Calls which cross trust boundaries

Many of the security problems we've had to deal with recently have
been where one program invokes another when no good level of trust
exists between them.

Currently solutions to this requirement are produced on an ad-hoc
basis, usually involving set-id programs (often setuid root),
superuser daemons calling user programs for `upcalls', or both.

There are problems with this approach.  Unix processes inherit an
awful lot from their parent, making it difficult even for
security-aware programmers to write safe set-id code.  Daemons which
need to do something `as the user' have to be root most of the time,
so that they are able to gain access to the users' accounts.

I have for a while been thinking about a mechanism to help alleviate
this problem.  With it, it will no longer be necessary to give root
privilege to MTAs, cron and at, lpr (even with delayed copy out of
the user's filespace).  Most buffer overrun problems in programs like
`crontab' will no longer be security holes, and almost all of the rest
will only allow access to the subsystem in question and not lead to a
root compromise.  CGI programs can easily be made to run as something
other than the webserver user.

My scheme involves a daemon which runs as root, and a setuid-root
client program.  The client is invoked when a service of some kind is
required, and arguments to it specify which user is to supply the
service and which service is expected.  The client connects to the
daemon using an AF_UNIX socket and passes it the details of the
request.  The daemon reads a set of system and per-user configuration
files, decides whether to allow or deny the request, and if the
request is allowed invokes (as the `serving' user) the actual program
which is to provide the service (as specified in the configuration
files).

I/O is handled by setting up pipes which cross the security boundary.

Obviously the client and server need to be written carefully, but at
least the attention can be concentrated there.

I've written a specification for this facility, and am working on an
implementation.  The spec can be found at:
 ftp://ftp.chiark.greenend.org.uk/users/ijackson/userv/spec.sgml.gz
 http://www.chiark.greenend.org.uk/~ijackson/userv/spec.html/
 ftp://ftp.chiark.greenend.org.uk/users/ijackson/userv/spec.ps.gz
 ftp://ftp.chiark.greenend.org.uk/users/ijackson/userv/spec.text.gz
 ftp://ftp.chiark.greenend.org.uk/users/ijackson/userv/spec.textov.gz

Ian.
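The allow/deny decision and the "invoke as the serving user with pipes across the boundary" step described above, as an added example that is not part of the original message or of userv itself. The configuration format, the rule semantics (a system-level entry wins, and a system-level None is a deny the user cannot override), the program paths and the user names are all constructed assumptions, not userv's actual configuration language.

```python
import os
import pwd

ABSENT = object()   # no rule matched; distinct from None, which is an explicit deny

def lookup(rules, caller, service):
    """Match (caller, service) against rules; exact keys win over '*' wildcards."""
    for key in ((caller, service), ("*", service), (caller, "*"), ("*", "*")):
        if key in rules:
            return rules[key]
    return ABSENT

def decide(system_cfg, user_cfgs, caller, serving_user, service):
    """Return the program to run as serving_user, or None if the request is denied.
    system_cfg: {(caller, serving_user, service): program, or None for an explicit deny}
    user_cfgs:  {serving_user: {(caller, service): program}} (what each user offers)"""
    sys_rules = {(c, s): p for (c, u, s), p in system_cfg.items() if u == serving_user}
    verdict = lookup(sys_rules, caller, service)
    if verdict is not ABSENT:           # system config decides, user config cannot override
        return verdict
    verdict = lookup(user_cfgs.get(serving_user, {}), caller, service)
    return None if verdict is ABSENT else verdict

def run_as_user(program, args, serving_user):
    """Fork; the child drops to serving_user and execs program with stdin/stdout
    on pipes.  Returns (pid, fd to write to its stdin, fd to read its stdout).
    Only meaningful when the calling daemon is root."""
    pw = pwd.getpwnam(serving_user)
    in_r, in_w = os.pipe()
    out_r, out_w = os.pipe()
    pid = os.fork()
    if pid == 0:
        try:
            os.dup2(in_r, 0)
            os.dup2(out_w, 1)
            os.closerange(3, os.sysconf("SC_OPEN_MAX"))  # inherit no other descriptors
            os.initgroups(pw.pw_name, pw.pw_gid)   # groups, then gid, then uid: each step
            os.setgid(pw.pw_gid)                   # still has the privilege it needs
            os.setuid(pw.pw_uid)
            os.execve(program, [program] + list(args), {"PATH": "/usr/bin:/bin"})
        except OSError:
            pass
        os._exit(127)                              # never fall back into daemon code
    os.close(in_r)
    os.close(out_w)
    return pid, in_w, out_r

# Constructed sample configuration (paths and names are invented for illustration).
SYSTEM_CFG = {("*", "root", "*"): None,                    # nothing may be served by root
              ("*", "lp", "print"): "/usr/lib/lpr-backend"}
USER_CFGS = {"alice": {("www-data", "cgi"): "/home/alice/bin/cgi-wrapper"}}
```

A request outside both configurations (for example a caller asking alice for a service she never offered) is refused before any process is started, which is the point of concentrating the checking in one place.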