
List:       stunnel-users
Subject:    RE: Changing user ID under Inetd
From:       "Bob Kimmel" <rkimmel () princeton ! edu>
Date:       2001-09-04 19:28:23

Hi,

Thanks to all who have responded, and thanks to Craig
Boston for providing the patch.  I'll be looking at
the various proposed solutions.  Thanks again.

BK

Bob Kimmel
Bendheim Center for Finance
Department of Economics
Princeton University
(609)258-0243
rkimmel@princeton.edu


> -----Original Message-----
> From: craig@eikqi.gank.org [mailto:craig@eikqi.gank.org]
> Sent: Tuesday, September 04, 2001 9:14 AM
> To: stunnel-users@mirt.net
> Subject: Re]: Changing user ID under Inetd
>
>
> On Tue, 4 Sep 2001 00:30:44 -0500 Brian Hatch <bri@stunnel.org> wrote:
>
> > I agree that you have a point there.  However I'd rather that
> > if there's a buffer overflow that it is able to compromise a
> > program that is running as some non-root user.  A compromise
> > of stunnel.pem is nothing compared to a compromise of root.
>
> I knew somebody would bring that up -- even thought about mentioning it in
> my original message.  Of course, security is *always* relative.  It's a
> matter if you trust all of qmail not to be compromised leading to a
> disclosure of the private key, versus trusting about twenty lines of
> stunnel to be secure enough not to lead to root compromise.
>
> From an auditing point of view anyway, the first part of stunnel is
> definitely easier to make sure that is secure.  While I haven't looked at
> it in great detail, the only thing it does before dropping privs is to
> parse the command line and open the socket.  If you can change what goes on
> the command line, you're already root -- by the time a normal user connects
> it's already running unprivileged.
>
> Of course don't take my word for it.  There's always a possibility of some
> hole somewhere and many people (including myself) would prefer to run as
> little as root as possible.  An ideal solution would be for stunnel to run
> as a stunnel user who only has access to the private key files and the
> network, and qmail to run as a qmail user.  But if stunnel's not root it
> can't setuid to somebody else so the only way to do that is suid bits which
> can get messy because of euid...
>
> Anyway, I've babbled on long enough :)
>
> > If you want able to be incorporated into Stunnel then it
> > needs to be a public domain or BSD patch, not GPL.
>
> D'oh!  Well it was a bad way to do it anyway so making the patch GPL will
> prevent it from being included ;D
>
> --
> Craig Boston
>
> "Every program has at least one bug and can be shortened by at least one
> instruction -- from which, by induction, one can deduce that every program
> can be reduced to one instruction which doesn't work."
>
>
>
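The privilege drop Craig describes (do the root-only setup such as binding the socket first, then become an unprivileged user so that a later overflow cannot yield root), as an added C example that is not stunnel's code nor anyone's in this thread; it assumes uid/gid 65534 as the unprivileged account when started as root.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to uid/gid after the privileged setup (e.g. binding the port) is
 * done.  Order matters: supplementary groups, then gid, then uid, because
 * once the uid is no longer 0 the first two calls are refused with EPERM.
 * Returns 0 on success, -1 on failure (errno set). */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)  /* root-only call */
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Returns 1 when the process can no longer become root, 0 otherwise.
 * This is the property the thread relies on: a later overflow in the
 * unprivileged process must not be able to escalate back to root. */
int root_unreachable(void)
{
    if (geteuid() == 0 || getuid() == 0)
        return 0;
    /* setuid(0) must fail now.  A classic mistake is calling seteuid()
     * instead of setuid(), which leaves the saved uid at 0 and lets it succeed. */
    if (setuid(0) == 0)
        return 0;
    return errno == EPERM;
}

/* Demonstration entry point: when started as root, switch to uid/gid 65534
 * ("nobody" on most Linux systems; an assumption, not from the thread);
 * otherwise re-apply the current ids, which is a permitted no-op. */
int demo_drop(void)
{
    int root = geteuid() == 0;
    uid_t uid = root ? (uid_t)65534 : getuid();
    gid_t gid = root ? (gid_t)65534 : getgid();
    if (drop_privileges(uid, gid) != 0)
        return -1;
    return root_unreachable() ? 0 : -1;
}
```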
