Re: Changing uid of another process?

Roger Espel Llima (espel@iAgora.com)
Mon, 13 Jul 1998 11:01:22 -0400


In linux-kernel-digest, bofh@diegeekdie.com wrote:
> On Sat, Jul 11, 1998 at 05:59:33AM +0200, Rik van Riel wrote:
> > Passing credentials by means of a Unix domain socket would
> > open up such an awful lot of security holes that we'd be
> > better off having just PID identification :)
>
> Please tell us about them.
>
> I've been thinking about this and I really can't find out how that is
> supposed to happen. In order to receive a file descriptor you have to tell
> recvmsg that you want to receive one. In order to receive the credentials
> you would have to say that you want to receive them. No existing program
> does say so today so they wouldn't be affected.

Right. There wouldn't be any _new_ security holes as long as no code
used the new interface (I'm assuming here that no existing safe code
could be tricked into using it, which seems reasonable).

The questions then are:
1) would this new interface serve some useful purpose, and
2) would it encourage safe programming? (unlike, say, the suid feature)

I'd say "yes" to both: it would be useful in that it would allow having
a centralized authorization daemon that would hand out privileges to
programs, and it would encourage safe programming, in that the privileges
are not there from the beginning.

And, since 2.1 is moving toward capabilities, rather than just passing UIDs
this method should also be able to pass capabilities, and that _only_ if
the receiving process has the capability to receive them, and the sending
process has the capability to send them.

-- 
Roger Espel Llima, espel@llaic.u-clermont1.fr
http://www.eleves.ens.fr:8080/home/espel/index.html
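The opt-in behaviour the thread describes (the receiver must explicitly ask for credentials, so existing programs that never ask are unaffected) is what Linux's SO_PASSCRED/SCM_CREDENTIALS interface does. The following is an added example, not code from this thread or from the kernel: one process creates a socketpair, the sending side attaches its own identity as an SCM_CREDENTIALS ancillary message (the kernel refuses forged values from an unprivileged sender), and the receiving side only sees the credentials when it has both set SO_PASSCRED and supplied a control buffer to recvmsg. The function name exchange_credentials and its return codes are this example's own choice.

```c
#define _GNU_SOURCE          /* struct ucred, SO_PASSCRED, SCM_CREDENTIALS (Linux) */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper for this example.
 * Returns  1 if SCM_CREDENTIALS arrived and match the sending process,
 *          0 if the payload arrived but no credentials were delivered,
 *         -1 if a system call failed or the credentials did not match. */
int exchange_credentials(int receiver_opts_in)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    int sender = sv[0], receiver = sv[1];
    int result = -1;

    /* The receiver decides whether it wants credentials at all. */
    if (receiver_opts_in) {
        int one = 1;
        if (setsockopt(receiver, SOL_SOCKET, SO_PASSCRED, &one, sizeof one) < 0)
            goto out;
    }

    /* Sender: one byte of payload plus an explicit SCM_CREDENTIALS cmsg carrying
     * its own pid/uid/gid. The kernel checks these against the caller; values
     * that do not match are rejected unless the sender holds the relevant capability. */
    char payload = 'x';
    struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
    union { struct cmsghdr align; char buf[CMSG_SPACE(sizeof(struct ucred))]; } sbuf;
    memset(&sbuf, 0, sizeof sbuf);
    struct msghdr smsg = { .msg_iov = &iov, .msg_iovlen = 1,
                           .msg_control = sbuf.buf, .msg_controllen = sizeof sbuf.buf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&smsg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type  = SCM_CREDENTIALS;
    cm->cmsg_len   = CMSG_LEN(sizeof(struct ucred));
    struct ucred mine = { .pid = getpid(), .uid = getuid(), .gid = getgid() };
    memcpy(CMSG_DATA(cm), &mine, sizeof mine);
    if (sendmsg(sender, &smsg, 0) != 1)
        goto out;

    /* Receiver: a control buffer is offered, but the kernel only fills it with
     * SCM_CREDENTIALS if SO_PASSCRED is set on this socket. */
    char rpayload;
    struct iovec riov = { .iov_base = &rpayload, .iov_len = 1 };
    union { struct cmsghdr align; char buf[CMSG_SPACE(sizeof(struct ucred))]; } rbuf;
    memset(&rbuf, 0, sizeof rbuf);
    struct msghdr rmsg = { .msg_iov = &riov, .msg_iovlen = 1,
                           .msg_control = rbuf.buf, .msg_controllen = sizeof rbuf.buf };
    if (recvmsg(receiver, &rmsg, 0) != 1)
        goto out;

    result = 0;  /* payload received; assume no credentials until we find them */
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&rmsg); c != NULL; c = CMSG_NXTHDR(&rmsg, c)) {
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_CREDENTIALS) {
            struct ucred peer;
            memcpy(&peer, CMSG_DATA(c), sizeof peer);
            /* Both ends are this process, so the kernel-vouched identity must be ours. */
            result = (peer.pid == getpid() && peer.uid == getuid() &&
                      peer.gid == getgid()) ? 1 : -1;
        }
    }
out:
    close(sender);
    close(receiver);
    return result;
}

int main(void)
{
    printf("receiver opted in (SO_PASSCRED): %d\n", exchange_credentials(1));
    printf("receiver did not opt in:         %d\n", exchange_credentials(0));
    return 0;
}
```

Build with `cc -o creds creds.c` on Linux; the first call reports 1 (credentials delivered and verified by the kernel), the second reports 0 (same payload, no credentials), which is the "no existing program would be affected" property the thread relies on. A privilege-handing daemon built on this would key its decisions off the kernel-filled ucred, never off any uid the client writes into the payload itself.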
