tech-kern archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: suenv

On Tue, 23 Oct 2012, Emmanuel Dreyfus wrote:

In that situation, and perhaps in others, it would be nice if the
administrator could configure a trusted environement for setUID
binaries. We would need a way to feed a colon-separated list of
environement variables (example:
LD_PRELOAD=/usr/lib/ I see two way of dealing
with it:
1) lookup in /etc/suenv.d/$progname (probably libc based)
2) use sysctl security.suenv.$progname (kernel based)

I like the second one, which is simple to implement and cannot be messed
up with incorrect file permissions. I would fix my problem like this:
sysctl -w
sysctl -w security.suenv.login=LD_PRELOAD=/usr/lib/


This would require that the entire set of programs be known in advance, in order to create the sysctl(9) nodes. As far as I can tell, usermode code has no mechanism to create new nodes for other suid binaries that you might want to add.

| Paul Goyette     | PGP Key fingerprint:     | E-mail addresses:       |
| Customer Service | FA29 0E3B 35AF E8AE 6651 | paul at    |
| Network Engineer | 0786 F758 55DE 53BA 7731 | pgoyette at |
| Kernel Developer |                          | pgoyette at  |

Home | Main Index | Thread Index | Old Index