Subject: Re: Addition to force open to open only regular files
To: None <tech-kern@netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: tech-kern
Date: 11/30/2000 15:49:29
[ On Monday, November 27, 2000 at 23:39:59 (-0700), Warner Losh wrote: ]
> Subject: Re: Addition to force open to open only regular files 
>
> Ah, but there are two problems here.  One is the buffer overflow
> problem, and the other is opening the wrong file problem.  You'll
> likely never completely solve the buffer overflow problem short of
> solving buffer overflows (which is an API change for many apis and a
> migration to the new save api, or interesting compiler tricks).

and as soon as you get even close to solving all buffer overflows with
API changes or whatever then some other trick, like printf() format
string abuses, comes along and bites you hard in the bum.

The only real solution is to permanently dump all privileges as soon as
possible, and this is doable today by avoiding the use of seteuid() [and
of course setreuid() too], and by calling setuid(getuid()) as soon as
logically possible.

This of course implies splitting many current monolithic set-ID programs
into smaller parts that would be set-ID and which would free the larger
main program from having to be fully setuid-root, but perhaps could now
get away with just being setgid-some-special-group.

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
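The privilege drop the message recommends, as an added example that is not part of the thread: `drop_privileges_permanently()` is a hypothetical helper that uses setuid(getuid()) and setgid(getgid()) rather than seteuid(), then confirms the drop cannot be undone. It assumes a POSIX system with the usual set-ID semantics.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Permanently drop set-ID privileges: overwrite the real, effective and
 * saved ids with the real ones via setuid()/setgid(), never seteuid().
 * Returns 0 on success, -1 if the drop failed or turned out reversible.
 * Hypothetical helper written for this example, not from the thread. */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();

    /* Groups first: once the uid privilege is gone, setgid() would fail. */
    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)
        return -1;

    /* The effective ids must now equal the real ids. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;

    /* If we held a different effective id, regaining it must now fail.
     * After a mere seteuid(ruid) the saved set-user-ID still holds the
     * old value and seteuid(euid) succeeds; after setuid(ruid) by a
     * root process it is overwritten and seteuid(euid) gets EPERM.
     * For a non-root set-ID binary setuid() changes only the effective
     * id on many systems, and this check flags that as non-permanent. */
    if (euid != ruid && seteuid(euid) == 0)
        return -1;
    if (egid != rgid && setegid(egid) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Call this as early as the program logically allows. */
    if (drop_privileges_permanently() != 0) {
        perror("drop_privileges_permanently");
        return 1;
    }
    printf("running as uid %d, euid %d\n", (int)getuid(), (int)geteuid());
    return 0;
}
```

When run without any set-ID bit the real and effective ids already match, so the reversibility checks are skipped and the call simply succeeds.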