Subject: Re: Addition to force open to open only regular files
To: None <tech-kern@netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: tech-kern
Date: 11/30/2000 14:22:14
[ On Wednesday, November 29, 2000 at 20:49:13 (+0900), Noriyuki Soda wrote: ]
> Subject: Re: Addition to force open to open only regular files
>
> We don't have to re-writing the syscall interfaces.
> Because saved-id feature already provides the way to resolve
> the $HOSTALIASES problem, if setre{u,g}id(2) is deprecated.
> And because proposals in this thread (including half-open,
> open-only-normal-files, fsetuid, open_as) doesn't provide anything
> other than the features which saved-id already provides.
Well if you ignore the fact that at least some number of
buffer-overflow, printf-format, and similar types of exploits which
introduce new unauthorised code to a set-ID process would be cut off
before they get anywhere near being able to do anything privileged, then
yes, I suppose this is true....
However if you want to provide an os-level, designed, fix for buffer
overflow and such exploits without breaking the ability of a set-ID
programmer to access files as the original real user, then something
like open_as() is absolutely necessary because sete*id() and setre*id()
MUST be disabled in order to successfully implement such a fix.
> (The one who proposed open_as should think that his way of disabling
> seteuid breaks some critical features like "su" command. That is
> completely unacceptable, so the proposal should be avoided.)
What/who the heck are you talking about?
Su only uses setuid(), not seteuid() or setreuid(). I've never
seriously proposed changing setuid(2).
--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>