Darren Moffat wrote:
> >> IMO door servers need to be as robust as possible - particularly if
> >> they are running with any privilege but even if they are running as a
> >> "normal" user. Not only should they check who the peer caller is but
> >> they also need to be very very careful about how they parse the input
> >> coming over the door. See the (unfortunately closed) source for kcfd
> >> as an example.

There's not much in the way of parsing. The door server accepts just one fixed-size structure containing stuff like the server IP address, user name, NTLM hash, some flags, etc.

> In this case given the daemon is running as a normal user (but I assume
> it originally started with privilege so has SNOCD set right?) the door

It's started via fork/exec from a program also running as a normal user, so it should not have any extra privileges.

> server should check that its euid matches that of the caller, or the
> caller's euid == 0 and has all privs (or the kernel will use a cred_t
> with euid == the user's). Additional protection that we are really
> being called by who we expect it to be called by - which BTW isn't
> actually clear from the case materials.

In the case materials, I described the door permissions and ownership. While I still think that should be entirely sufficient, I don't mind adding another check if someone will point me to an example of what the check should look like.

Thanks,
Gordon
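The caller check Darren describes (caller euid equal to the server's, or euid 0 holding all privileges) together with a strict size check on the fixed-size request, written as an added example that is not code from either participant or from the daemon under discussion. It assumes a hypothetical request_t layout standing in for the real structure; the door_ucred(3C)/ucred(3C) plumbing is Solaris-only and compiled only under __sun, while the policy function itself is portable.

```c
/* Added example: reject wrong-sized requests and callers whose euid is not ours
 * (unless euid 0 with all effective privs). Policy is portable; door part is Solaris. */
#include <sys/types.h>
#include <unistd.h>
/* Hypothetical fixed-size request, a stand-in for the one in the thread. */
typedef struct {
    char server_ip[64];
    char user_name[64];
    unsigned char ntlm_hash[16];
    unsigned int flags;
} request_t;
/* Policy from the thread: caller euid == server euid, or root with all privs. */
int caller_allowed(uid_t caller_euid, uid_t server_euid, int caller_has_all_privs)
{
    if (caller_euid == (uid_t)-1)          /* no usable euid from door_ucred() */
        return 0;
    if (caller_euid == server_euid)
        return 1;
    return caller_euid == 0 && caller_has_all_privs;
}

/* Input check: exactly one request_t, never shorter or longer. */
int request_size_ok(size_t arg_size)
{
    return arg_size == sizeof(request_t);
}
#ifdef __sun
#include <door.h>
#include <ucred.h>
#include <priv.h>
/* Door server procedure, signature as required by door_create(3C). */
void door_server_proc(void *cookie, char *argp, size_t arg_size,
                      door_desc_t *dp, uint_t n_desc)
{
    ucred_t *uc = NULL;
    int ok = 0, err = -1;
    (void)cookie; (void)dp; (void)n_desc;
    if (request_size_ok(arg_size) && door_ucred(&uc) == 0) {
        const priv_set_t *eff = ucred_getprivset(uc, PRIV_EFFECTIVE);
        ok = caller_allowed(ucred_geteuid(uc), geteuid(),
                            eff != NULL && priv_isfullset(eff));
        ucred_free(uc);
    }
    if (!ok)                                /* reject before touching argp */
        door_return((char *)&err, sizeof err, NULL, 0);
    /* ... handle the request_t in argp, then door_return() the result ... */
    door_return(NULL, 0, NULL, 0);
}
#endif
```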