Would it make sense to add a suidpid() call?
This would be a privileged system call that would allow a non-privileged
program to request an suid change through any IPC mechanism we'd like
to allow it to use.
Imagine running popd, ftpd, login, su, sudo as "nobody" with no
SUID bits and having them talk to some sort of "setuserd" daemon --
passing their request and credentials to them through ???? (some secure IPC).
Then having the "setuserd" (or whatever we'd call it) able to grant that
request.
What would be a suitably secure IPC mechanism? We'd want this setuserd
or reference monitor to be able to "register" itself with the kernel
in some way -- to keep the actual authentication in userland but without
creating a hole whereby some random program could try to "become" the
authoriser.
If we had all that -- could a similar method be used to request access
to other privileged system calls or to other resources? Could we have
a mechanism where the requesting program essentially says:
I'd like this sort of access (read, write, append, execute)
to this file -- here's a "capability" or "token" for it.
... and have some other process authorize the access and grant the
access.
If we had a few primitives of this sort we might be able to have a
full featured "capabilities" subsystem running under Linux -- in such a
way as to permit many normal programs to run, unmodified, with the help
of some small wrappers.
Is any of this making any sense or am I blathering?
--
Jim Dennis (800) 938-4078 consulting@starshine.org
Proprietor, Starshine Technical Services: http://www.starshine.org
PGP 1024/2ABF03B1 Jim Dennis <jim@starshine.org>
Key fingerprint = 2524E3FEF0922A84 A27BDEDB38EBB95A
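As an added illustration of the "setuserd" design sketched in the post above (example code, not from the original message or any real implementation): a toy reference monitor that takes the requester's identity from the kernel-asserted peer credentials of a Unix socket rather than from the request body, checks it against a policy table, and hands back an HMAC token that the privileged side can verify before honouring the switch. The policy table, key, uids and wire format are constructed assumptions.

```python
import hashlib
import hmac
import os
import socket
import struct

# Constructed policy (an assumption, not from the post): requester uid -> uids it may become.
POLICY = {65534: {1000, 1001}}  # "nobody" may switch to two ordinary accounts

def peer_uid(sock):
    """Kernel-asserted uid of the peer on a Unix socket (Linux SO_PEERCRED)."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)
    return uid

class SetUserMonitor:
    """Toy "setuserd": sole holder of the token key; decides every request."""
    def __init__(self, key):
        self._key = key
    def _mac(self, requester, target, nonce):
        msg = struct.pack("!II", requester, target) + nonce
        return hmac.new(self._key, msg, hashlib.sha256).digest()
    def decide(self, requester, target, nonce):
        """Return a token if policy allows requester -> target, else None."""
        if target in POLICY.get(requester, set()):
            return self._mac(requester, target, nonce)
        return None
    def verify(self, requester, target, nonce, token):
        """What the privileged side checks before actually changing uid."""
        return hmac.compare_digest(self._mac(requester, target, nonce), token)
    def serve_one(self, conn, uid_of_peer=peer_uid):
        """Handle one request (4-byte target uid + 16-byte nonce) on conn."""
        (target,) = struct.unpack("!I", conn.recv(4))
        nonce = conn.recv(16)
        # Requester identity comes from the socket, never from the message body.
        token = self.decide(uid_of_peer(conn), target, nonce)
        conn.sendall(b"\x01" + token if token else b"\x00")

def request_switch(monitor, target, uid_of_peer=peer_uid):
    """Client side: ask to become `target`; returns (token or None, nonce)."""
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    nonce = os.urandom(16)
    client.sendall(struct.pack("!I", target) + nonce)
    monitor.serve_one(server, uid_of_peer)  # same process here; a daemon in reality
    reply = client.recv(64)
    client.close()
    server.close()
    return (reply[1:] if reply[:1] == b"\x01" else None), nonce
```

Because both ends run in one process here, the real SO_PEERCRED lookup would report your own uid; pass a stand-in `uid_of_peer` to simulate the unprivileged daemon.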