[systemd-devel] euid 0 not honored authenticating control socket?

Simon McVittie simon.mcvittie at collabora.co.uk
Mon Jan 25 09:19:02 PST 2016


On 21/01/16 18:12, Charles Duffy wrote:
> I have a setuid-root executable

... and now you have two problems? :-)

setuid executables are inherently dangerous: they run with one set of
privileges (their euid), but their environment variables, resource
limits, inherited file descriptors, etc. are controlled by a different,
usually lower set of privileges (their real uid). Every piece of code
run in this rather precarious situation needs to be designed to distrust
things that normal application code can safely trust.

Executables that are not specifically designed to be run under setuid
(including systemctl), and libraries that are not specifically designed
to be setuid-safe, should not be run while setuid.

If you are completely confident that your setuid executable has
sanitized its environment - most importantly, cleaning the environment
via a whitelist, like
<http://cgit.freedesktop.org/polkit/tree/src/programs/pkexec.c> does -
then you can set the real and effective uids to the same value,
effectively taking responsibility for dealing with the security boundary.

-- 
Simon McVittie
Collabora Ltd. <http://www.collabora.com/>
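As an added example, not code from this thread, from systemd or from polkit: a whitelist-style environment sanitizer in the spirit of what pkexec does, followed by making the real and effective uids equal, the step Simon describes for taking over the security boundary. The allow-list contents and the function names are assumptions for illustration.

```c
#define _XOPEN_SOURCE 700              /* for setreuid() */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Illustrative allow-list (an assumption, not pkexec's exact list). PATH is
 * deliberately absent: a setuid program should set its own fixed PATH rather
 * than inherit one chosen by the untrusted real uid. */
static const char *const ALLOWED_VARS[] = {
    "LANG", "LC_ALL", "TERM", "HOME", "USER", NULL
};

/* Build a new NULL-terminated environment holding only allow-listed
 * entries of env. Entries are shared, not copied; free() the array only.
 * Returns NULL on allocation failure. */
char **sanitize_environment(char *const *env)
{
    size_t n = 0, k = 0;
    while (env[n]) n++;
    char **out = calloc(n + 1, sizeof *out);
    if (!out) return NULL;
    for (size_t i = 0; i < n; i++) {
        const char *eq = strchr(env[i], '=');
        if (!eq || eq == env[i]) continue;      /* malformed entry: drop it */
        size_t namelen = (size_t)(eq - env[i]);
        for (const char *const *a = ALLOWED_VARS; *a; a++) {
            if (strlen(*a) == namelen && strncmp(*a, env[i], namelen) == 0) {
                out[k++] = env[i];
                break;
            }
        }
    }
    out[k] = NULL;
    return out;
}

/* Once the environment is trusted, take responsibility for the boundary by
 * making the real uid equal the effective uid. Returns 0 on success. */
int equalize_uids(void)
{
    uid_t e = geteuid();
    if (setreuid(e, e) != 0) return -1;
    return (getuid() == e && geteuid() == e) ? 0 : -1;
}
```

In a real setuid-root program the sanitized array would be handed to execve() together with a fixed PATH; anything not on the list (LD_*, PATH, IFS and so on) never reaches the privileged child.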