Bill Jonas on Wed, 19 Jun 2002 11:02:48 +0200
On Tue, Jun 18, 2002 at 11:40:54AM -0400, gabriel rosenkoetter wrote:

> Having the suid bit set is DRASTICALLY different than being "always
> run by root". The whole point of the suid bit is that little pieces
> of what a given program does need to be done as root but that the
> vast majority of it need not be and, thus, isn't.

Yes, but the program still effectively (no pun intended) runs as root, and it has to explicitly drop privileges once it accomplishes what it needed root privileges to accomplish.

> (The point of the suid bit is NOT to give root privilege selectively
> to users, though it's often used that way by bonehead admins.)

Yes, but consider this: probably a year or so ago I was looking around for an identd to run on my (then) OpenBSD firewall that had functionality like midentd (a masquerading identd), which only runs on Linux, to my knowledge. So I decided to write my own. The problem was that I didn't want my own code running as root, even though (or especially?) I was going to be writing it in (a "safe" language like) Perl. I also didn't feel like attempting to parse the appropriate memory structures, especially since there was a command (forget which one, but it was definitely part of the ipf suite, if not an ipf command-line option) that would show established, NAT'd connections.

My idea was to use a small C wrapper to exec the command, owned by root and some group and mode 1750 or 1710, to execute the command, use my Perl program running as that same group to execute the wrapper and parse the results, then connect back to the (internal) machine which had established the connection and query it for the ident information, then pass that back to the (external) machine which was querying me.

Well, perhaps I'm agreeing with you, after all. ;)

(Side note: I wound up not doing this and just used nullidentd instead.)
-- 
Bill Jonas * bill@billjonas.com * http://www.billjonas.com/
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin
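The two ideas in the message above, a fixed-purpose setuid-root wrapper that an unprivileged daemon may execute, and a program that drops root irrevocably once its privileged step is done, as an added example in C. This is not Bill Jonas's code and not part of the original thread. Everything in it is assumed: `CMD_PATH` is a placeholder because the post does not name the ipf command, the function names are invented, and `check_wrapper_mode` assumes the setuid bit (04000) on top of the owner/group bits the post describes, since the wrapper cannot gain root without it.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Placeholder: the absolute path of the single root-only command the wrapper
 * is allowed to run (the thread does not name the ipf command, so none is
 * assumed here). Fixed at compile time so the unprivileged caller chooses nothing. */
#define CMD_PATH "/path/to/nat-listing-command"

/* Sanity check on the wrapper's own permission bits, as an installer or the
 * calling daemon might apply it to st_mode from stat(2): setuid must be set,
 * nobody outside owner and group may touch it, and the group must not be
 * able to replace the binary. Returns 1 when the mode is acceptable. */
int check_wrapper_mode(mode_t m)
{
    if (!(m & S_ISUID)) return 0;   /* no setuid bit: wrapper cannot do its job   */
    if (m & S_IRWXO)    return 0;   /* world access would defeat the group gate   */
    if (m & S_IWGRP)    return 0;   /* group-writable setuid root: trivial takeover */
    return 1;
}

/* Irrevocably give up root once the privileged work is done: supplementary
 * groups first (needs root, so only attempted while still root), then gid,
 * then uid. Afterwards verify the drop really took: a failing setuid(0) is
 * the proof that privileges cannot be regained. Returns 0 on success. */
int drop_root(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;   /* root came back: fail closed */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    return 0;
}

/* The wrapper itself: installed setuid root, owner root, group set to the
 * ident daemon's group with no world bits, so only that group can run it.
 * It accepts no arguments, passes the command a minimal environment, and
 * never consults the caller's PATH. Output parsing stays in the unprivileged
 * Perl caller, exactly as the post describes. */
int main(int argc, char **argv)
{
    (void)argv;
    if (argc != 1) {
        fprintf(stderr, "wrapper: takes no arguments\n");
        return 2;
    }
    char *const cmd_argv[] = { CMD_PATH, NULL };
    char *const cmd_envp[] = { "PATH=/sbin:/usr/sbin:/bin:/usr/bin", NULL };
    execve(CMD_PATH, cmd_argv, cmd_envp);
    perror("wrapper: execve");
    return 1;
}
```

`drop_root` is the piece that belongs in any setuid program of the kind discussed in the first paragraph: do the root-only step, call `drop_root(unprivileged_uid, unprivileged_gid)`, and refuse to continue if it returns non-zero. The order matters because `setgroups` and `setgid` need root, while `setuid` is the call that throws root away; checking `setuid(0)` afterwards catches the classic mistake of dropping only the effective uid and leaving the saved uid as root.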