Subject: Re: Getting rid of /dev/veriexec
To: Steven M. Bellovin <firstname.lastname@example.org>
From: Elad Efrat <elad@NetBSD.org>
Date: 12/02/2005 16:48:25
Steven M. Bellovin wrote:
> ntpd. ftpd has to run as root part of the time, to bind to port 20.
> apache keeps a portion of itself as root; suexec, if you use it (and
> you probably should), always runs as root.
I'm not familiar with the code of these programs. Are you sure these
are all programs that fork a root-owned process, chroot, and continue
I'd expect ftpd to set-user-id. I think ntpd has a dedicated user and
by default uses it (I remember that from a recent code fix). Apache
forks www-owned processes; I'm not sure if it chroots the master
process. As for suexec I have no idea.
One thing common to the programs mentioned (except for suexec, that
I don't know) is that they all have remotely exploitable root holes.
From a security point of view, they are by no means any model for
doing things right...
> Elad, you've given your reasons why using sysctl isn't a problem. What
> you haven't said clearly enough for me is why it's an advantage.
To the end-user there's not much of a difference. It's simply putting
the interface to the Veriexec tables in a more logical place, to me.
The reason Veriexec uses a device file is none of the reasons brought
up, and is actually an historic mistake; it will be unfortunate, to me,
to see it stay.