From: Jamie Lokier <jamie@shareable.org>
To: "Joseph D. Wagner" <theman@josephdwagner.info>
Cc: "'maximilian attems'" <janitor@sternwelten.at>,
	linux-fsdevel@vger.kernel.org
Subject: Re: Does sendfile() copy extended attributes?
Date: Sun, 21 Dec 2003 11:50:28 +0000
Message-ID: <20031221115028.GG3438@mail.shareable.org>
In-Reply-To: <001001c3c7b1$c5b729c0$0201a8c0@joe>

Joseph D. Wagner wrote:
> >> Because that violates one of the Immutable Laws of Security -- "If
> >> you're running someone else's program, it's not your program anymore."

> Not without ALREADY compromising the root account.  Remember, the
> vulnerability I'm addressing is PRIVILEGE ELEVATION.  You can't
> elevate privileges any higher than root.

Changing /bin/cp also requires a root compromise.

> > You are imagining a black box function which is specified to copy a
> > file and its attributes.  How can you know that function does not work
> > by calling an external program?
> 
> I didn't say it doesn't work.  I just said that executing an
> external program is too much of a security risk.

I think you read what I wrote the wrong way.  Let me rephrase it:
How can you know that function does not call an external program to
perform its action?

There actually are a few functions in the C library which work by
calling external programs - grantpt is one I think - and it's not
mentioned in the manual page (because it's an implementation detail).

Actually I agree with you that calling external programs is a big
risk.  It should be done carefully in security-conscious code.
However, you are deluded to imagine that calling functions in the C
library is automatically safe from those risks.  That must be done
carefully as well.

-- Jamie
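
Added example, not part of the original message or thread: one way to call an external program carefully from C, using an absolute path, an argv array instead of a shell command line, and a fixed environment. run_helper and clean_env are hypothetical names; the example assumes a POSIX system with /bin/cp and that any descriptors the child must not see are opened with O_CLOEXEC.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment: nothing is inherited from the caller, so a PATH,
 * LD_PRELOAD or similar variable set by the invoking user never reaches
 * the child. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };

/* Hypothetical helper: returns the child's exit status (0-255), or -1 if
 * the request is refused or the child did not exit normally. */
int run_helper(const char *path, char *const argv[])
{
    int status;
    pid_t pid;

    /* Refuse anything that would need a PATH search. */
    if (path == NULL || path[0] != '/') {
        errno = EINVAL;
        return -1;
    }
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: execve() takes an argv array, so no shell ever parses
         * the arguments, and the environment is the fixed one above. */
        execve(path, argv, clean_env);
        _exit(127);                      /* exec itself failed */
    }
    /* Parent: wait for this child, retrying if a signal interrupts us. */
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char *argv[])
{
    /* Usage: ./a.out SRC DST copies with /bin/cp -p; "--" ends options. */
    if (argc != 3)
        return 2;
    char *const args[] = { "cp", "-p", "--", argv[1], argv[2], NULL };
    return run_helper("/bin/cp", args) == 0 ? 0 : 1;
}
```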
