Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability)

[Kurt Seifried <kseifried () redhat com>]

On 26/09/14 12:12 PM, Rich Felker wrote:
> On Fri, Sep 26, 2014 at 02:06:21PM +0100, Simon McVittie wrote:
> > > Tell everyone to stop using setuid/setgid now and forever?
>
> Yes!
>
> > Minimizing use of setuid/setgid, and making sure the setuid/setgid
> > things are suitably hardened, is a good idea. However, tools for
> > controlled privilege escalation (sudo, pkexec, Apache suexec) rely on
> > setuid in order to work. There's a reason the feature exists at all.
>
> These could all be done by having the process with root privileges
> inherit them from a daemon parent that already has root, rather than
> requiring the kernel to elevate the privileges of a process via the
> setuid bit. This inherently eliminates all attacker control of the
> process's initial state and limits the input/attack surface to the
> communication channel clients have with the daemon (e.g. a single unix
> socket).

setuid/setgid is not just for root. For example the Postfix server makes
use of various groups and setuid/setgid binaries and directories so that
there are well defined interfaces between Postfix components that run
with different privilege levels.

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Attachment: signature.asc
Description: OpenPGP digital signature