bug-hurd
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Many questions about translators


From: Samuel Thibault
Subject: Re: Many questions about translators
Date: Fri, 16 Apr 2010 15:14:54 +0200
User-agent: Mutt/1.5.12-2006-07-14

Carl Fredrik Hammar, le Fri 16 Apr 2010 15:07:22 +0200, a écrit :
> On Fri, Apr 16, 2010 at 01:59:16PM +0200, Samuel Thibault wrote:
> > Carl Fredrik Hammar, le Fri 16 Apr 2010 11:52:04 +0200, a écrit :
> > > >      2. If yes on question 1, would this be insecure? For example, if
> > > >         the user overrides a library used by a setuid program? (Then
> > > >         again, if the program is running as e.g. root by setuid, it
> > > >         wouldn't [at least shouldn't] see the files as the user does)
> > > 
> > > Actually, I'm not entirely sure.
> > 
> > I'd prefer somebody else checks it too, but I believe it works this way:
> > 
> > diskfs_S_file_exec calles fshelp_exec_reauth, which returns secure==1
> > when the ID changes, which makes file_exec add EXEC_SECURE. In exec's
> > do_exec(), one can read
> > 
> >     if (secure || (defaults
> >                && boot->portarray[INIT_PORT_CRDIR] == MACH_PORT_NULL))
> >       use (INIT_PORT_CRDIR, std_ports[INIT_PORT_CRDIR], 1, 0);
> > 
> > which resets the root port to the hurd (or sub-hurd) root.
> 
> Ah, this rings a bell.  I'm a bit surprised that it gets the root directory
> from exec and not the translator though.

That could have been useful in some cases maybe, yes.

BTW, this is why running a setuid program in a chroot escapes the
chroot.

> > > >      4. Is it possible for a translator to provide different views of
> > > >         the node for different users? For example, could each user have
> > > >         their own list of packages they want installed and the HPM
> > > >         translator would use ref-counting to install packages with
> > > >         ref-count > 0, and/or perhaps even make different packages
> > > >         appear installed for different users?
> > > 
> > > This is actually possible, as the translator knows the user of the
> > > client so it can grant or withhold access.  But I suspect that using
> > > it to provide different services to different users would violate many
> > > assumptions made by clients.
> > 
> > Could you try to find examples?  Usually, applications are not meant to
> > be run under several different identities.
> 
> Not simultaneously, but applications can change their identity midway
> with setuid().

That's what I had in mind yes, but I'm still wondering :)

Samuel




reply via email to

[Prev in Thread] Current Thread [Next in Thread]