Re: killing setuid programs
From: Samuel Thibault
Subject: Re: killing setuid programs
Date: Tue, 29 Aug 2006 21:10:14 +0200
User-agent: Mutt/1.5.12-2006-07-14

Thomas Bushnell BSG wrote on Tue 29 Aug 2006 11:58:43 -0700:
> Samuel Thibault <samuel.thibault@ens-lyon.org> writes:
>
> > Roland McGrath wrote on Mon 28 Aug 2006 17:34:24 -0700:
> >> It sounds like you are describing the intended behavior.
> >> You can't send a signal to a setuid program with kill.
> >
> > For a process to have permission to send a signal to a process designated
> > by pid, unless the sending process has appropriate privileges, the real or
> > effective user ID of the sending process shall match the real or saved
> > set-user-ID of the receiving process.
> >
> > And setuid programs keep the real user ID set to Joe user's, so that Joe
> > user can kill the program he launches.
>
> This is not quite correct.
>
> Most setuid programs do *not* keep the real user ID alone; instead,
> they explicitly change it to match the effective user ID. This is
> important.

Setuid programs themselves might, yes. But the system mustn't change
it itself (Hurd's proc correctly doesn't). Because some programs other
than passwd (an X server for instance) need to be killable by the very
user that started it (via xinit).

> If the "passwd" program could be interrupted at will by
> its caller, for example, then it might leave an incompletely written
> and locked password file around.

Agreed. But POSIX says (and some setuid programs rely on this) that by
default, a setuid program can be killed by the user who launched it.

Samuel
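
The two cases argued over in this message, worked through as an added example that is not part of the original thread: a model of the credential triple across exec of a set-user-ID file, an optional setuid() call by the program, and the kill() rule quoted above. The uid 1000, the root-owned binary, the helper names and the treatment of euid 0 as "appropriate privileges" are assumptions of the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model of a process's POSIX credential triple; no syscalls are made. */
struct cred { unsigned ruid, euid, suid; };

/* exec of a set-user-ID file owned by `owner`: effective and saved IDs
 * become the owner; the system leaves the real ID alone. */
static struct cred exec_setuid(struct cred c, unsigned owner)
{
    c.euid = c.suid = owner;
    return c;
}

/* setuid(uid): with appropriate privileges (assumed here: euid 0) all three
 * IDs change; otherwise only euid, and only to the real or saved ID. */
static struct cred do_setuid(struct cred c, unsigned uid)
{
    if (c.euid == 0)
        c.ruid = c.euid = c.suid = uid;
    else if (uid == c.ruid || uid == c.suid)
        c.euid = uid;
    return c;
}

/* The kill() permission rule quoted in the thread. */
static bool may_signal(struct cred sender, struct cred target)
{
    if (sender.euid == 0)   /* assumed meaning of "appropriate privileges" */
        return true;
    return sender.ruid == target.ruid || sender.ruid == target.suid ||
           sender.euid == target.ruid || sender.euid == target.suid;
}

/* Constructed scenario: uid 1000 launches a root-owned set-user-ID binary. */
static bool user_can_kill(bool program_changes_real_uid)
{
    struct cred joe = { 1000, 1000, 1000 };
    struct cred prog = exec_setuid(joe, 0);
    if (program_changes_real_uid)
        prog = do_setuid(prog, 0);
    return may_signal(joe, prog);
}

int main(void)
{
    printf("real uid kept: %d, real uid changed: %d\n",
           user_can_kill(false), user_can_kill(true));
    return 0;
}
```

A program that leaves its real ID alone stays killable by the launching user; one that calls setuid(0) while privileged moves all three IDs and is no longer matched by the rule.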