[ On Tuesday, September 28, 2004 at 01:22:17 (-0500), Jason T. Miller wrote: ]
> Subject: Re: cdrecord local root exploit
>
> The notion that a program must be root if an ordinary user doesn't have
> the necessary permissions by default is a dangerous one.

Very well said.

I really liked your way of presenting the idea of a setuid proxy too.
Not very many texts on secure programming techniques are so lucid.

Even those of us who've been trying to practice secure programming
techniques (esp. on unix-like systems, i.e. those using setuid), have
had tremendous difficulty implementing the principle of least privilege.

I can usually get as far as designing my code in the manner of your
outline for something like cdrecord where a program needs certain
privileges to open a device file and where only certain users should be
allowed to run that program.

However with the limitations of file and process ACL technology present
in most unix-like systems following this principle gets a lot more
difficult if, for example, you want to have a second limited group of
users be able to write to a configuration file for the program, but not
make it possible for the program itself to write to any of its
configuration files (e.g. if it were to suffer a buffer overflow and
give its privileges to an attacker). As far as I've ever been able to
figure out it's almost impossible to do this on unix-like systems if you
also need to protect the content of the configuration file from prying
eyes (i.e. not be "other"-readable). It might be possible to do
relatively safely with a pair of communicating front-end/back-end setuid
proxy programs, providied they can have hard-coded group-ID numbers (and
provided the host system implements multi-group membership for
processes). Such complexity though is an enemy of security.

--
Greg A. Woods
Planix, Inc.

<woods (at) planix (dot) com [email concealed]> +1 416 489-5852 x122 http://www.planix.com/

[ reply ]