On 12/10/14 22:29, Svante Signell wrote:
> setuid has worked for ages. For example how many X servers have been
> compromised the last 30 years?

Apart from via <https://bugs.debian.org/689070>, <http://xforce.iss.net/xforce/xfdb/29832>, <https://blogs.oracle.com/alanc/entry/security_hole_in_xorg_6> and <http://lwn.net/Articles/579639/>? Those all appear to be separate vulnerabilities found within the last decade that affected Xorg on at least one platform. Others probably exist, but I think 4 are enough to prove my point.

If X were always started as root by *dm and never as an ordinary user by startx/xinit, and hence didn't need to be setuid, then the first 3 out of those 4 would not have affected X: the first one would have been a non-issue for X (although still relevant for other things), and the second and third would not even have existed.

setuid processes have a lot of attack surface: they run in an environment (environment variables, rlimit, etc.) that is controlled by their less-privileged caller. To not be exploitable, they need to be paranoid, and also make sure that either everything in their process space is designed to be equally paranoid, or they don't call into those libraries for the first time until they have ensured that their execution environment is safe.

The fewer setuid processes we can get away with having, the better.

S

Archive: https://lists.debian.org/543b01a5.5050...@debian.org
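As an added illustration of the "be paranoid before calling into libraries" point above (example code written for this page, not code from the thread, from Xorg or from any *dm), the prelude below scrubs the two caller-controlled inputs named in the message, the environment and the open file descriptors, before anything else runs; the function names and the allow-list are hypothetical.

```c
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Variables a setuid program may accept from its less-privileged caller.
 * Everything else (LD_PRELOAD, IFS, PATH, locale paths, ...) is dropped.
 * The list itself is a hypothetical choice for this example. */
static const char *const kept[] = { "TERM", "DISPLAY", NULL };

/* Keep a caller-supplied "NAME=value" only if NAME is on the allow-list and
 * the value contains no control characters. Returns 1 to keep, 0 to drop. */
int env_entry_allowed(const char *entry) {
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry) return 0;          /* malformed entry */
    size_t n = (size_t)(eq - entry);
    for (const char *p = eq + 1; *p; p++)
        if ((unsigned char)*p < 0x20 || *p == 0x7f) return 0;
    for (int i = 0; kept[i]; i++)
        if (strlen(kept[i]) == n && strncmp(kept[i], entry, n) == 0) return 1;
    return 0;
}

/* Copy allowed entries from envp into out (NULL-terminated, at most cap-1).
 * Returns the number of entries kept. Run this before any library can
 * call getenv() on the caller's values. */
size_t filter_environment(char *const *envp, char **out, size_t cap) {
    size_t n = 0;
    for (; *envp && n + 1 < cap; envp++)
        if (env_entry_allowed(*envp)) out[n++] = *envp;
    out[n] = NULL;
    return n;
}

/* A caller can close fds 0-2 before exec, so the first privileged file the
 * program opens would land on stdin/stdout/stderr and later be written to by
 * ordinary error reporting. Point any closed std fd at /dev/null first.
 * Returns how many std fds had to be repaired. */
int ensure_std_fds(void) {
    int fixed = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1) continue;       /* already open */
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd < 0) _exit(1);                        /* cannot make it safe */
        if (nfd != fd) { if (dup2(nfd, fd) != fd) _exit(1); close(nfd); }
        fixed++;
    }
    return fixed;
}

int main(int argc, char **argv, char **envp) {
    (void)argc; (void)argv;
    char *clean[16];
    ensure_std_fds();                       /* before anything touches stderr */
    filter_environment(envp, clean, 16);    /* before any library reads getenv() */
    /* only now call into libraries; drop privileges as soon as they are not needed */
    return 0;
}
```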