Hi Mike,

On Mon, Mar 14, 2005 at 12:34:58PM -0500, [EMAIL PROTECTED] wrote:
> > For instance, I can connect to your service, and fork off
> > some setuid root application, with stderr connected to that
> > socket. Any error message the application prints will arrive
> > with uid 0. If I manage to make that message appear valid to you,
> > your daemon will accept any future input unquestioned.
> >
>
> Interesting attack, although I doubt the setuid program would be attaching
> an SCM_CREDENTIALS to its stderr writes. I'll fix it up to check
> credentials on all packets nevertheless.

The application doesn't have to pass them explicitly. They'll be
attached automatically by the kernel.

> > If you make it less generic, and allow only mount calls, you'll
> > be much safer, because in the case of a bug, an attacker will
> > be able to send fake MOUNT packets, but nothing else.
> >
>
> Hmm. I like the idea of keeping it generic as it may very well solve
> someone else's problem as well. As for locking it down to MOUNT (and
> possibly PMAP/RPCB), how about some sort of config file that limits
> PROG/VERS tuples?

That works as well.

Olaf
--
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
[EMAIL PROTECTED]  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
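
Added example, not part of the original message or of the autofs code: the kernel behaviour described in the reply above, shown in Python on Linux. A receiver that sets SO_PASSCRED gets the writer's pid, uid and gid with each datagram even though the child only writes to its stderr; the socketpair, the child command and the helper names are constructed for illustration.

```python
import os
import socket
import struct
import subprocess
import sys

UCRED = "iII"  # struct ucred on Linux: pid_t pid; uid_t uid; gid_t gid

def recv_with_creds(sock, bufsize=4096):
    """Receive one datagram plus the (pid, uid, gid) the kernel attached to it."""
    size = struct.calcsize(UCRED)
    data, ancdata, _flags, _addr = sock.recvmsg(bufsize, socket.CMSG_SPACE(size))
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS:
            return data, struct.unpack(UCRED, cdata[:size])
    return data, None  # no credentials present: the caller must reject

def is_trusted(creds, allowed_uids):
    """Per-message check: run it on every packet, not only on the first one."""
    return creds is not None and creds[1] in allowed_uids

def demo():
    # Constructed setup: a socketpair stands in for the daemon's socket.
    daemon, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    daemon.settimeout(5)
    # Only the receiving side opts in; the sender does nothing special.
    daemon.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)

    # The child knows nothing about sockets or SCM_CREDENTIALS; it just
    # writes an error message to its stderr, which happens to be the socket.
    child = subprocess.Popen(
        [sys.executable, "-c", "import os; os.write(2, b'mount: permission denied')"],
        stderr=client)
    child.wait()
    client.close()

    data, creds = recv_with_creds(daemon)
    daemon.close()
    return data, creds, child.pid

if __name__ == "__main__":
    data, creds, child_pid = demo()
    print("payload:", data)
    print("kernel-attached (pid, uid, gid):", creds, "child pid:", child_pid)
    print("trusted for this uid:", is_trusted(creds, {os.getuid()}))
```

The credentials identify the process that wrote the bytes, not who chose the content, so the per-message credential check complements validation of the message itself.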
