Re: suid binaries on a user mounted file system
From: Thomas Bushnell, BSG
Subject: Re: suid binaries on a user mounted file system
Date: 07 May 2001 18:39:48 -0700
User-agent: Gnus/5.0803 (Gnus v5.8.3) Emacs/20.7
Roland McGrath <roland@frob.com> writes:
> > It has occurred to me: should suid binaries on a user mounted file system
> > be run as the owner of the filesystem?
>
> Yes, probably. Moreover, what it means to get the auth port for running a
> setuid binary should be the very same thing it means to get the auth port
> for running a translator.
No; they should default to nobody if they can't get the assigned IDs.
What should really happen... see below
> I think the reasonable thing to do is something like, try an auth_makeauth
> literally as requested; if that fails, try replacing the ids with the
> filesystem process's or underlying node's ids.
I think this is bad; it assumes that "setuid" means "get as many privs
as possible".
What should happen, of course, is the long-awaited "intersection"
models of getauth, where setuid on a non-root filesystem gives you an
auth port that represents the logical intersection of the two sets of
permissions.
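As an added illustration, not part of this thread or of the Hurd sources, here is a toy Python model of the three policies under discussion: falling back to the filesystem process's own ids when auth_makeauth fails, defaulting to nobody, and the intersection model. The `makeauth_allowed` rule (a process can only mint ids it already holds unless it holds uid 0), the single flat uid/gid sets, and the nobody uid 65534 are simplifying assumptions; real Hurd auth ports carry separate effective and available id sets.

```python
from dataclasses import dataclass
from typing import FrozenSet

ROOT_UID = 0
# Constructed placeholder for the "nobody" identity (assumption, not a Hurd constant).
NOBODY_IDS = None  # filled in below once Ids is defined


@dataclass(frozen=True)
class Ids:
    """Simplified auth-port contents: one set of uids and one set of gids."""
    uids: FrozenSet[int]
    gids: FrozenSet[int]


NOBODY_IDS = Ids(frozenset({65534}), frozenset({65534}))
EMPTY_IDS = Ids(frozenset(), frozenset())   # no ids at all


def makeauth_allowed(holder: Ids, requested: Ids) -> bool:
    """Model of the auth_makeauth rule: the holder may mint a new auth port
    only for ids it already has, unless it holds uid 0 (which may mint any)."""
    if ROOT_UID in holder.uids:
        return True
    return requested.uids <= holder.uids and requested.gids <= holder.gids


def run_setuid(policy: str, fs: Ids, requested: Ids) -> Ids:
    """Ids a setuid binary on a filesystem served with ids `fs` would run
    with, when the file asks for `requested`, under the named policy."""
    if makeauth_allowed(fs, requested):
        return requested            # all three policies honour a mintable request
    if policy == "fallback":        # "replace the ids with the filesystem process's"
        return fs
    if policy == "nobody":          # "default to nobody if they can't get the ids"
        return NOBODY_IDS
    if policy == "intersection":    # only what both the request and the fs hold
        return Ids(requested.uids & fs.uids, requested.gids & fs.gids)
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    # Constructed scenario: alice serves a user-mounted filesystem containing a
    # file marked setuid root; alice cannot mint uid 0, so the policies diverge.
    alice = Ids(frozenset({1000}), frozenset({100}))
    wants_root = Ids(frozenset({0}), frozenset({0}))
    for policy in ("fallback", "nobody", "intersection"):
        print(policy, run_setuid(policy, alice, wants_root))
```

The fallback policy hands the caller alice's identity although the file never asked for it, which is the "as many privs as possible" reading; the intersection policy yields an empty id set here and alice's id only where the file requests an id alice can actually grant.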