
Re: the watchdog of login program

From: Thomas Bushnell BSG
Subject: Re: the watchdog of login program
Date: 30 Aug 2004 18:40:56 -0700
User-agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.3

Roland McGrath <roland@frob.com> writes:

> > More exactly, you mean before calling proc_setowner.
> Yes.
> > We should be more careful here.  
> How?

As I described below. :)

> > For all we know, we have big giant hairy port leaks in the startup code
> > for the Hurd, and every process in the system is running as root.
> Not if there are EXEC_NEWTASK execs involved.  

Ok, that's true, EXEC_NEWTASK is good enough for the general case.

> Like I said, there might be leaks in login I haven't thought of.  Using
> EXEC_NEWTASK is the way to be sure none survive, but there will be a window
> between proc_setowner and the exec completing where the target owner can
> hijack the login process and exploit any leaks.  We can avoid that by using
> EXEC_SECURE instead, and just not calling proc_setowner at all.  Then exec
> will use proc_setowner on the fresh task's proc port after proc_reassign.

Ah, good idea.  I think EXEC_SECURE is perhaps the best solution.

> That is nuts.  You don't know what you are talking about proc and
> startup programs for.  There is no problem with them.  We are
> talking about login here.

Given the normal use of EXEC_NEWTASK, you are right.

