bug-hurd
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [VULN 4/4] Process auth man-in-the-middle

From: William ML Leslie
Subject: Re: [VULN 4/4] Process auth man-in-the-middle
Date: Fri, 5 Nov 2021 21:18:50 +1100
CC list reduced considering I'm going to ask about a slightly different topic.

This is fantastic research Sergey, this vuln especially so.

On Wed, 3 Nov 2021 at 03:49, Sergey Bugaev <bugaevc@gmail.com> wrote:

To get someone privileged to authenticate to me, I went with the same
exec(/bin/su) trick, which makes the root filesystem reauthenticate all of the
processes file descriptors. If we place our own port among the file descriptors,
we'll get a io_reauthenticate () call from the root filesystem on it, which
we'll forward to the proc server, pretending to reauthenticate our process.


I've been meaning to ask: Why does the hurd attempt to re-authenticate open file descriptors during exec?  It seems to eliminate a rather convenient method of delegation; a process opening a descriptor, forking and executing a child, and dropping privileges, while retaining access to that one resource.  I realise you can still do this by manipulating ports directly (this only applies specifically to the contents of the descriptor table).  Is it required for posix compliance somehow, or was there some other interesting use case?

--
William ML Leslie
reply via email to
[Prev in Thread] Current Thread [Next in Thread]