Rainer Weikusat
2020-09-11 13:06:56 UTC
Something which just occurred to me while coming up with a secure way a
setuid program can use to communicate something to the (unprivileged)
process which executed it:
Due to "Modern !!1"-disease, a setuid program running on Linux cannot
safely use any file descriptors it might have inherited. That's because
file system entities, specifically, /dev/net/tun (at least), exist which
can be opened by any unprivileged user despite said user not being allowed
to perform any operations beyond open/close on them. This is to be
enforced with capability checks performed at the time of the
operation. And if the file descriptor was inherited by a setuid process,
this process may be able to perform operations the process which
executed it wasn't allowed to perform.
[distant sound of egg smashing into someone's face --- don't believe
you're wiser than anybody else as you very probably aren't ...]