Re: [PATCH 3/3] Use reverse authenticating ioctl-handler protocal
From: olafBuddenhagen
Subject: Re: [PATCH 3/3] Use reverse authenticating ioctl-handler protocal
Date: Mon, 31 Aug 2009 19:10:34 +0200
User-agent: Mutt/1.5.19 (2009-01-05)

Hi,

On Wed, Aug 26, 2009 at 04:45:39PM +0200, Carl Fredrik Hammar wrote:
> + err = EACCES;
> + euid = geteuid ();
> + for (i = 0; i < euids_len; i++)
> + if (euids[i] == euid || euids[i] == 0)
> + err = 0;
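Review bot: the test `euids[i] == euid` compares the sender's `euids` against the single value returned by `geteuid ()`, so one matching entry is enough to clear `EACCES` even if this process holds further user IDs the sender does not have; consider checking every ID the receiver holds against `euids`. The loop also keeps iterating after `err = 0` is set, so a `break` there would state the intent, and the `euids[i] == 0` case deserves a short comment saying why root is accepted unconditionally.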
This is not sufficient: privileges of the module are not escalated only
if the sender has access to *all* our user IDs, not just the current
one.

Also, there is no point going on with the loop once you found what you
are looking for :-)

BTW, I wonder whether it's necessary to special-case root on the
receiver's side: in theory, a sender having root privileges can
fabricate any IDs the receiver wants to see. Not sure whether this
approach is preferable though: it is more flexible -- but also requires
a more complicated protocol, and I think it's less consistent with the
root handling in other parts of the Hurd...

-antrik-
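The stricter check asked for in this reply, as an added example that is not part of the original message or of the patch: the sender is accepted only if it is root or holds every user ID the receiver holds. The name `check_sender_ids` and its array parameters are hypothetical; how the receiver collects its own ID set is assumed to happen elsewhere.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>

/* True if `id` occurs in `set`; returns at the first match instead of
   scanning the rest of the array.  */
static bool
id_in_set (uid_t id, const uid_t *set, size_t len)
{
  for (size_t i = 0; i < len; i++)
    if (set[i] == id)
      return true;
  return false;
}

/* Hypothetical helper (not from the patch): decide whether a handler
   offered by a sender authenticated with `sender_ids` may run in a
   receiver holding `own_ids`.  Returns 0 if the sender is root or holds
   every ID the receiver holds, EACCES otherwise.  */
int
check_sender_ids (const uid_t *sender_ids, size_t sender_len,
                  const uid_t *own_ids, size_t own_len)
{
  /* Root special case, kept as in the quoted hunk.  */
  if (id_in_set (0, sender_ids, sender_len))
    return 0;

  /* Subset test: one receiver ID missing from the sender's set means the
     handler would gain a privilege the sender does not have.  A receiver
     with no IDs has nothing to escalate, so the loop passes vacuously.  */
  for (size_t i = 0; i < own_len; i++)
    if (!id_in_set (own_ids[i], sender_ids, sender_len))
      return EACCES;

  return 0;
}
```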