Bugtraq mailing list archives

Wiping out setuid programs

From: djb () CR YP TO (D. J. Bernstein)
Date: Wed, 6 Jan 1999 04:07:54 -0000


This is a continuation of the ``Why you should avoid world-writable
directories'' thread.

Why do we create setuid programs? Because we need to let users access
particular files in restricted ways. Some traditional examples:

   program   files
   -------------------------
   at        the at queue
   atq       the at queue
   atrm      the at queue
   chfn      /etc/passwd
   chpass    /etc/passwd
   chsh      /etc/passwd
   crontab   the cron queue
   cu        serial lines
   eject     floppy disks
   fdformat  floppy disks
   lock      /etc/shadow
   lpr       the print queue
   lprm      the print queue
   netstat   kernel memory
   passwd    /etc/shadow
   ps        kernel memory
   rlogin    low TCP ports
   rsh       low TCP ports
   sendmail  the mail queue
   talk      terminals
   tip       serial lines
   wall      terminals
   write     terminals

In every case the file access could be moved to a non-setuid daemon that
accepts UNIX-domain connections from unprivileged user programs. This
would wipe out a huge number of local security holes.

However, in most cases, the daemon needs to know who it's talking to,
for access control or for accounting. That's why I want a getpeeruid()
routine returning the uid that called connect().

It turns out that Linux 2.1 already supports this feature. You can
implement getpeereuid() and getpeeregid() with a few lines on top of
getsockopt() with SO_PEERCRED. Other systems could easily add support.

A few people have commented that getpeeruid() doesn't give per-packet
uids: if a user connects to the socket, and runs a setuid program, then
the program's input and output will be attributed to the user. So what?
The user could just as easily have run "cat | thesetuidprogram | cat",
and he really does own the cat processes.

Anyway, I've set up a web page discussing various IPC mechanisms from
the writing-daemons-that-manage-restricted-files point of view:

   http://pobox.com/~djb/docs/secureipc.html

Please let me know if you have any updates.

---Dan

Current thread:

Tripwire mess.. CyberPsychotic (Jan 04)
- Re: [SECURITY] New versions of netstd fixes buffer overflows Chip Salzenberg (Jan 04)
  - Re: [SECURITY] New versions of netstd fixes buffer overflows Wichert Akkerman (Jan 05)
  - Wiping out setuid programs D. J. Bernstein (Jan 05)
    - Re: Wiping out setuid programs Darren Reed (Jan 06)
    - Re: Wiping out setuid programs Illuminatus Primus (Jan 06)
    - Re: Wiping out setuid programs Thamer Al-Herbish (Jan 06)
  - Checking for most recent Solaris Security Patches spamhater () GRYMOIRE COM (Jan 06)
    - Re: Checking for most recent Solaris Security Patches Ronan Waide (Jan 07)
    - NFR Version 2.0.2 Research Now Available Deborah A. Greenberg (Jan 07)
    - Re: Checking for most recent Solaris Security Patches Paul Brunk (Jan 08)
    - Re: Checking for most recent Solaris Security Patches John D Groenveld (Jan 08)
    - Re: Checking for most recent Solaris Security Patches Jon Ross (Jan 12)
    - Re: Checking for most recent Solaris Security Patches Linux Mailing Lists (Jan 13)

(Thread continues...)