[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Tests running as (real) root?

On 12/10/14 22:29, Svante Signell wrote:
> setuid has worked for ages. For example how many X servers have been
> compromised the last 30 years?

Apart from via <https://bugs.debian.org/689070>,
<https://blogs.oracle.com/alanc/entry/security_hole_in_xorg_6> and

Those all appear to be separate vulnerabilities found within the last
decade that affected Xorg on at least one platform. Others probably
exist but I think 4 are enough to prove my point. If X was always
started as root by *dm and never as an ordinary user by startx/xinit,
and hence didn't need to be setuid, then the first 3 out of those 4
would not have affected X: the first one would have been a non-issue for
X (although still relevant for other things), and the second and third
would not even have existed.

setuid processes have a lot of attack surface: they run in an
environment (environment variables, rlimit, etc.) that is controlled by
their less-privileged caller. To not be exploitable, they need to be
paranoid, and also make sure that either everything in their process
space is designed to be equally paranoid, or they don't call into those
libraries for the first time until they have ensured that their
execution environment is safe.

The fewer setuid processes we can get away with having, the better.


Reply to: