From: Jamie Lokier
Subject: Re: Does sendfile() copy extended attributes?
Date: Sun, 21 Dec 2003 11:50:28 +0000
Sender: linux-fsdevel-owner@vger.kernel.org
Message-ID: <20031221115028.GG3438@mail.shareable.org>
References: <20031220204040.GA28180@mail.shareable.org> <001001c3c7b1$c5b729c0$0201a8c0@joe>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: "'maximilian attems'", linux-fsdevel@vger.kernel.org
Received: from mail.shareable.org ([81.29.64.88]:42631 "EHLO mail.shareable.org") by vger.kernel.org with ESMTP id S262760AbTLULud (ORCPT); Sun, 21 Dec 2003 06:50:33 -0500
To: "Joseph D. Wagner"
Content-Disposition: inline
In-Reply-To: <001001c3c7b1$c5b729c0$0201a8c0@joe>
List-Id: linux-fsdevel.vger.kernel.org

Joseph D. Wagner wrote:
> >> Because that violates one of the Immutable Laws of Security -- "If
> >> you're running someone else's program, it's not your program anymore."
>
> Not without ALREADY compromising the root account. Remember, the
> vulnerability I'm addressing is PRIVILEGE ELEVATION. You can't
> elevate privileges any higher than root.

Changing /bin/cp also requires a root compromise.

> > You are imagining a black box function which is specified to copy a
> > file and its attributes. How can you know that function does not work
> > by calling an external program?
>
> I didn't say it doesn't work. I just said that executing an
> external program is too much of a security risk.

I think you read what I wrote the wrong way. Let me rephrase it:

How can you know that function does not call an external program to
perform its action?

There actually are a few functions in the C library which work by
calling external programs - grantpt is one I think - and it's not
mentioned in the manual page (because it's an implementation detail).

Actually I agree with you that calling external programs is a big
risk. It should be done carefully in security-conscious code.

However you are deluded to imagine that calling functions in the C
library is automatically safe from those risks. That must be done
carefully as well.

-- Jamie
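The thread's subject is whether sendfile() carries extended attributes across; it copies file data only. The following is an added example, not code from this thread or from any participant: it copies a file's bytes with sendfile() and then copies its xattrs in-process with listxattr/getxattr/setxattr, so no external program such as /bin/cp is executed. It assumes Linux and restricts itself to the user.* namespace, the one an unprivileged process can normally both read and set; names and paths are the example's own.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/sendfile.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Copy every user.* extended attribute of src onto dst.
 * Returns 0 on success or when the filesystem has no xattr support
 * (nothing to copy), -1 on any other error. */
static int copy_user_xattrs(const char *src, const char *dst) {
    ssize_t len = listxattr(src, NULL, 0);
    if (len < 0) return (errno == ENOTSUP) ? 0 : -1;
    if (len == 0) return 0;
    char *names = malloc((size_t)len);
    if (!names) return -1;
    len = listxattr(src, names, (size_t)len);
    if (len < 0) { free(names); return -1; }
    int rc = 0;
    /* The list is a sequence of NUL-terminated names packed back to back. */
    for (char *n = names; n < names + len && rc == 0; n += strlen(n) + 1) {
        if (strncmp(n, "user.", 5) != 0) continue;   /* skip trusted./security./system. */
        ssize_t vlen = getxattr(src, n, NULL, 0);
        if (vlen < 0) { rc = -1; break; }
        char *val = malloc(vlen > 0 ? (size_t)vlen : 1);
        if (!val) { rc = -1; break; }
        if (getxattr(src, n, val, (size_t)vlen) != vlen ||
            setxattr(dst, n, val, (size_t)vlen, 0) != 0) rc = -1;
        free(val);
    }
    free(names);
    return rc;
}

/* Copy src to dst: data via sendfile(), mode bits via fstat(), then xattrs.
 * Returns 0 on success, -1 on failure (errno set by the failing call). */
int copy_with_xattrs(const char *src, const char *dst) {
    int in = open(src, O_RDONLY);
    if (in < 0) return -1;
    struct stat st;
    if (fstat(in, &st) != 0) { close(in); return -1; }
    int out = open(dst, O_WRONLY | O_CREAT | O_TRUNC, st.st_mode & 07777);
    if (out < 0) { close(in); return -1; }
    off_t left = st.st_size;
    while (left > 0) {                      /* sendfile may copy in pieces */
        ssize_t n = sendfile(out, in, NULL, (size_t)left);
        if (n <= 0) break;
        left -= n;
    }
    close(in);
    if (close(out) != 0 || left != 0) return -1;
    return copy_user_xattrs(src, dst);      /* sendfile() copied no xattrs */
}
```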