From: Jamie Lokier <jamie@shareable.org>
To: "Joseph D. Wagner" <theman@josephdwagner.info>
Cc: "'maximilian attems'" <janitor@sternwelten.at>,
linux-fsdevel@vger.kernel.org
Subject: Re: Does sendfile() copy extended attributes?
Date: Sun, 21 Dec 2003 11:50:28 +0000 [thread overview]
Message-ID: <20031221115028.GG3438@mail.shareable.org> (raw)
In-Reply-To: <001001c3c7b1$c5b729c0$0201a8c0@joe>
Joseph D. Wagner wrote:
> >> Because that violates one of the Immutable Laws of Security -- "If
> >> you're running someone else's program, it's not your program anymore."
> Not without ALREADY compromising the root account. Remember, the
> vulnerability I'm addressing is PRIVILEGE ELEVATION. You can't
> elevate privileges any higher than root.
Changing /bin/cp also requires a root compromise.
> > You are imagining a black box function which is specified to copy a
> > file and its attributes. How can you know that function does not work
> > by calling an external program?
>
> I didn't say it doesn't work. I just said that executing an
> external program is too much of a security risk.
I think you read what I wrote the wrong way. Let me rephrase it:
How can you know that function does not call an external program to
perform its action?
There actually are a few functions in the C library which work by
calling external programs - grantpt is one I think - and it's not
mentioned in the manual page (because it's an implementation detail).
Actually I agree with you that calling external programs is a big
risk. It should be done carefully in security conscious code.
However you are deluded to imagine that calling functions in the C
library is automatically safe from the those risks. That must be done
carefully as well.
-- Jamie
next prev parent reply other threads:[~2003-12-21 11:50 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-12-14 17:39 Does sendfile() copy extended attributes? Joseph D. Wagner
2003-12-15 5:43 ` Shaya Potter
2003-12-15 5:46 ` Jeff Garzik
2003-12-15 5:49 ` Shaya Potter
2003-12-15 5:55 ` Jeff Garzik
2003-12-15 5:59 ` Shaya Potter
2003-12-15 17:16 ` Bryan Henderson
2003-12-15 20:15 ` Joseph D. Wagner
2003-12-15 21:28 ` Jamie Lokier
2003-12-16 4:28 ` Joseph D. Wagner
2003-12-19 16:37 ` maximilian attems
2003-12-20 12:19 ` Joseph D. Wagner
2003-12-20 20:40 ` Jamie Lokier
2003-12-21 11:01 ` Joseph D. Wagner
2003-12-21 11:50 ` Jamie Lokier [this message]
2003-12-21 19:31 ` Joseph D. Wagner
2003-12-21 19:44 ` Shaya Potter
2003-12-21 19:51 ` Jamie Lokier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20031221115028.GG3438@mail.shareable.org \
--to=jamie@shareable.org \
--cc=janitor@sternwelten.at \
--cc=linux-fsdevel@vger.kernel.org \
--cc=theman@josephdwagner.info \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox