
List:       debian-devel
Subject:    Re: setuid/setgid binaries contained in the Debian repository.
From:       Emile van Bergen <emile-deb () evbergen ! xs4all ! nl>
Date:       2003-08-11 16:19:19

Hi,

On Mon, Aug 11, 2003 at 10:34:37AM -0400, Matt Zimmerman wrote:

> On Mon, Aug 11, 2003 at 04:03:38PM +0200, Emile van Bergen wrote:
> 
> > On Mon, Aug 11, 2003 at 09:41:49AM -0400, Matt Zimmerman wrote:
> > > It sounds like what would be better would be a sandboxable virtual machine
> > > with its own instruction set, preferably one which could be linked into your
> > > program.  guile can't be easily restricted as far as I know.  java can, but
> > > I don't know of any implementations which can be easily used in this way.
> > 
> > IMHO, you're only thinking that far because for some reason you don't
> > trust the separation between uids offered by standard unix, or that it's
> > impossible to make the transition from one uid to another securely.
> > 
> > Remember, if that cannot be trusted, we're all toast anyway. A *lot* of
> > unix security depends on this.
> 
> No, I am thinking that far because I understand setuid semantics and Unix
> security, and their weaknesses.

I doubt that. There are weaknesses, but they are not fundamental; they
have to do with sloppy code.

The problem is that the wrapper that functions as the call gate is often
not confined to a well controlled image, or makes calls to exploitable
libraries before dropping privileges.

If it were /fundamentally/ impossible to write secure setuid code, IOW
if /no/ setuid program could shield itself from the influence of the
invoking user, then unix would miss a very fundamental component to do
/any/ userspace authentication.

Secure print queues, mail spools, and yes, highscore files all become
fundamentally impossible. 

A lot of computer security relies on controlled entry points that
elevate privileges. Look at most CPU architectures. Setuid is just
Unix' implementation of the concept. If you say that's fundamentally
insecure, then you're wrong.  It's fundamentally dangerous, but it's
required to build security.

Cheers,


Emile.

-- 
E-Advies - Emile van Bergen           emile@e-advies.nl      
tel. +31 (0)70 3906153           http://www.e-advies.nl    

[Attachment #3 (application/pgp-signature)]
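The "call gate" structure argued for above (do the one privileged thing, drop to the invoking user, only then touch anything the user controls) as an added example; this is not code from the thread or from any Debian package. The highscore path is an assumed placeholder, and the check that the drop is irreversible is the author-of-this-example's own, not something the message describes.

```c
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* glibc declares setgroups() in <grp.h>; this prototype keeps the file
 * building under strict -std=c99 as well (same signature as glibc). */
int setgroups(size_t n, const gid_t *groups);

/* Permanently drop the elevated ids granted by the setuid/setgid bit and
 * become the invoking (real) user.  Order matters: supplementary groups
 * and the gid must go while we still have the privilege to change them,
 * the uid goes last.  Returns 0 on success, -1 (errno set) on failure. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Only a privileged process may call setgroups(); for an unprivileged
     * one EPERM is expected and there is nothing to clear. */
    if (setgroups(0, NULL) != 0 && errno != EPERM)
        return -1;
    /* setregid()/setreuid() with both arguments given also overwrite the
     * saved set-id on Linux, so the old effective id cannot be regained. */
    if (setregid(rgid, rgid) != 0)
        return -1;
    if (setreuid(ruid, ruid) != 0)
        return -1;
    return 0;
}

/* Paranoia check after the drop: effective ids must equal the real ids,
 * and an attempt to switch back to the old effective ids must fail.
 * Returns 1 when the drop is irreversible, 0 otherwise. */
int privileges_dropped(uid_t old_euid, gid_t old_egid)
{
    if (getuid() != geteuid() || getgid() != getegid())
        return 0;
    if (old_euid != getuid() && seteuid(old_euid) == 0)
        return 0;   /* regained the setuid id: the drop was not permanent */
    if (old_egid != getgid() && setegid(old_egid) == 0)
        return 0;
    return 1;
}

#define HIGHSCORE_PATH "/var/games/example.hs"   /* assumed path */

/* The gate itself: open the group-writable highscore file while we still
 * carry the setgid group, drop, and parse untrusted argv only afterwards. */
int main(int argc, char **argv)
{
    uid_t old_euid = geteuid();
    gid_t old_egid = getegid();
    char line[64];

    int fd = open(HIGHSCORE_PATH, O_WRONLY | O_APPEND);
    int open_errno = errno;

    if (drop_privileges() != 0 || !privileges_dropped(old_euid, old_egid)) {
        fprintf(stderr, "could not drop privileges, refusing to continue\n");
        return 1;
    }

    /* From here on we run as the caller; user-controlled input is handled
     * only now, so a bug in the parsing cannot be used to gain the group. */
    long score = argc > 1 ? strtol(argv[1], NULL, 10) : 0;
    int n = snprintf(line, sizeof line, "%u %ld\n", (unsigned)getuid(), score);
    if (fd >= 0) {
        if (n > 0 && write(fd, line, (size_t)n) != n)
            perror("write");
        close(fd);
    } else {
        printf("no highscore file (%s), score %ld not recorded\n",
               strerror(open_errno), score);
    }
    return 0;
}
```

Run as an ordinary user the program simply reports that the (assumed) highscore file is missing; installed setgid to a games group it would append to the file and then run the rest as the caller. The check in privileges_dropped() is what turns "I called setuid()" into "I verified I cannot get back", which is the difference the message draws between a sloppy wrapper and a trustworthy call gate.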

