[scponly] scponlyc - why not give up root privileges completely?
Dominik Schwald
d.schwald at nextbyte.de
Thu Jul 1 13:23:18 EDT 2004
Hi,
I'm quite new to scponly and have a security-related question concerning
the root privileges of scponlyc. I use scponly on a Linux box (just in
case this matters).
Am I right that the _only_ reason for being setuid is the chroot()
call? I read the following in the file INSTALL:
"... There is a seteuid that ensures that the execution of any commands
is never done with an effective uid of 0..."
So here is my question: why does scponlyc not drop all root rights
immediately after entering the chroot jail, instead of only ensuring
that after the invocation of the chroot jail the root privileges aren't
used any more?
So the code would be something like:
if (chdir("/foo/bar") != 0 || chroot("/foo/bar") != 0)
    exit(1);                 /* still root here; bail out if the jail fails */
if (setuid(non_zero_UID) != 0)
    exit(1);                 /* after this call root is gone for good */
If I am right that root privileges are only necessary
for the chroot call, I think this would be a nicer solution, since (at
least for Linux) setuid(uid) does the following:
"...If the user is root or the program is setuid root, special care
must be taken. The setuid function checks the effective uid of the
caller and if it is the superuser, all process related user ID's are set
to uid. After this has occurred, it is impossible for the program to
regain root privileges..."
Thanks in advance for your comments.
Regards, dominik
BTW: I am not an advanced C programmer, and am also very new to chroot()
things and scponly. So please don't kill me if I got something completely
wrong.