On Tue, Mar 18, 2008 at 10:47:29AM -0400, der Mouse wrote:
> > Our case discusses giving specific permissions to users, not
> > programs.
>
> We've discussed that, but we've discussed it as a solution for a
> particular problem, that being certain aspects of rebooting the system.
> I'm not convinced granting privileges to users is a good way to address
> that problem.
>
> >>> So you make sure only owner/group can execute the program. Now you
> >>> need to choose what user/group to setuid/setgid it to. What do you
> >>> choose? root? :)
> >> Traditionally, yes, because that was the only privilege available.
> >> If you have finer-grained privileges, then set-ID bits are no longer
> >> enough, precisely because they work at too crude a level.
> > But you're not solving the real problem, which is the ability of a
> > user to create a program that ignores SIGTERM, waits for a reboot to
> > undergo, and SIGKILL the reboot process, leveraging the privilege to
> > reboot the system to that of killing arbitrary processes.
>
> (a) I'm not sure this is a real problem. Rebooting the system *does*
> involve killing all processes, so I'm not sure "leveraging" is a fair
> term to use here.

I think the concern is being clever about the killing and killing only a
handful of the processes, i.e. enough to have an impact but not
necessarily so many as to have the visibility that a real reboot has.

> (b) This is a problem only if privileged processes (ie, those running
> programs marked with whatever set-ID bits turn into under this new
> paradigm) are still subject to things like arbitrary signals from the
> users who start them. I'm inclined to say this is a bad idea, for
> exactly this reason - basically, the same reason you traditionally
> can't kill(2) a set-ID process you started. Figuring out what this
> restriction should turn into strikes me as hard.

Yeah, that is one good consequence of set-ID. The program is now likely
shielded from the user that started it.

Take care,
Bill
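As an added illustration of the kill(2) permission point raised in (b) above (this code is not from the thread or its authors), the following C model compares the historical Seventh Edition rule, under which the sender's effective UID had to match the target's, with the POSIX/Linux rule, under which the sender's real or effective UID must match the target's real or saved set-user-ID. The UIDs are constructed and no real signals are sent; the point is that a set-uid-root child keeps the invoking user's real UID, so the two rules answer differently for the "can the user kill the set-ID program it started" case.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Minimal credential model: the three user IDs that matter for kill(2). */
struct cred {
    uid_t ruid;   /* real user ID */
    uid_t euid;   /* effective user ID */
    uid_t suid;   /* saved set-user-ID */
};

/* Historical (Seventh Edition style) rule: effective UIDs must match,
 * or the sender must be the super-user. */
bool kill_allowed_v7(const struct cred *sender, const struct cred *target)
{
    return sender->euid == 0 || sender->euid == target->euid;
}

/* POSIX/Linux rule: unless privileged, the sender's real or effective UID
 * must equal the target's real or saved set-user-ID. */
bool kill_allowed_posix(const struct cred *sender, const struct cred *target)
{
    if (sender->euid == 0)
        return true;
    return sender->ruid == target->ruid || sender->ruid == target->suid ||
           sender->euid == target->ruid || sender->euid == target->suid;
}

/* Constructed scenario: uid 1000 execs a set-uid-root program. The child
 * keeps ruid 1000 but has euid 0 and suid 0. uid 2000 is a bystander. */
struct cred user_shell(void)        { struct cred c = {1000, 1000, 1000}; return c; }
struct cred setuid_root_child(void) { struct cred c = {1000, 0, 0};       return c; }
struct cred other_user(void)        { struct cred c = {2000, 2000, 2000}; return c; }

bool user_can_kill_setuid_child_v7(void)
{ struct cred u = user_shell(), t = setuid_root_child(); return kill_allowed_v7(&u, &t); }

bool user_can_kill_setuid_child_posix(void)
{ struct cred u = user_shell(), t = setuid_root_child(); return kill_allowed_posix(&u, &t); }

bool other_user_can_kill_setuid_child_posix(void)
{ struct cred o = other_user(), t = setuid_root_child(); return kill_allowed_posix(&o, &t); }

int main(void)
{
    printf("V7 rule, invoking user -> set-uid child: %d\n", user_can_kill_setuid_child_v7());
    printf("POSIX rule, invoking user -> set-uid child: %d\n", user_can_kill_setuid_child_posix());
    printf("POSIX rule, other user -> set-uid child: %d\n", other_user_can_kill_setuid_child_posix());
    return 0;
}
```

Under the V7 rule the invoking user is shut out (effective UIDs 1000 vs 0 differ), while under the POSIX rule the matching real UID still permits the signal, which is the gap the thread is worried about.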