[future patch] dropping user privileges on demand

Peter Wemm peter at wemm.org
Wed Aug 20 22:44:03 PDT 2003


ari wrote:
> Currently, root is the only user that can actually drop significant
> privileges, as root is the only user that has access to such functions.
> This is flawed --- any user should be able to relinquish his privileges,
> and i've begun a patch to put this into effect.
> 
> However, the fact that this is a security-related kernel feature
> modification warrants peer-review, in both design and implementation.
> It would be unwise of me to create the patch without consulting such.
> 
> The web page that discusses the patch may be found at:
> 
>     http://www.episec.com/people/edelkind/patches/kernel/flowpriv/
> 
> I welcome any discussion and criticism.

The biggest risk is that you may have acquired something privileged in your
process memory space or file descriptor table.  If you are then fully
unprivileged, then things like ptrace(), core dumps, etc. become a minefield.
For example, if a process did a getpwnam() before dropping privs, then
it may have a cached copy of the secret master.passwd data in memory.

Anyway, that's something to keep in mind.

Cheers,
-Peter
--
Peter Wemm - peter at wemm.org; peter at FreeBSD.org; peter at yahoo-inc.com
"All of this is for nothing if we don't go to the stars" - JMS/B5
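As an added illustration of the risk Peter raises (example code, not part of the thread or the flowpriv patch), the C program below stands in for a daemon that copied a password hash into its own memory before relinquishing privileges, and shows the two portable steps a program can take first: scrub the copy and disable core dumps. The hash and buffer are constructed; platform-specific ptrace controls such as Linux's prctl(PR_SET_DUMPABLE, 0) are left out.

```c
/* Added example, not from the original thread. Simulates a process that
 * cached privileged data (a master.passwd hash) before dropping privileges,
 * and the clean-up a careful program does before the drop. */
#define _GNU_SOURCE   /* memmem() on glibc */
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

/* Constructed stand-in for a hash a getpwnam()-style lookup would return. */
static const char FAKE_HASH[] = "$6$constructed$notarealhash";

/* Zero memory in a way the compiler will not optimise away. */
static void scrub(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* 1 if the secret is still findable in the buffer: this is what a core
 * dump or a ptrace() attach on the now-unprivileged process would reveal. */
int secret_visible(const char *buf, size_t len) {
    return memmem(buf, len, FAKE_HASH, sizeof FAKE_HASH - 1) != NULL;
}

/* Clean-up to run before setgroups()/setgid()/setuid(). 0 on success. */
int prepare_for_privdrop(char *cached, size_t len) {
    struct rlimit rl = { 0, 0 };
    scrub(cached, len);                /* wipe the cached privileged data */
    if (setrlimit(RLIMIT_CORE, &rl))   /* no core file can be written later */
        return -1;
    return 0;
}

/* 1 if this process can no longer produce a core dump. */
int core_dumps_disabled(void) {
    struct rlimit rl;
    return getrlimit(RLIMIT_CORE, &rl) == 0 && rl.rlim_cur == 0;
}

int main(void) {
    char cached[64];
    snprintf(cached, sizeof cached, "pw:%s", FAKE_HASH); /* the cached copy */
    printf("before drop: %s\n", secret_visible(cached, sizeof cached)
           ? "secret still in memory" : "clean");
    prepare_for_privdrop(cached, sizeof cached);
    printf("after clean-up: %s, core dumps %s\n",
           secret_visible(cached, sizeof cached) ? "secret in memory" : "clean",
           core_dumps_disabled() ? "disabled" : "enabled");
    /* the real program would now change groups, gid and uid, in that order */
    return 0;
}
```

Note that getpwnam() itself hands back libc-owned static storage, so the part a program can scrub is only what it copied; the core-dump limit (and a ptrace control where the platform has one) is what covers the rest.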
