[PATCH] Hal privilege separation
Sjoerd Simons
sjoerd at luon.net
Fri Jan 20 12:21:57 PST 2006
On Fri, Jan 20, 2006 at 12:08:49PM -0800, Artem Kachitchkine wrote:
>
> >Well I don't want hald-runner to be a setuid program on disk somewhere, so
> >no, hal can't start it after dropping its privileges.
>
> It can temporarily raise privileges, restart hald-runner, and drop them
> again.
>
> I would also like to hear your take on my first question:
>
> >Does hald-runner exist only so that the addons have a privileged ancestor
> >they can inherit privileged uid/gid from?
Basically yes.
> >If so, wouldn't it be much easier if hald regained its privileges
> >temporarily before exec'ing an addon and dropping them immediately after?
>
> Is there a specific reason for separating helper launcher into a
> separate process? I buy John's SELinux argument, but doubt that SELinux
> was your primary design motivation.
I must admit that there wasn't a big motivation for this. I'm not very familiar
with how temporarily raising works and what the security implications of that
are (and if it's portable to other systems). Couldn't some injected code then
also temporarily raise privileges, for example?
OTOH, I think really separating it makes it easier to review, as it's really
only a part of the code that runs as root.
Sjoerd
--
You can't cheat the phone company.
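The question raised in the reply (whether injected code could re-raise privileges after a temporary drop) comes down to which of the three uids seteuid() leaves untouched. The following C program is an added example written for this page; it is not hal or hald-runner code, and the helper names (drop_privs_temporarily, drop_privs_permanently, root_reachable, run_demo) and the uid 65534 are assumptions chosen for the demonstration. It uses setresuid()/getresuid(), which exist on Linux and the BSDs but are not universally portable; the thread's portability concern applies to them as well. Run it as root to see both drops; as an ordinary user it only shows the permanent-drop path.

```c
/* Added example (not hald code): temporary vs. permanent privilege drop.
 * Helper names and the uid 65534 are assumptions for this demonstration. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Temporary drop: only the effective uid changes. The saved set-user-ID
 * stays 0, so the process, or anything injected into it, can call
 * seteuid(0) and be root again. This is the hazard asked about above. */
static int drop_privs_temporarily(uid_t unpriv)
{
    return seteuid(unpriv);
}

static int regain_privs(void)
{
    return seteuid(0);
}

/* Permanent drop: real, effective and saved uid are all set, so no root
 * id is left to switch back to. The drop is verified by trying to regain.
 * (gid and supplementary groups need the same treatment; omitted here.) */
static int drop_privs_permanently(uid_t unpriv)
{
    if (setresuid(unpriv, unpriv, unpriv) != 0)
        return -1;
    if (unpriv != 0 && seteuid(0) == 0)
        return -2;          /* still privileged: treat as fatal */
    return 0;
}

/* 1 if any of real/effective/saved uid is 0, i.e. root is still reachable. */
static int root_reachable(void)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    return (r == 0 || e == 0 || s == 0) ? 1 : 0;
}

/* Walk through both drops. Returns 0 when the behaviour matches the
 * expectations, a negative step number otherwise. Works whether the
 * process started as root or not. */
static int run_demo(void)
{
    const uid_t unpriv = 65534;   /* assumption: a "nobody"-style uid */

    if (geteuid() == 0) {
        if (drop_privs_temporarily(unpriv) != 0)  return -1;
        if (geteuid() != unpriv)                  return -2;
        /* Still reachable: a temporary drop does not protect against
         * code that runs inside the process. */
        if (root_reachable() != 1)                return -3;
        if (regain_privs() != 0)                  return -4;
        if (geteuid() != 0)                       return -5;
        if (drop_privs_permanently(unpriv) != 0)  return -6;
        if (root_reachable() != 0)                return -7;
        if (regain_privs() == 0)                  return -8; /* must fail */
        if (errno != EPERM)                       return -9;
        return 0;
    }
    /* Not root: nothing to give up, but the permanent drop to our own uid
     * must still succeed and root must be unreachable afterwards. */
    if (drop_privs_permanently(getuid()) != 0)    return -10;
    if (root_reachable() != 0)                    return -11;
    return 0;
}

int main(void)
{
    int rc = run_demo();
    printf("demo %s (rc=%d), root reachable afterwards: %d\n",
           rc == 0 ? "ok" : "FAILED", rc, root_reachable());
    return rc == 0 ? 0 : 1;
}
```

The point the example makes concrete: after drop_privs_temporarily() the saved uid is still 0, so root_reachable() reports 1 and regain_privs() succeeds; only after setresuid() has overwritten all three ids does seteuid(0) fail with EPERM. A separate root-owned launcher process, as hald-runner is, avoids the question entirely for the unprivileged daemon, at the cost of an extra process and an IPC boundary.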