspective: if you need
: to get some things at elevated privilege, obtain those resources and then
: give away the privilege.
Agreed. But there's no guarantee that they have done this by the time
they do a name lookup. Maybe your scheme could eventually obviate the
need for that, but in the short term a better solution is needed.
: But this is assuming you want to keep root privilege after opening
: the file. `And why is that?'...
Because it is burried down in the library routines. You want to drop
privs, open the file, then raise privs back so that you don't cause
the rest of the program to fail. If privs have already been given
away, then these operations are nops. If they haven't been given
away, then you don't want to change them out from under the program's
feed just for doing a name lookup. That would be an undocumented side
effect.
Warner