> In traditional unix, every utility has inheritable set set to FULL by
> default. I do not think it is good idea to change that.
> I have to disagree; making inheritible set to be NULL by default, and
> only allowing someone with privileges to set the inheritable set is
> extremely important.
> Consider that there are many security holes in Unix which are caused by
> the fact that by default processes inherit full privleges. For example,
> consider the old security problem where /usr/ucb/Mail used the "more"
> pager, and you could cause "more" to cause a shell to be executed by
> using the '!' command to more. Since /usr/ucb/Mail used to be setuid
> root, you could get a root shell that way! Oops. This has been fixed
> in modern Unix systems, but shows that you have to be extremely paranoid
> when you write setuid programs, less you fall into similar traps.
Which only means that "more" should have inheritable set equal to
zero. I _still_ do not see why setting inheritable set should be
privileged operation. Secure programs should not execute external
applications of normal users. [Do you aim at /usr/ucb/Mail being
safelly able to execute user-supplied programs? That would be
NICE... but can you make it unix?]
Ok, given example with "more"... I do not think inheritable set of
"more" set to NULL would help: even if it was that way, shell executed
from more would have uid == 0 and no privileges. But what user owns
/etc/passwd? uid == 0. And I've got a shell with... uid == 0. So I do
not need any privilege (it is owned by same uid!) to edit /etc/passwd
and you are screwed; anyway. I could this be solved in "pure
capabilities" system, but I do not see how you want to fit protection
against "more" attack and still be unix.
-- I'm really firstname.lastname@example.org. Pavel Look at http://atrey.karlin.mff.cuni.cz/~pavel/ ;-).
- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to email@example.com Please read the FAQ at http://www.tux.org/lkml/