Re: passwd entry for uid -1



Quoth Marcus Brinkmann: 

> Will the following scenario work?
> 
> glibc is changed, so that "setuid(-1)" means: Drop all (effective?) user ids.
> Change the nobody entry in the passwd file so that it lists -1 as uid.
> 
> This will make Unix programs which conventionally switch to user nobody very
> safe (because they will run without any privileges).

Would this make it possible to run both the apache-threads and bind as
"nobody", and still have a person who cracks your bind _not_ being able
to fiddle with your apache?  Would services using more than one process
still be able to work normally? 

In Unix/Linux, running stuff as nobody is not of much use, as if you run
two or more services as the user nobody, the cracker that gets in through
one of them will have control over all the others.  (and can for example
debug/ptrace() your sshd, dumping all the passwords.)  As Robert said,
"nobody" actually owning stuff is even worse.

If we could get some kind of compartmentalizing for setuid(-1), so that
the apache threads would have access to each other, but not to bind or
the ftpd, and so forth, it could work, but this would again be totally
incompatible with all other systems.

Am I totally off here?  I'm not sure how you would combine "no
privileges" with "actually being able to do something useful".  I'm
quite Unixified in my knowledge, so perhaps it is only a question of
unlearning a bit more  ;)

Oystein
-- 
This message was generated by a horde of attack elephants armed with PRNGs.
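
Added example, not part of the original message: a small audit check for the situation the post describes, where several unrelated services share one account such as "nobody". The `ps` listing is a constructed sample, and the function name `shared_accounts` and the command names in it are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample of `ps -eo user,pid,comm` output (not from the original post).
SAMPLE_PS = """\
USER       PID COMMAND
root         1 init
root       412 sshd
nobody     530 named
nobody     611 apache
nobody     612 apache
nobody     613 apache
ftp        700 ftpd
"""


def shared_accounts(ps_output, ignore=("root",)):
    """Map each account to its services when it runs more than one distinct service.

    Several processes of the same service (the apache workers) count once:
    they are expected to share an account. Two different services under one
    account means compromising either one gives control over the other.
    """
    services = defaultdict(set)
    for line in ps_output.splitlines()[1:]:      # skip the header row
        fields = line.split(None, 2)
        if len(fields) != 3:
            continue                             # malformed or empty line
        user, pid, comm = fields
        if not pid.isdigit() or user in ignore:
            continue
        services[user].add(comm.strip())
    return {u: sorted(c) for u, c in services.items() if len(c) > 1}


if __name__ == "__main__":
    for user, cmds in shared_accounts(SAMPLE_PS).items():
        print(f"{user}: shared by {', '.join(cmds)}")
```

On a live system, the same function can be fed the real output of `ps -eo user,pid,comm`; giving each flagged service its own dedicated account removes the shared-uid exposure.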


