Re: killing setuid programs
From: Thomas Bushnell BSG
Subject: Re: killing setuid programs
Date: Tue, 29 Aug 2006 11:58:43 -0700
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)

Samuel Thibault <samuel.thibault@ens-lyon.org> writes:
> Roland McGrath, on Mon 28 Aug 2006 17:34:24 -0700, wrote:
>> It sounds like you are describing the intended behavior.
>> You can't send a signal to a setuid program with kill.
>
> For a process to have permission to send a signal to a process designated
> by pid, unless the sending process has appropriate privileges, the real or
> effective user ID of the sending process shall match the real or saved
> set-user-ID of the receiving process.
>
> And setuid programs keep the real user ID set to Joe user's, so that Joe
> user can kill the program he launches.

This is not quite correct.

Most setuid programs do *not* keep the real user ID alone; instead,
they explicitly change it to match the effective user ID. This is
important. If the "passwd" program could be interrupted at will by
its caller, for example, then it might leave an incompletely written
and locked password file around.

Thomas
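
The kill() permission rule quoted in this message, and the effect of a set-user-ID program resetting its real user ID, as a simplified model added here as an example (not part of the original message, and not Hurd or glibc code). The struct, the function names, uid 1000 for Joe, and treating effective uid 0 as "appropriate privileges" are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

typedef unsigned int uid;

/* Simplified model of a process's POSIX user credentials (assumption). */
struct cred { uid ruid, euid, suid; };

/* exec of a set-user-ID file: effective and saved IDs become the file
   owner's; the real ID stays that of the invoking user. */
static struct cred exec_setuid(struct cred caller, uid owner) {
    struct cred c = { caller.ruid, owner, owner };
    return c;
}

/* setuid(u) as POSIX describes it: with appropriate privileges (modelled
   here as euid 0) all three IDs are set; otherwise only the effective ID
   may change, and only to the real or saved ID. Returns 0 or -1. */
static int model_setuid(struct cred *c, uid u) {
    if (c->euid == 0) { c->ruid = c->euid = c->suid = u; return 0; }
    if (u == c->ruid || u == c->suid) { c->euid = u; return 0; }
    return -1;
}

/* The rule quoted above: sender's real or effective ID must match the
   receiver's real or saved set-user-ID, unless the sender is privileged. */
static bool may_signal(struct cred s, struct cred t) {
    if (s.euid == 0) return true;
    return s.ruid == t.ruid || s.ruid == t.suid ||
           s.euid == t.ruid || s.euid == t.suid;
}

/* Joe (uid 1000, constructed) runs a set-user-ID root program. Returns
   whether Joe may signal it, with or without the program calling setuid(0). */
static bool joe_can_kill(bool program_resets_real_uid) {
    struct cred joe = { 1000, 1000, 1000 };
    struct cred prog = exec_setuid(joe, 0);
    if (program_resets_real_uid) model_setuid(&prog, 0);
    return may_signal(joe, prog);
}

int main(void) {
    printf("real uid kept:  %d\n", joe_can_kill(false));
    printf("real uid reset: %d\n", joe_can_kill(true));
    return 0;
}
```

In this model a set-user-ID program owned by a non-root user cannot shed its caller's real ID with setuid(), so its caller can still signal it.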