Re: Why wrapping PIDs is evil [was 32bit]

From: Horst von Brand (vonbrand@sleipnir.valparaiso.cl)
Date: Sun Jan 16 2000 - 09:54:23 EST


Pavel Machek <pavel@suse.cz> said:
> In-Reply-To: <E128mRh-0007lU-00@the-village.bc.nu>; from Alan Cox on Thu, Jan 1
> ***3, 2000 at 03:45:56PM +0000

[...]

> > > b) The reuse of pids causes security problems.

> > No.. people cause security problems.

> Sorry, alan. No. Unix is broken with this part.

Sorry, Pavel. No system can be secure if it allows you to do something
interesting. If you screw up and misuse its features, it your fault.

I wonder what security risks you see in reusing pids. The idea of
generating temporary files using the pid is braindamaged, even gcc (where
there are no big security problems unless your system is _very_ broken wrt
/tmp) doesn't use it anymore (take a look at the wounderful names it uses
now for temporary files).

> You want to kill this emacs:
>
> pavel 209 1.6 5.2 5468 3212 3 S 22:03 0:00 emacs /tmp/mutt-bug-
> 2
>
> How do you do it?
>
>
> kill -9 209?
>
> But that's wrong. Pavel may have seen you are going to kill his emacs
> and may have wrapped pids, killed his emacs himself, and you are now
> killing _your_ netscape you've just ran.

So what? Pavel can shoot himself in the foot, big deal. root can do
incredibly stupid things like doing a ps(1), run a few random programs and
then kill(1) what ps(1) told half an hour ago. Right, there is a race
there, and root might end up killing the wrong program. So root has to be
careful, and not go on a killing spree, no change there.

> I'm currently searching for ways for process to be only able to kill
> processes it spawned (it is part of sandbox). There's no way to do it
> safely. Every time you have

Then run each sandbox with a different UID. That is the standard way of
limiting access in Unix.

-- 
Horst von Brand                             vonbrand@sleipnir.valparaiso.cl
Casilla 9G, Viņa del Mar, Chile                               +56 32 672616

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Sun Jan 23 2000 - 21:00:13 EST