[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Setuid



On Wed, 20 Nov 1996, joost witteveen wrote:

> > Why not use POSIX (or whatever) saved-uids. Switch straight out of root by
> > swapping euid and uid as soon as the program starts, then swap again just
> > before calling svga_init(). This puts the security risks to a minimum.
> 
> Seems interesting. I haven't very much experience with this, and I just
> experimented with it, I think I get what you mean, but I'm not sure
> I'm doing it right. Could you check if this below is actually what you
> intended (and is OK?)
> 
> int main(){
>   setreuid(0,getuid());
             ^

According to the info file for libc, there are two ways of doing it. You
can either used the saved-uid feature (which Linux does support, so it's
best to go for this), or you can swap uid and euid. Try something like:-

int main()
{
	seteuid (getuid ());

	/* ... */

	seteuid (0);
	svga_init();
	/* svga_init has now reset out euid to our uid */
	/* unpriveliged again... */

}

> Also, what would you think -- should I, if I make these changes, make
> setuid default? Cos if I get it right, then, when there is some buffer

Yes. Root euid is only used here to call one function, and is immediately
got rid of by svga_init - the function to get the ioport priveliges. Then
the only security hazard is if someone manages to spoof svgalib (i.e.
LD_PRELOAD=...). I think the only way to stop this is possibly to
statically link svgalib (or there might be a setting for LD, but I don't
know).

-- 
Tom Lees <tom@lpsg.demon.co.uk>
== Linux debian 2.1.10 #14 Tue Nov 19 16:31:18 GMT 1996 i486 ==

--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com


Reply to: