[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Passive versus active translators
|
From: |
Niels Möller |
|
Subject: |
Re: Passive versus active translators |
|
Date: |
24 Jun 2001 23:46:29 +0200 |
Neal H Walfield <neal@cs.uml.edu> writes:
> > > o User ids
> > > - settrans: The euid and egid of the user that lauched
> > > settrans.
> > > - libfshelp: The uid and gid of the node.
> > The user might not always (unlike root) have the ability change
> > the euid and egid of a process to those of an arbitrary node.
> > So the translator has to be started with the priviliges of the
> > user.
>
> Not true; make settrans suid root.
Making random binaries setuid root is usually a bad "solution". A
better argument might be: If the user has the authority to create the
node and/or set a translator for it in the first place, then the user
more-or-less has the ability to create processes with that same
uid/gid [1], so settrans should be able to do that for the user
without any special tricks.
In any case, if you hack settrans to set the working directory and
uid(s) of the active translator, it is probably also a good idea to
add options like --keep-working-directory and --keep-identity to skip
those steps.
So I think your proposal makes sense.
/Niels
[1] If you can't create processes running with my uid by doing a
simple fork/setuid/exec maneuver, but you can attach a translator to
some node that I own and in that way get the system to start a
translator process of your choice running with my id, then that is an
inconsistency in the Hurd's security model. So I hope that is not the
case. Same reasoning should apply to the the node's gid.