Re: For example ...

smb@research.att.com
Fri, 02 Dec 94 21:05:23 EST

	 Hear hear.  Probably a losing battle, but it gets my vote.
	 The *best* way would be for the program to use setruid() to
	 switch euid and ruid at the very beginning of the file and
	 only switch back when it NEEDS the privileges instead of doing
	 everything with privileges and dropping them when the
	 designers thought they didn't need them.

Better, but not ``best''.  Doing too much bookkeeping is a sure-fire
recipe for trouble, and if a program even potentially has privileges
accessible via setreuid it can still fall victim to a buffer overflow
attack a la the Internet Worm.  Or maybe it can be tricked about what
files to open with privileges.

I much prefer a design where privileges are exercised in one spot,
and then irrevocably abandoned.  It's even better if it can do the
privileged stuff before any sort of interactions or complex decisions,
though of course that isn't always possible.  Still, a two-process
design can buy a lot of safety.
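The design argued for in the reply, privileged work done once up front and privilege then abandoned with no way back, as an added C example that is not from the original message. It assumes Linux/glibc (setresuid/getresuid), uses uid/gid 65534 as a hypothetical drop target when run as root, and stands in for the one privileged operation with an open() of /dev/null.

```c
#define _GNU_SOURCE          /* setresuid/getresuid: Linux/glibc assumed */
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 only if real, effective AND saved ids are the unprivileged target
 * and an attempt to get euid 0 back is refused by the kernel. */
int privileges_are_gone(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    if (ru != uid || eu != uid || su != uid)
        return 0;
    if (rg != gid || eg != gid || sg != gid)
        return 0;
    /* A saved uid of 0 is what a setreuid() toggle would swap back to;
     * if it is really gone, asking for euid 0 must fail. */
    if (uid != 0 && setresuid((uid_t)-1, 0, (uid_t)-1) == 0)
        return 0;
    return 1;
}
/* Irrevocably abandon privilege. Groups and gid first: they can only be
 * changed while the process is still root. */
int drop_privileges_forever(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0)
        return -1;
    return privileges_are_gone(uid, gid) ? 0 : -1;
}
/* Drop target: 65534 ("nobody", an assumption) when root, else ourselves. */
uid_t unprivileged_uid(void) { return geteuid() == 0 ? (uid_t)65534 : getuid(); }
gid_t unprivileged_gid(void) { return geteuid() == 0 ? (gid_t)65534 : getgid(); }
int main(void)
{
    /* Step 1: the one privileged operation, done up front (stand-in: open). */
    int fd = open("/dev/null", O_RDONLY);
    /* Step 2: abandon privilege before any input is parsed or decision made. */
    if (drop_privileges_forever(unprivileged_uid(), unprivileged_gid()) != 0)
        return 1;
    printf("fd %d opened; now uid %d with no way back\n", fd, (int)geteuid());
    close(fd);
    return 0;
}
```

Run as an ordinary user it simply proves the saved uid offers no way back; run as root it drops to the target and then proves the same thing.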