Mike Hearn wrote:
> On Fri, 08 Apr 2005 13:29:56 -0500, Robert Shearman wrote:
>> 2. setuid binaries make
>> sysadmins nervous and would require a security audit by us. Yes, they
>> don't need to make it setuid, but then the people who do could run their
>> programs as root anyway.
>
> Presumably only the code up until the point at which we drop privs needs
> to be audited though. Suid root binaries that drop privs are pretty common.
You're forgetting the reason why we need the suid root binary - because allowing processes to set their priority as realtime (or otherwise very high) leaves the system open to a trivial DoS attack. Not only do the startup code paths need to be audited, but also the priority setting logic too.
Rob