Signal security

Pavel Machek (pavel@elf.ucw.cz)
Tue, 19 May 1998 22:07:23 +0200


Hi!

On Linux, any user may kill a setuid program he ran with any signal. I
think that this is dangerous:

Consider a user running passwd, waiting for just the right moment, and then
killing passwd with SIGKILL (which it cannot block). There was even
talk about that on bugtraq: they used it to simulate a flood ping
without needing uid==0:

while [ true ]; do killall -14 ping; done

I'm afraid that there are more "creative" ways to use this feature.

BSD solved this by only allowing you to send certain signals (those
generated from the keyboard) to programs with a different euid but the
same real uid.

I took a look at kernel/signal.c - it is understandable, but as this is
a really security-sensitive area, I'm asking first.

Pavel

-- 
I'm really pavel@atrey.karlin.mff.cuni.cz. 	   Pavel
Look at http://atrey.karlin.mff.cuni.cz/~pavel/ ;-).
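
The BSD-style rule described in the message, modelled as a userspace permission check (an added example, not part of the original message and not code from any kernel). The struct, the function names, the root shortcut and the exact set of "keyboard" signals (SIGINT, SIGQUIT, SIGTSTP) are assumptions made for illustration.

```c
#include <signal.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Simplified credentials (hypothetical struct; saved uid is ignored). */
struct cred {
    uid_t ruid;  /* real uid: who started the process */
    uid_t euid;  /* effective uid: differs from ruid in a setuid program */
};

/* Assumption: "generated from keyboard" means the signals a terminal
 * sends for ^C, ^\ and ^Z. The message does not list them. */
static bool keyboard_signal(int sig)
{
    return sig == SIGINT || sig == SIGQUIT || sig == SIGTSTP;
}

/* Returns true if `sender` may deliver `sig` to `target` under the
 * rule described in the message. */
bool may_signal(const struct cred *sender, const struct cred *target, int sig)
{
    if (sender->euid == 0)
        return true;                  /* assumption: root may signal anything */
    if (sender->euid == target->euid)
        return true;                  /* ordinary same-user case */
    if (sender->ruid == target->ruid)
        return keyboard_signal(sig);  /* setuid program the user started */
    return false;                     /* unrelated process */
}

/* Constructed sample: uid 1000 runs a setuid-root program. */
static const struct cred user_shell   = { 1000, 1000 };
static const struct cred setuid_child = { 1000, 0 };
static const struct cred own_child    = { 1000, 1000 };
static const struct cred other_user   = { 1001, 1001 };

int main(void)
{
    printf("SIGINT  -> setuid child: %d\n", may_signal(&user_shell, &setuid_child, SIGINT));
    printf("SIGKILL -> setuid child: %d\n", may_signal(&user_shell, &setuid_child, SIGKILL));
    printf("SIGALRM -> setuid child: %d\n", may_signal(&user_shell, &setuid_child, SIGALRM));
    printf("SIGKILL -> own child:    %d\n", may_signal(&user_shell, &own_child, SIGKILL));
    printf("SIGINT  -> other user:   %d\n", may_signal(&user_shell, &other_user, SIGINT));
    return 0;
}
```

Under this model, both SIGKILL against a running setuid program and the signal 14 (SIGALRM) loop quoted above are refused, while ^C still works.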
