tech-kern archive


Re: /sbin/reboot and secmodel



On Tue, Mar 18, 2008 at 10:47:29AM -0400, der Mouse wrote:
> > Our case discusses giving specific permissions to users, not
> > programs.
> 
> We've discussed that, but we've discussed it as a solution for a
> particular problem, that being certain aspects of rebooting the system.
> I'm not convinced granting privileges to users is a good way to address
> that problem.
> 
> >>> So you make sure only owner/group can execute the program.  Now you
> >>> need to choose what user/group to setuid/setgid it to.  What do you
> >>> choose?  root? :)
> >> Traditionally, yes, because that was the only privilege available.
> >> If you have finer-grained privileges, then set-ID bits are no longer
> >> enough, precisely because they work at too crude a level.
> > But you're not solving the real problem, which is the ability of a
> > user to create a program that ignores SIGTERM, waits for a reboot to
> > undergo, and SIGKILL the reboot process, leveraging the privilege to
> > reboot the system to that of killing arbitrary processes.
> 
> (a) I'm not sure this is a real problem.  Rebooting the system *does*
> involve killing all processes, so I'm not sure "leveraging" is a fair
> term to use here.

I think the concern is being clever about the killing and killing only a 
handful of the processes. i.e. enough to have an impact but not 
necessarily so many as to have the visibility that a real reboot has.

> (b) This is a problem only if privileged processes (ie, those running
> programs marked with whatever set-ID bits turn into under this new
> paradigm) are still subject to things like arbitrary signals from the
> users who start them.  I'm inclined to say this is a bad idea, for
> exactly this reason - basically, the same reason you traditionally
> can't kill(2) a set-ID process you started.  Figuring out what this
> restriction should turn into strikes me as hard.

Yeah, that is one good consequence of set-ID. The program is now likely 
shielded from the user that started it.

Take care,

Bill
