Simon Ruderich <he29h...@stud.informatik.uni-erlangen.de> writes:

> On Fri, Jun 10, 2016 at 10:47:16AM -0700, Russ Allbery wrote:

>> I'm too nervous about the many possible attack approaches to setuid
>> binaries to be entirely comfortable with this approach. My tentative
>> thought about the right way to approach this was to instead add a
>> daemon that listens on a UNIX domain socket for validation requests and
>> replies with simple success or failure. That sort of oracle should be
>> okay to expose to the rest of the system, and running it as a separate
>> daemon will remove the security concerns about setuid.

> What possible attack approaches are you thinking of?

There are numerous attacks on setuid binaries in general if they access
any sort of resource, file descriptors, etc. It's very, very complicated
to get all the details right. I don't particularly want to take on the
ongoing maintenance burden of a secure setuid program.

Using a separate daemon with a simple communication method is the
commonly-recommended alternative, since then you only have to harden the
interface by which other programs talk to it.

-- 
Russ Allbery (r...@debian.org)              <http://www.eyrie.org/~eagle/>
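The "daemon on a UNIX domain socket that answers success or failure" design Russ sketches, as an added example that is not code from this thread or from any Debian package. Everything concrete in it is an assumption made for illustration: the one-line `VERIFY <token>` request format, the `validate()` rule (a stand-in for whatever privileged lookup the real daemon would perform), the socket path and the `MAX_REQUEST` cap. What it does show is the small attack surface the separate-daemon approach leaves you to harden: one bounded, framed request per connection, a read timeout, a single failure reply that carries no detail, internal errors mapped to `FAIL`, a socket created under a restrictive umask, and (on Linux) `SO_PEERCRED` as the daemon's replacement for the `getuid()` a setuid program would have used to learn who is asking.

```python
"""Minimal validation-oracle daemon over a UNIX domain socket (added example;
request format, validate() rule, socket path and size cap are assumptions)."""
import os
import socket
import struct
import tempfile
import threading

MAX_REQUEST = 256          # hard cap on bytes read from one client
REPLY_OK = b"OK\n"
REPLY_FAIL = b"FAIL\n"     # one failure code: nothing about *why* it failed


def validate(request: bytes) -> bool:
    """Hypothetical check standing in for the daemon's privileged lookup:
    a request is valid iff it is exactly 'VERIFY <token>' with the right token."""
    parts = request.split(b" ")
    return len(parts) == 2 and parts[0] == b"VERIFY" and parts[1] == b"secret-token"


def peer_uid(conn: socket.socket):
    """Linux-only: identify the caller from the kernel (pid, uid, gid) record.
    Returns None where SO_PEERCRED is unavailable."""
    try:
        creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                                struct.calcsize("3i"))
        return struct.unpack("3i", creds)[1]
    except (AttributeError, OSError):
        return None


def handle_client(conn: socket.socket) -> None:
    """Read one newline-terminated request of at most MAX_REQUEST bytes,
    answer OK or FAIL, close. Nothing here may propagate an exception."""
    with conn:
        conn.settimeout(2.0)               # a stalled client cannot pin the daemon
        buf = b""
        try:
            while len(buf) <= MAX_REQUEST and not buf.endswith(b"\n"):
                chunk = conn.recv(MAX_REQUEST + 1 - len(buf))
                if not chunk:
                    break
                buf += chunk
        except OSError:
            return
        # Oversized or unterminated input is rejected before it is parsed.
        if len(buf) > MAX_REQUEST or not buf.endswith(b"\n"):
            reply = REPLY_FAIL
        else:
            try:
                reply = REPLY_OK if validate(buf[:-1]) else REPLY_FAIL
            except Exception:
                reply = REPLY_FAIL         # internal error looks like any other failure
        try:
            conn.sendall(reply)
        except OSError:
            pass


def serve(path: str, ready: threading.Event, stop: threading.Event) -> None:
    """Accept loop. The socket file is created 0660 via a restrictive umask,
    so only the daemon's group can even connect."""
    old_umask = os.umask(0o117)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(path)
    finally:
        os.umask(old_umask)
    srv.listen(8)
    srv.settimeout(0.2)                    # lets the loop notice `stop`
    ready.set()
    with srv:
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            _ = peer_uid(conn)             # available to policy; unused in this demo
            handle_client(conn)


def ask_oracle(path: str, request: bytes) -> bytes:
    """Client side: one request, one reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.settimeout(2.0)
        c.connect(path)
        c.sendall(request)
        return c.recv(16)


def demo() -> dict:
    """Start the daemon on a throwaway socket and exercise three cases."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "oracle.sock")
    ready, stop = threading.Event(), threading.Event()
    t = threading.Thread(target=serve, args=(path, ready, stop), daemon=True)
    t.start()
    ready.wait(2.0)
    try:
        return {
            "good": ask_oracle(path, b"VERIFY secret-token\n"),
            "bad": ask_oracle(path, b"VERIFY wrong\n"),
            "oversized": ask_oracle(path, b"A" * 1024 + b"\n"),
        }
    finally:
        stop.set()
        t.join(2.0)
        os.unlink(path)
        os.rmdir(tmp)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `OK` for the well-formed request and `FAIL` for both the wrong token and the oversized input; the oversized case never reaches `validate()` at all. Compared with a setuid binary, the only things an untrusted caller controls here are the connection and at most `MAX_REQUEST` bytes, which is the "interface by which other programs talk to it" that remains to be hardened.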