This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: Allowing users to change execvp's shell?


On Sun, Dec 16, 2012 at 11:14:47PM +0100, Ludovic Courtès wrote:
> >> There's the issue of setuid-root binaries.  Then again, I wonder if
> >> these should be using execvp at all in the first place.
> >
> > They can use it securely as long as they set $PATH first.
> 
> Yeah.
> 
> To me it sounds like: $GLIBC_SHELL would be a new loophole in addition
> to $PATH, but $PATH is a familiar one and people are used to fiddling
> with it.

Not only new but nonstandard. That's the problem. Do you expect every
program to be aware of the nonstandard security-compromising behavior
of every single system out there? That's why it's not acceptable to
add such security-compromising behavior.

> In general, authenticating programs based on their *name* seems highly
> suspicious to me.  That's certainly one of the reasons for depriving
> unprivileged users from the right to chroot(2) or mount(2).

Yes, the whole design of setuid binaries is fundamentally a mistake;
they should be replaced with non-suid binaries which operate by
communicating with a daemon that already has the appropriate
privileges. But now we're talking about imposing a policy to change
the (bad) status quo, and nobody has the authority to do that. Maybe
20 years from now when people have abandoned such stupid designs as
suid binaries it would be no problem to add such a feature, but glibc
has no business imposing such a change since the status quo, as
ill-designed as it is, does permit one to build secure systems as long
as the rules are followed.

Rich
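The point made above, that a setuid-root program can use execvp securely only if it sets $PATH itself first, as an added example in C (not code from this thread or from glibc; the TRUSTED_PATH value and the function names are assumptions for illustration):

```c
/* Added example, not from the thread or from glibc: a privileged program
 * that still wants execvp's PATH search replaces the caller-supplied
 * $PATH with a fixed, trusted one before calling it. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed trusted search path: absolute, root-owned directories only. */
#define TRUSTED_PATH "/usr/sbin:/usr/bin:/sbin:/bin"

/* Return 1 if every component of `path` is absolute and non-empty.
 * An empty component or a relative one (".", "bin") is searched relative
 * to the current directory, which a setuid program does not control. */
int path_is_trusted(const char *path)
{
    if (path == NULL || *path == '\0')
        return 0;
    const char *p = path;
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (len == 0 || p[0] != '/')
            return 0;          /* empty or relative component */
        if (colon == NULL)
            return 1;          /* last component checked */
        p = colon + 1;
    }
}

/* Install the fixed PATH, overwriting whatever the caller passed in.
 * Returns 0 on success, -1 (errno set) on failure, like setenv. */
int install_trusted_path(void)
{
    return setenv("PATH", TRUSTED_PATH, 1);
}

/* execvp wrapper for privileged code: the search never consults an
 * untrusted PATH. Like execvp, it only returns on failure. */
int execvp_trusted(const char *file, char *const argv[])
{
    if (install_trusted_path() != 0)
        return -1;
    return execvp(file, argv);
}

int main(void)
{
    const char *cur = getenv("PATH");
    printf("inherited PATH trusted: %d\n", path_is_trusted(cur));
    if (install_trusted_path() == 0)
        printf("PATH now: %s\n", getenv("PATH"));
    return 0;
}
```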

