
List:       selinux
Subject:    Re: Adding audit message to newrole
From:       Chris Wright <chrisw () sous-sol ! org>
Date:       2005-12-22 4:19:12
Message-ID: 20051222041912.GX20219 () sorel ! sous-sol ! org

* Stephen Smalley (sds@tycho.nsa.gov) wrote:
> Yes, but I'm still not sure about the implications.  Not all kernel
> operations compare capability sets, e.g. signals only compare the uids
> of the relevant tasks.  So if you switch to the caller's uid while still
> possessing all capabilities, you may be opening yourself to manipulation
> by the caller.  ptrace does compare the permitted sets for a subset
> relationship.  Might still be safer to shed everything you can first,
> and then drop CAP_SETUID last after the setuid.

It's definitely safer.  Regarding signals, given it's setuid, you can
still send it signals before it has dropped uid.

> > Any reason we can't move this up earlier in main()?
> > 
> > I suppose we could move it above the selinux enabled call.
> > 
> > >Ideally, it should be the first thing in main() to ensure that everything 
> > >else runs under the caller's uid as before.
> > 
> > But after the bindtext call for localization?
> 
> I would assume before, as you otherwise risk still having uid 0 and
> capabilities at that point if there is some locale-related exploit.
> Purging the environment on entry to main() wouldn't hurt either.
> http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/

Agreed.

thanks,
-chris

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
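The ordering the thread settles on (purge the environment on entry to main(), shed every capability not needed for the identity switch, switch to the caller's uid/gid, and only then drop CAP_SETUID/CAP_SETGID) as an added C example; this is not newrole's code, it uses the raw capget(2)/capset(2) syscalls rather than libcap, and the caller's uid and gid are assumed to be passed in by the program.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Keep only the capabilities in `keep` (a 64-bit mask indexed by capability
 * number) in the permitted and effective sets and clear the inheritable set.
 * Reading the current sets first means this only ever shrinks, which the
 * kernel always permits, so it also works in an unprivileged process. */
static int retain_caps(unsigned long long keep)
{
    struct __user_cap_header_struct hdr = {
        .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    struct __user_cap_data_struct data[2];

    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    data[0].permitted &= (unsigned int)(keep & 0xffffffffu);
    data[1].permitted &= (unsigned int)(keep >> 32);
    data[0].effective = data[0].permitted;   /* effective may not exceed permitted */
    data[1].effective = data[1].permitted;
    data[0].inheritable = data[1].inheritable = 0; /* nothing survives execve */
    return (int)syscall(SYS_capset, &hdr, data);
}

/* Drop to the invoking user in the order discussed above.
 * Returns 0 on success, -errno for the first step that fails. */
int drop_to_caller(uid_t caller_uid, gid_t caller_gid)
{
    /* 1. Purge the environment before anything (locale lookup etc.) reads it. */
    if (clearenv() != 0)
        return -errno;
    /* 2. Shed everything except what the uid/gid switch itself needs. */
    unsigned long long switch_caps = (1ULL << CAP_SETUID) | (1ULL << CAP_SETGID);
    if (retain_caps(switch_caps) != 0)
        return -errno;
    /* 3. Switch identity; gid before uid, since CAP_SETGID goes away next. */
    if (setgid(caller_gid) != 0 || setuid(caller_uid) != 0)
        return -errno;
    /* 4. Drop CAP_SETUID/CAP_SETGID last, now that they are no longer needed. */
    if (retain_caps(0) != 0)
        return -errno;
    return 0;
}
```

When the process really is root, setuid() to a non-root uid already clears the capability sets unless PR_SET_KEEPCAPS was requested, so step 4 matters for the keep-capabilities case the thread is worried about and is a harmless no-op otherwise.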