[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Partial Solution to SUID Problems

To: Todd Burroughs <todd@hostopia.com>
Subject: Re: [Full-Disclosure] Partial Solution to SUID Problems
From: Markus Friedl <markus@openbsd.org>
Date: Sun, 7 Dec 2003 15:48:03 +0100

> On a server that you have shell access, you probably really need to add
> 'passwd' to the 'suid partitiion'.  You may need some other things,
> on some of our servers, I have 'ping' as well.

it's not really necessary to have passwd setuid.  
you just can write a passwd server process and the passwd(8)
just talks to this server via unix domain sockets.  the server
can use getpeereid(2) or a similar machanism to figure
out the uid of the connecting user (dugsong has implemented
this).

similar things can be done for ping (just used fd passing
to get a raw socket).

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] Partial Solution to SUID Problems
  - From: Brian Hatch <bri@ifokr.org>
- Re: [Full-Disclosure] Partial Solution to SUID Problems
  - From: Henning Brauer <hb-fulldisclosure@bsws.de>

References:
- Re: [Full-Disclosure] Partial Solution to SUID Problems
  - From: Ciro <domino@asgardnet.org>
- Re: [Full-Disclosure] Partial Solution to SUID Problems
  - From: Todd Burroughs <todd@hostopia.com>
- Re: [Full-Disclosure] Partial Solution to SUID Problems
  - From: Henning Brauer <hb-fulldisclosure@bsws.de>
- Re: [Full-Disclosure] Partial Solution to SUID Problems
  - From: Todd Burroughs <todd@hostopia.com>

Prev by Date: [Full-Disclosure] Internet Explorer JavaScript insecure function
Next by Date: Re: [Full-Disclosure] Partial Solution to SUID Problems
Previous by thread: Re: [Full-Disclosure] Partial Solution to SUID Problems
Next by thread: Re: [Full-Disclosure] Partial Solution to SUID Problems
Index(es):
- Date
- Thread