[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [future patch] dropping user privileges on demand

peter@wemm.org said this stuff:

> ari wrote:
> > Currently, root is the only user that can actually drop significant
> > privileges, as root is the only user that has access to such functions.
> > This is flawed --- any user should be able to relinquish his privileges,
> > and i've begun a patch to put this into effect.
> > 
> > However, the fact that this is a security-related kernel feature
> > modification warrants peer-review, in both design and implementation.
> > It would be unwise of me to create the patch without consulting such.
> > 
> > The web page that discusses the patch may be found at:
> > 
> >     http://www.episec.com/people/edelkind/patches/kernel/flowpriv/
> > 
> > I welcome any discussion and criticism.
> The biggest risk is that you may have aquired something priviliged in your
> process memory space or file descriptor table.  If you are then fully
> unpriviliged, then things like ptrace(), core dumps etc, become a minefield.
> For example, if a process did a getpwnam() before dropping privs, then
> it may have a cached copy of the secret master.passwd data in memory.
> Anyway, thats something to keep in mind.

True, but you have this problem if you don't drop privileges, as well.
The programmer must account for such things, either way.

However, since even root-owned processes will be able to drop most
system call privileges, programmers must be careful not to lull
themselves into a false sense of security if, for example, dumping core
is still an option.  Dumping core should be disabled with filesystem
writes, however, and ptrace should be included in a class of items to