
Re: About addauth and security.



On Mon, Sep 04, 2000 at 11:12:31AM +0400, Nalim wrote:
> I've seen addauth program. As I
> understand user can add new privileges
> himself. But it is dangerous for
> security. Am I wrong?

IIRC, if the addauth process doesn't have the privileges you're adding to
another process, it tries to get them from the password server.  For that
to work, you need to know the password of the user whose rights you're
giving to a process.  So no danger there.

I'm more worried about the other program (was it called rmauth?) which
lets you remove rights from processes.  Setuid programs often temporarily
switch to the real UID before accessing user-specified files etc.  Now
what happens if you remove your own UID from the program so that the
switch fails?  Are programs written to notice that?
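
The failure mode raised in the last paragraph, shown as an added example that is not part of the original message or of the Hurd sources: a setuid-style helper that switches its effective UID before opening a user-specified file and fails closed when the switch does not take effect. It assumes the POSIX seteuid() interface; open_as_uid, switch_fn and the two stub functions are hypothetical names, and the stubs are constructed stand-ins for a process whose UID has been removed.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical hook so the failure path can be exercised without being setuid. */
typedef int (*switch_fn)(uid_t);

/* Open `path` with the effective UID set to `target`; fail closed if the
 * switch did not take effect. Returns an fd, or -1 with errno set. */
int open_as_uid(const char *path, int flags, uid_t target, switch_fn sw)
{
    uid_t saved = geteuid();

    /* Check the return value, then confirm the result independently. */
    if (sw(target) != 0 || geteuid() != target) {
        errno = EPERM;
        return -1;              /* never touch the file with the old euid */
    }

    int fd = open(path, flags);
    int open_errno = errno;

    /* Regain the saved effective UID; running on in an unknown state is unsafe. */
    if (sw(saved) != 0 || geteuid() != saved) {
        if (fd >= 0) close(fd);
        abort();
    }
    errno = open_errno;
    return fd;
}

/* Constructed stubs standing in for a process whose UID was taken away. */
int switch_denied(uid_t uid) { (void)uid; errno = EPERM; return -1; }
int switch_silent_noop(uid_t uid) { (void)uid; return 0; }

int main(void)
{
    int fd = open_as_uid("/dev/null", O_RDONLY, getuid(), seteuid);
    printf("real seteuid: fd=%d\n", fd);
    if (fd >= 0) close(fd);
    printf("denied switch: fd=%d\n",
           open_as_uid("/dev/null", O_RDONLY, getuid(), switch_denied));
    return 0;
}
```

A program that calls seteuid() and ignores the result would instead go on to open the file with its original effective UID, which is the case the question is about.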

