From mboxrd@z Thu Jan 1 00:00:00 1970 X-Msuck: nntp://news.gmane.org/gmane.linux.lib.musl.general/5218 Path: news.gmane.org!not-for-mail From: Rich Felker Newsgroups: gmane.linux.lib.musl.general Subject: Re: musl 1.0.x branch Date: Tue, 10 Jun 2014 13:37:39 -0400 Message-ID: <20140610173739.GM179@brightrain.aerifal.cx> References: <20140606175617.GA3914@brightrain.aerifal.cx> <20140609112352.1e7ad51e@ncopa-desktop.alpinelinux.org> <20140609200830.GK179@brightrain.aerifal.cx> <20140610094351.GE20596@example.net> <20140610160356.GL179@brightrain.aerifal.cx> <5397376B.3000300@skarnet.org> Reply-To: musl@lists.openwall.com NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Trace: ger.gmane.org 1402421882 9827 80.91.229.3 (10 Jun 2014 17:38:02 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Tue, 10 Jun 2014 17:38:02 +0000 (UTC) To: musl@lists.openwall.com Original-X-From: musl-return-5223-gllmg-musl=m.gmane.org@lists.openwall.com Tue Jun 10 19:37:55 2014 Return-path: Envelope-to: gllmg-musl@plane.gmane.org Original-Received: from mother.openwall.net ([195.42.179.200]) by plane.gmane.org with smtp (Exim 4.69) (envelope-from ) id 1WuPzd-0005SV-19 for gllmg-musl@plane.gmane.org; Tue, 10 Jun 2014 19:37:53 +0200 Original-Received: (qmail 3648 invoked by uid 550); 10 Jun 2014 17:37:51 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: Original-Received: (qmail 3640 invoked from network); 10 Jun 2014 17:37:51 -0000 Content-Disposition: inline In-Reply-To: <5397376B.3000300@skarnet.org> User-Agent: Mutt/1.5.21 (2010-09-15) Original-Sender: Rich Felker Xref: news.gmane.org gmane.linux.lib.musl.general:5218 Archived-At: On Tue, Jun 10, 2014 at 05:50:51PM +0100, Laurent Bercot wrote: > On 10/06/2014 17:03, Rich Felker wrote: > > >FYI you can emulate the usefulness of suid, without the danger, by > >having a daemon on a unix socket that you connect to which provides > >the functionality. This is a vastly superior design because there is > >exactly one input channel to the code running with elevated privileges > >(the socket) as opposed to unboundedly many (environment, open fds, > >resource limits, working directory, priority, signal mask and > >dispositions, cpu affinity, ... and whatever else the kernel folks add > >in the future). > > And now there are even programs designed to help you do exactly that: > http://skarnet.org/software/s6-networking/s6-sudo.html > (Shameless plug of the day: achieved) > > However, despite being a good solution for noninteractive programs, the > unix socket mechanism isn't perfect. There are a lot of things it cannot > transmit without significant trouble - in particular terminals and > everything job-control-related, and signals, etc. I've done quite a bit > of thinking while writing s6-sudo, and my conclusion was that it's a > daunting task to get everything working properly with programs that > need a terminal; it would require ugly wrappers à la ptyget, and more. > I'm not convinced it's even worth trying, as opposed to tackling the > existing terminal-using privilege-granting programs and kicking the > suid out of them. Sending the terminal fd over a socket with SCM_RIGHTS isn't sufficient? If the privileged process has root, it should be able to add itself to the process group of the client so that job control, terminal signals, etc. work right. Of course from a security standpoint it's better to put the UI that uses the terminal in the client-side anyway, and limit the amount of logic in the privileged server-side, but this is a good deal of extra refactoring/redesign work if you have legacy applications. Rich