
Re: drop privileges to nobody is pinging as root



Hi!

On Mon, Mar 06, 2006 at 02:59:49PM -0700, Theo de Raadt wrote:
>> The suggested patch did this only if the *real* UID was root.
>> So it doesn't give any user access to user nobody, but only drops
>> from *real* root to nobody. In fact, the patch was after the
>> normal privilege dropping sequence, so even if the condition
>> 	if (getuid() == 0)
>> were omitted, it couldn't change from non-root to nobody.

>I still do not agree at all with doing this.  Sorry.  "nobody" is
>special, and should not be misused like this.

My statement was neutral towards the question whether the original
suggestion should be implemented as is, in a modified way or not
at all. It was just to point out what seemed like a misunderstanding
to me.

IIRC OpenBSD usually uses separate users for each app that drops/separates
privileges. So a consequential implementation would use a user _ping
instead of reusing nobody in a questionable way. But of course the
question is valid whether that's worthwhile compared to the theoretical
risk (low under OpenBSD anyway) that root runs ping and the other host
could exploit it using crafted response packets.

Kind regards,

Hannah.
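Added example, not part of the original message or of any patch from this thread: a C sketch of the ordering argument quoted above, where a second drop to an unprivileged account placed after the normal drop sequence can only succeed when the real UID is root. The function names, the return codes and the uid/gid 65534 are assumptions made for the illustration; a real program would look up a dedicated account (such as the _ping user the message mentions) with getpwnam().

```c
#define _DEFAULT_SOURCE          /* for setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum { REFUSED = 0, DROPPED = 1, UNSAFE = 2 };   /* hypothetical result codes */

/* Runs in a forked child so the caller keeps its own credentials. */
static int drop_in_child(uid_t uid, gid_t gid)
{
    /* Step 1: the normal sequence of a setuid-root program: give up the
     * effective root identity and continue as the invoking (real) user.
     * For a real-root caller this changes nothing. */
    if (setuid(getuid()) != 0)
        return UNSAFE;
    /* Step 2: the extra drop. Groups first, then gid, then uid; once the
     * uid has changed the process may no longer change its groups.
     * A caller whose real uid is not root is rejected by the kernel here. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return REFUSED;
    /* Step 3: verify the drop is irreversible and took effect. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid)
        return UNSAFE;
    return DROPPED;
}

/* Attempts the two-stage drop in a child process and reports the outcome. */
int try_drop(uid_t uid, gid_t gid)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return UNSAFE;
    if (pid == 0)
        _exit(drop_in_child(uid, gid));
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return UNSAFE;
    return WEXITSTATUS(status);
}

int main(void)
{
    static const char *names[] = { "refused", "dropped", "UNSAFE" };
    /* 65534 is a placeholder id chosen for this example. */
    printf("real uid %d: %s\n", (int)getuid(), names[try_drop(65534, 65534)]);
    return 0;
}
```

Run as an ordinary user it reports "refused" without any getuid() == 0 test in the code; run as real root it reports "dropped" only after confirming that setuid(0) no longer works.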


