[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: kdesud and nogroup group setgid ownership

On Thursday 20 May 2010, Roger Leigh wrote:
> This setgid binary is owned by :nogroup, so unless I'm mistaken
> this should be safe: it's not possible for any process with
> gid=nogroup to to tamper with the binary.  This just seems a
> little odd from a security POV, since kdesud is only dropping to
> an unprivileged group; it's not dropping to an unprivileged UID
> such as nobody, and it's not dropping the supplementary groups
> (which includes the old EGID in any case).  i.e. the actual effect
> of the switch of effective group is almost nil, which made me
> wonder if this is what was intended here. (Since the switch
> appears pointless, was something more secure supposed to happen
> instead?)
> But, more generally, should we have files owned by :nogroup on the
> system?
> So there's really two main queries:
> 1) Is the setgid-nogroup actually serving any useful purpose or
>    should it be doing a better job of dropping privs?

The purpose is to prevent other processes from ptracing kdesud (and 
possibly extracting the password in that way). Only root can ptrace 
sgid or suid processes (at least under Linux).

> 2) Should nobody/nogroup owner/group be permitted on the
>    filesystem?

If kdesud does not write any group nobody owned files, it is IMHO fine 
to use group nobody. And if kdesud writes files, it should probably 
just switch back to the old EGID. So I don't see the need for an 
additional group. OTOH ssh-agent uses a dedicated group "ssh". Does 
anybody know if there is a special reason for that?


Reply to: