List: selinux
Subject: Re: Adding audit message to newrole
From: Chris Wright <chrisw () sous-sol ! org>
Date: 2005-12-22 4:19:12
Message-ID: 20051222041912.GX20219 () sorel ! sous-sol ! org
* Stephen Smalley (sds@tycho.nsa.gov) wrote:
> Yes, but I'm still not sure about the implications. Not all kernel
> operations compare capability sets, e.g. signals only compare the uids
> of the relevant tasks. So if you switch to the caller's uid while still
> possessing all capabilities, you may be opening yourself to manipulation
> by the caller. ptrace does compare the permitted sets for a subset
> relationship. Might still be safer to shed everything you can first,
> and then drop CAP_SETUID last after the setuid.
It's definitely safer. Regarding signals, given it's setuid, you can
still send it signals before it has dropped uid.
> > Any reason we can't move this up earlier in main()?
> >
> > I suppose we could move it above the selinux enabled call.
> >
> > >Ideally, it should be the first thing in main() to ensure that everything
> > >else runs under the caller's uid as before.
> >
> > But after the bindtext call for localization?
>
> I would assume before, as you otherwise risk still having uid 0 and
> capabilities at that point if there is some locale-related exploit.
> Purging the environment on entry to main() wouldn't hurt either.
> http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/
Agreed.
thanks,
-chris
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
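The privilege-drop order discussed above, shown as an added C example that is not newrole's own code and not code from either poster: shed every capability except the ones needed for the id change, switch to the caller's uid and gid, drop CAP_SETUID/CAP_SETGID last, and purge the environment at entry to main(). The raw capget/capset wrappers are an assumption made here to avoid a libcap link dependency; the function names (drop_privileges, purge_environment, caps_are_empty) are hypothetical. Every step checks its return value, since a setuid() that fails silently is exactly how a program of this kind keeps running as root.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

int clearenv(void);   /* glibc provides this; prototype repeated for strict -std modes */

/* Raw capget/capset wrappers (assumed here so no libcap link is needed). */
static int raw_capget(struct __user_cap_header_struct *hdr,
                      struct __user_cap_data_struct *data)
{
    return (int)syscall(SYS_capget, hdr, data);
}

static int raw_capset(struct __user_cap_header_struct *hdr,
                      const struct __user_cap_data_struct *data)
{
    return (int)syscall(SYS_capset, hdr, data);
}

/* Shrink the capability sets so that only the bits in keep_low (first 32
 * capabilities) survive.  This can only remove capabilities, never add them:
 * a bit absent from the current permitted set stays absent. */
static int limit_caps_to(unsigned int keep_low)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];

    memset(data, 0, sizeof data);
    if (raw_capget(&hdr, data) != 0)
        return -1;
    data[0].permitted  &= keep_low;
    data[0].effective   = data[0].permitted;
    data[0].inheritable = 0;
    data[1].permitted = data[1].effective = data[1].inheritable = 0;
    return raw_capset(&hdr, data);
}

/* Returns 1 if the calling thread holds no capabilities at all. */
int caps_are_empty(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];

    memset(data, 0, sizeof data);
    if (raw_capget(&hdr, data) != 0)
        return 0;
    return (data[0].permitted | data[0].effective | data[0].inheritable |
            data[1].permitted | data[1].effective | data[1].inheritable) == 0;
}

/* Drop to the invoking user in the order the thread recommends: everything
 * except the id-changing capabilities goes first, then the gid/uid switch,
 * then CAP_SETUID/CAP_SETGID last.  Returns 0 only if every step succeeded
 * and the resulting ids are verifiably the caller's. */
int drop_privileges(uid_t caller_uid, gid_t caller_gid)
{
    if (limit_caps_to((1u << CAP_SETUID) | (1u << CAP_SETGID)) != 0)
        return -1;
    if (setgid(caller_gid) != 0)   /* gid first, while CAP_SETGID is still held */
        return -1;
    if (setuid(caller_uid) != 0)   /* sets real, effective and saved uid */
        return -1;
    if (limit_caps_to(0) != 0)     /* the last capability goes after setuid() */
        return -1;
    if (getuid() != caller_uid || geteuid() != caller_uid ||
        getgid() != caller_gid || getegid() != caller_gid)
        return -1;                 /* verify rather than trust */
    return 0;
}

/* Purge the inherited environment at entry to main(), keeping only a fixed
 * PATH, so locale and library code never see caller-chosen variables. */
int purge_environment(void)
{
    if (clearenv() != 0)
        return -1;
    return setenv("PATH", "/usr/bin:/bin", 1);
}

int main(void)
{
    if (purge_environment() != 0 || drop_privileges(getuid(), getgid()) != 0) {
        perror("privilege drop failed");
        return 1;
    }
    printf("uid %u, capabilities %s\n", (unsigned)geteuid(),
           caps_are_empty() ? "none" : "still present");
    return 0;
}
```

When the effective uid changes from 0 to a non-zero value, the kernel itself clears the effective and permitted sets unless SECBIT_KEEP_CAPS is set, so in the common case the final limit_caps_to(0) is a confirmation step; the explicit ordering still matters when that securebit is in use or when the program retains uid 0 for part of its run. Supplementary groups are left alone here because a setuid binary already inherits the caller's.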