Subject: Re: Addition to force open to open only regular files
To: Greg Hudson <ghudson@MIT.EDU>
From: Matthew Orgass <darkstar@pgh.net>
List: tech-kern
Date: 11/28/2000 05:51:59
On Tue, 28 Nov 2000, Matthew Orgass wrote:
> There would be a separate version that is privileged. It is not really
> safe to assume that library routines are safe to use with privilege unless
> they were designed that way. They could use environment variables or
> special files or they could call other library functions that do so.
> Requiring a separate function for privileged actions insures that the
> routine knows how to deal with it.
Actually, thinking about this a bit more, it wouldn't be any safer to
use untrusted library routines without privilege with the same or related
private data as trusted routines with privilege. You would really want
separate versions of everything that touches private data. Once you do
that, you can keep the tainted environment because the library knows that
it needs to deal with it.
This suggests a way to implement it: keep the current syscalls as the
protected interface that follows the effective id (which can therefore be
left privileged, removing any problem with binary compatibility or need to
modify start files) and add new real id syscalls. The new model would be
implemented in a separate library that contains the setuid safe code.
This would include an init function that must be called as the first thing
in main() and does something when used on top of the current model or for
one possible libc compatibility method. The library would use separate
syscall stubs, not libc, to ensure that they really are direct syscalls.
Even though it can be implemented on top of the current model (and
probably would be initially), defaulting to real id syscalls would mean
that if a non-setuid program is accedently set setuid, it does not change
behavior (though this isn't a big deal since it probably contains a bug
that can be exploited). It also encourages the notion that setuid
programs are special, saves four syscalls per privileged syscall (id swap
and signals), and makes signals during privileged syscalls work properly.
For libc compatibility the new library could override the standard stubs
to refer to the real id version or the init function could set a variable
that libc checks for each syscall to determine which version to call.
When the libc major is bumped, the standard model compatibility code would
be moved to a separate library that overrides the standard stubs when
linked.
Matthew Orgass
darkstar@pgh.net