
Re: debian: user-request-daemon (it could solve some problems)



On Thu, 15 Feb 2007 14:00:04 +0000
martin f krafft <madduck@debian.org> wrote:

> also sprach Curt Manucredo <curtm2@yahoo.de> [2007.02.15.1328 +0000]:
> > request client. since urequestd does not execute any process
> > unless it comes from an urequest-client, all verifications are
> > done in the urequest client program. this includes user and group
> > verification as well as checking if the request even exists.
> 
> This sounds like a bad idea. All I have to do is imposter as
> urequest-client and I can execute anything.
yes this is correct, but it won't be able to call any command as
far as i can see! but since i have discovered that it is not safe to
check the gid and uid in the client, i have moved all the tests
out of the client into the daemon. so now i check the uid and gids in
the /proc file system as i already do with the cmdline-file in /proc to
authenticate the request. i moved it into the client thinking that it is
safe, it is of course not. but why do you say you can execute anything?
the daemon checks the /proc/pid_of_urequest/cmdline and compares it
with the request sent through the fifo-file. it now checks the uid and
gids and in case everything is fine, it executes the rule as long as it
exists and the user is allowed to do so. so, are you still sure you can
imposter as the client with these restrictions? if so, i will have
to let it die! ;-(
but well, i have a little problem! why are
there in the /proc/pid_of_urequest/status, in line Uid: and Gid:, four
times the Uid and Gid? why is it so? can you please explain to me why?
however, i have reinvented the wheel in a complicated way, but i learn
much about the system i run though.
> 
> What's the added benefit over, say, sudo?
> 
i am not quite sure about sudo, since it asks for a password from
time to time. i use urequestd for example for the battery check daemon so
it does not need to run as root. it does everything as a normal system
user and in case the battery runs low it executes the hibernate
command through a rule with urequestd. this was the very first task of
urequestd. then i use it for wvdial and ifupdown. and only those rules
exist. it will not call anything outside of /etc/urequestd/rules/.

thank you for the reply
regards

curt
-- 
make sure that anywhere in your mail the string
'debian' appears. otherwise your message will not
end up in my mailbox!

Curt Manucredo
curtm2 at yahoo dot de

 .''`.
: :'  :
`. `'`
  `-
proud debian-user 
http://www.debian.org

http://blueblended.wordpress.com

http://www.keinverlag.at/autoren.php?autor=2311
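
The four numbers on the `Uid:` and `Gid:` lines asked about in the message above are, per proc(5), the real, effective, saved-set and filesystem IDs, in that order. The following is an added example, not part of the original mail and not urequestd's code, of parsing those lines for a daemon-side check; the function names, the constructed sample status text and the policy of refusing a caller whose four IDs differ are assumptions.

```python
"""Parse the Uid:/Gid: lines of /proc/<pid>/status (added example)."""
from collections import namedtuple

# Field order documented in proc(5): real, effective, saved set, filesystem.
Ids = namedtuple("Ids", "real effective saved fs")

# Constructed sample: a process started by uid 1000 running a setuid-root binary.
SAMPLE_SETUID = """Name:\turequest
State:\tS (sleeping)
Pid:\t4242
Uid:\t1000\t0\t0\t0
Gid:\t1000\t1000\t1000\t1000
Groups:\t20 24 1000
"""

# Constructed sample: an ordinary unprivileged process.
SAMPLE_PLAIN = SAMPLE_SETUID.replace("Uid:\t1000\t0\t0\t0", "Uid:\t1000\t1000\t1000\t1000")


def parse_ids(status_text):
    """Return (uid_ids, gid_ids) from the text of a status file."""
    found = {}
    for line in status_text.splitlines():
        key, _, rest = line.partition(":")
        if key in ("Uid", "Gid"):
            fields = rest.split()
            if len(fields) != 4 or not all(f.isdigit() for f in fields):
                raise ValueError("malformed %s line: %r" % (key, line))
            found[key] = Ids(*(int(f) for f in fields))
    if set(found) != {"Uid", "Gid"}:
        raise ValueError("Uid:/Gid: lines missing")
    return found["Uid"], found["Gid"]


def caller_uid(status_text):
    """Return the uid to authorize, or None when the four IDs disagree.

    Assumed policy: a process whose real, effective, saved and filesystem
    IDs differ (setuid/setgid in play) is refused rather than guessed at.
    """
    uid, gid = parse_ids(status_text)
    if len(set(uid)) != 1 or len(set(gid)) != 1:
        return None
    return uid.real


def read_status(pid):
    """Read a live process's status; the pid can exit or be reused at any time."""
    with open("/proc/%d/status" % pid) as fh:
        return fh.read()
```

Because the status file is read after the request has arrived, the process behind the pid may already have exited or been replaced, so the result describes the pid at read time, not necessarily the sender.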


