From: "Valdis Klētnieks" <valdis.kletnieks@vt.edu>
To: jim.cromie@gmail.com
Cc: kernelnewbies <kernelnewbies@kernelnewbies.org>
Subject: Re: sticky bits in /proc etc
Date: Wed, 10 Jun 2020 23:37:32 -0400 [thread overview]
Message-ID: <25192.1591846652@turing-police> (raw)
In-Reply-To: <CAJfuBxyU1N=r_jj6dWB3QERUMi9Y36BP+O4-LC95dbsU477bww@mail.gmail.com>
[-- Attachment #1.1: Type: text/plain, Size: 1006 bytes --]
On Wed, 10 Jun 2020 08:24:17 -0600, jim.cromie@gmail.com said:
> Id like to ask about a possible new use for file and directory sticky bits,
> or setuid bits, to address the root-only use of /proc (etc) files
The sticky bit and setuid/gid bits already have meanings for directories,
and changing the semantics will break existing code.
> this needs root
>
> echo module kvm +p > /proc/dynamic_debug/control
>
> how about this ?
>
> cat root-owned-readonly-file > /proc/dynamic_debug/control
Nope, doesn't work that way, because the file in /proc has no way to tell that
it's cat doing it from a root-owned file, versus cat doing it from a
hacker-owned file. As far as the /proc file is concerned, the "echo" and "cat"
commands are identical.
If you have an actual need for non-root users to do this, there's always the
fact that 'sudo' can be restricted to specific commands for the user, and/or
the use of set-UID helper programs that validate the request and then issue it
on the user's behalf.
[-- Attachment #1.2: Type: application/pgp-signature, Size: 832 bytes --]
[-- Attachment #2: Type: text/plain, Size: 170 bytes --]
_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
next prev parent reply other threads:[~2020-06-11 3:38 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-10 14:24 sticky bits in /proc etc jim.cromie
2020-06-11 3:37 ` Valdis Klētnieks [this message]
2020-06-11 15:07 ` jim.cromie
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=25192.1591846652@turing-police \
--to=valdis.kletnieks@vt.edu \
--cc=jim.cromie@gmail.com \
--cc=kernelnewbies@kernelnewbies.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.