Re: killing setuid programs

From: Samuel Thibault
Subject: Re: killing setuid programs
Date: Tue, 29 Aug 2006 21:10:14 +0200
User-agent: Mutt/1.5.12-2006-07-14

Thomas Bushnell BSG, on Tue 29 Aug 2006 11:58:43 -0700, wrote:
> Samuel Thibault <samuel.thibault@ens-lyon.org> writes:
> > Roland McGrath, on Mon 28 Aug 2006 17:34:24 -0700, wrote:
> >> It sounds like you are describing the intended behavior.
> >> You can't send a signal to a setuid program with kill.
> >
> >   For a process to have permission to send a signal to a process designated
> >   by pid, unless the sending process has appropriate privileges, the real or
> >   effective user ID of the sending process shall match the real or saved
> >   set-user-ID of the receiving process.
> >
> > And setuid programs keep the real user ID set to Joe user's, so that Joe
> > user can kill the program he launches.
> This is not quite correct.
> Most setuid programs do *not* keep the real user ID alone; instead,
> they explicitly change it to match the effective user ID.  This is
> important.

Setuid programs themselves might, yes.  But the system mustn't change
it itself (Hurd's proc correctly doesn't).  Because some programs other
than passwd (an X server for instance) need to be killable by the very
user that started them (via xinit).

> If the "passwd" program could be interrupted at will by
> its caller, for example, then it might leave an incompletely written
> and locked password file around.

Agreed.  But POSIX says (and some setuid programs rely on this) that by
default, a setuid program can be killed by the user who launched it.
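
The permission rule quoted in this thread, modelled in C as an added example that is not part of the original message or of Hurd's proc. The `creds` struct, the helper names, the sample UIDs and the treatment of "appropriate privileges" as effective UID 0 are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical model of a process's user IDs (not Hurd or libc code). */
struct creds { uid_t ruid, euid, suid; };

/* exec of a set-user-ID file: effective and saved IDs become the file
 * owner's; the system itself leaves the real ID untouched. */
static struct creds exec_setuid(struct creds c, uid_t owner) {
    c.euid = owner;
    c.suid = owner;
    return c;
}

/* setuid(uid) called by a privileged process sets all three IDs.
 * Only the privileged case (euid 0) is modelled here. */
static struct creds setuid_privileged(struct creds c, uid_t uid) {
    if (c.euid == 0)
        c.ruid = c.euid = c.suid = uid;
    return c;
}

/* The kill() rule quoted above: sender's real or effective UID must match
 * the receiver's real or saved set-user-ID.
 * Assumption: "appropriate privileges" is modelled as euid 0. */
static bool may_signal(struct creds s, struct creds r) {
    if (s.euid == 0)
        return true;
    return s.ruid == r.ruid || s.ruid == r.suid ||
           s.euid == r.ruid || s.euid == r.suid;
}

int main(void) {
    struct creds joe = {1000, 1000, 1000};  /* constructed sample user */
    /* X server started via xinit: keeps Joe's real UID. */
    struct creds xserver = exec_setuid(joe, 0);
    /* passwd-style program: explicitly sets real UID to match effective. */
    struct creds passwd = setuid_privileged(exec_setuid(joe, 0), 0);

    printf("joe -> xserver: %s\n", may_signal(joe, xserver) ? "allowed" : "denied");
    printf("joe -> passwd:  %s\n", may_signal(joe, passwd) ? "allowed" : "denied");
    return 0;
}
```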