Re: establishing the callers PID
From: Marcus Brinkmann
Subject: Re: establishing the callers PID
Date: Sun, 12 May 2002 03:16:18 +0200
User-agent: Mutt/1.3.28i
On Sat, May 11, 2002 at 06:02:18PM -0700, Thomas Bushnell, BSG wrote:
> Marcus Brinkmann <Marcus.Brinkmann@ruhr-uni-bochum.de> writes:
>
> > I think it is absolutely mandatory that we establish the PID in a
> > trustworthy way rather than let the user provide some unique ID on its own.
> > I think there is already a place in the Hurd where we should do that but
> > don't (wasn't that term's term_open_ctty?), and there are all sort of simple
> > attacks possible if we can't trust the PID (eg a monitor server might check
> > for stale advisory locks and kill processes that don't release them timely.
> > In the untrusted model, a user could make this monitor process kill
> > arbitrary processes on the system).
>
> Nope; a malicious filesystem could just return bogus PID values too.
Mmh, we could restrict the monitor to trusted filesystems (eg /).
> I don't think this is a serious security issue, actually. Such a
> monitor depends on an awful lot--it's not a strict Posix program
> already.
I am not really particularly attached to my example, it was just one of the
first that came to my mind. Are you suggesting with "I don't think that
this is a serious security issue" that relying on a PID provided by the user
is good enough in the general case? Or were you only relating this to my
example?
Thanks,
Marcus
--
`Rhubarb is no Egyptian god.' Debian http://www.debian.org brinkmd@debian.org
Marcus Brinkmann GNU http://www.gnu.org marcus@gnu.org
Marcus.Brinkmann@ruhr-uni-bochum.de
http://www.marcus-brinkmann.de
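The two models Marcus contrasts (a PID the client writes into its request versus one the system establishes for the server) can be shown side by side on Linux. This is an added illustration, not code from the thread or from the Hurd: it assumes Linux, uses `SO_PEERCRED` as the kernel-established credential, and fakes a client that lies about its PID over a socketpair inside one process.

```c
#define _GNU_SOURCE
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed request format for this example: the client writes the PID it
 * claims to have. (The Hurd RPCs discussed in the thread look nothing like this.) */
struct lock_request {
    pid_t claimed_pid;
};

/* Untrusted model: believe whatever PID the client put in the message. */
pid_t pid_from_claim(const struct lock_request *req)
{
    return req->claimed_pid;
}

/* Trusted model: ask the kernel who holds the other end of the socket.
 * SO_PEERCRED is Linux-specific (assumption: this runs on Linux). */
pid_t pid_from_kernel(int sock)
{
    struct ucred cred;
    socklen_t len = sizeof cred;
    if (getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0)
        return -1;
    return cred.pid;
}

/* Play both sides over a socketpair: the "client" claims `claimed`, the
 * "server" compares it with the kernel's answer. Returns 1 if the claim is
 * spoofed, 0 if it matches, -1 on a system error. */
int detect_spoofed_pid(pid_t claimed)
{
    int sv[2];
    struct lock_request req = { claimed }, got;
    int result = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    if (write(sv[0], &req, sizeof req) == (ssize_t)sizeof req &&
        read(sv[1], &got, sizeof got) == (ssize_t)sizeof got) {
        pid_t trusted = pid_from_kernel(sv[1]);
        if (trusted >= 0)
            result = pid_from_claim(&got) != trusted;
    }
    close(sv[0]);
    close(sv[1]);
    return result;
}
```

Because both socket ends live in the same process, the honest claim is `getpid()`; any other value is exactly the "bogus PID" a monitor in the untrusted model would act on.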