This is the mail archive of the libc-hacker@sourceware.cygnus.com mailing list for the glibc project.



Re: dumb question


Zack Weinberg <zack@rabi.phys.columbia.edu> writes:
> 
> The only part of the existing implementation that I am really opposed
> to is the part where the superuser can lie about his identity.  That
> makes the entire arrangement untrustworthy.  A subverted set-id
> program can impersonate any user.  (I am thinking particularly of a
> mail daemon that uses SCM_CREDS to put an unforgeable sender label on
> outgoing mail.)  On the flip side, the possible utility in being able
> to forge SCM_CREDS is minimal to nonexistent.

This would give a false feeling of security. The superuser can just switch
uids (remember, he can do everything login does!) and then send the message.

It would make sense if we had LIDs (unique IDs assigned per login that
cannot be changed) to pass them always, but even then the superuser
could write into /dev/kmem and change it.

-Andi 

