From mboxrd@z Thu Jan 1 00:00:00 1970 X-Msuck: nntp://news.gmane.org/gmane.linux.lib.musl.general/7302 Path: news.gmane.org!not-for-mail From: u-wsnj@aetey.se Newsgroups: gmane.linux.lib.musl.general Subject: Re: Re: Busybox on musl is affected by CVE-2015-1817 Date: Wed, 1 Apr 2015 10:49:40 +0200 Message-ID: <20150401084940.GO23636@example.net> References: <20150330053150.GA484@brightrain.aerifal.cx> <20150331234810.GN6817@brightrain.aerifal.cx> <20150401074116.GN23636@example.net> <551BA847.3040609@gmx.de> Reply-To: musl@lists.openwall.com NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Trace: ger.gmane.org 1427878228 30467 80.91.229.3 (1 Apr 2015 08:50:28 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Wed, 1 Apr 2015 08:50:28 +0000 (UTC) To: musl@lists.openwall.com Original-X-From: musl-return-7315-gllmg-musl=m.gmane.org@lists.openwall.com Wed Apr 01 10:50:27 2015 Return-path: Envelope-to: gllmg-musl@m.gmane.org Original-Received: from mother.openwall.net ([195.42.179.200]) by plane.gmane.org with smtp (Exim 4.69) (envelope-from ) id 1YdELy-0001EA-38 for gllmg-musl@m.gmane.org; Wed, 01 Apr 2015 10:50:26 +0200 Original-Received: (qmail 3590 invoked by uid 550); 1 Apr 2015 08:50:24 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: Original-Received: (qmail 3569 invoked from network); 1 Apr 2015 08:50:23 -0000 X-T2-Spam-Status: No, hits=0.8 required=5.0 tests=BAYES_50 Received-SPF: none receiver=mailfe09.swip.net; client-ip=5.196.105.229; envelope-from=u-wsnj@aetey.se Content-Disposition: inline In-Reply-To: <551BA847.3040609@gmx.de> Xref: news.gmane.org gmane.linux.lib.musl.general:7302 Archived-At: Hi Harald, On Wed, Apr 01, 2015 at 10:11:51AM +0200, Harald Becker wrote: > There is a big difference if you talk about suid > *root* programs or other suid usage. > > The former is definitely very dangerous and should be used with extreme care > (I think this is the case we are talking about), the later use may even be > used to drop privileges (not to raise), or to temporarily hop to the You are right about a remarkable difference between suid root and suid somethingelse, just because root has the very special role in Unix. Besides root vs non-root I doubt there is any clear line between "raising" and "dropping" privileges, you replace one set of allowed operations by a different one, that's it. Note that root does not need suid to drop its privileges. > privileges of a different user (may be allowing access to some files only by > using specific commands). As soon as a program is setuid it has to be written for the purpose of very reliably checking and limiting what it does on behalf of who, independently of how it can potentially be invoked "out of context". This is known to be hard, I believe it is harder to do reliably than e.g. issue a request to a daemon - talking about the complexity level. Thus the setuid program is to be designed to be as small as possible, presumably leaving all non-checking functions to (a) different executable(s). Then the result becomes about as intricate as talking to a daemon, which can be run without any setuid. > When used with care and as intended, suid and sgid is a nice feature, but Unfortunately I can not really appreciate its beauty which appears to hide the complexity and/or move it to other parties (like the dynamic linker or the software maintenance infrastructure). Yes it "looks simple and efficient" but is it, really? > nowadays there are too many Unix novices, who misunderstand or misuse this, > punching big holes in every security concern. Unfortunately even seasoned gurus easily create / fail to notice holes! :( Rune