Subject: Re: BSD Authentication
To: Peter Seebach <seebs@plethora.net>
From: Steven M. Bellovin <smb@research.att.com>
List: current-users
Date: 09/08/2003 13:47:44
In message <200309081734.h88HY8Ae011260@guild.plethora.net>, Peter Seebach writ
es:
>>Because every BSD auth module runs with root privilege, each new
>>module introduces risks that a compromised module modifies other
>>process's state by ptrace(2).
>
>BSD auth modules run with whatever privileges you choose to give them. If you
>wanted to make one which ran under a non-root user ID, and make it use files
>readable and writable only by that user ID, that would work too. Some can
>run under whatever uid is trying to log in.
>
While in theory you're right, in practice it may not matter. If an
auth module has an exploitable bug, I can probably use it to trick that
auth module into saying "yes" whenever it's invoked. In many
situations, that will let me have the privileges of any user on the
systenm, which is exactly what 'root' is. (Remember when Unix systems
shipped with a user "bin" who owned most of the files in /bin? It's
gone now, for good and sufficient reason.)
--Steve Bellovin, http://www.research.att.com/~smb