From mboxrd@z Thu Jan 1 00:00:00 1970
From: Mr POSIX
Date: Tue, 25 Aug 2009 19:28:38 +0000
Subject: Re: [security] Race condition in udev
Message-Id: <1251228518.4175.147.camel@quest>
List-Id:
References: <20090821102407.GA29609@florz.florz.dyndns.org>
In-Reply-To: <20090821102407.GA29609@florz.florz.dyndns.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: linux-hotplug@vger.kernel.org

On Tue, 2009-08-25 at 20:38 +0200, Florian Zumbiehl wrote:
> Or in more general terms: Well, yeah, there probably are many userspace
> configurations where such permissions would not be a wise thing to use.
> But still, there probably are just as many cases that are perfectly
> safe
>
No, there really isn't. Let's go back to basics of the UNIX security
model, and most importantly, how this is *interpreted* by applications.

The model is one of "grant". That is to say, to be able to perform any
privileged action, you must be granted that privilege. Even your uid is
a "grant" of privilege: it enables you to communicate with and change
other processes running under that same uid. Likewise a gid is a
"grant" of privilege.

Therefore there is an assumption that a newly created user, with a
unique uid and gid not used anywhere, has effectively no privilege.
This assumption is used in many places, but most notably when daemons
and services run as a user of their own - or even the "nobody" user.

Your example breaks this assertion. By giving a user or group *less*
privilege than other users, you have effectively granted a privilege to
"nobody" and secure users that genuine users *do not have*.

Put simply, a mask should decrease in value when read from left to
right - 755 is valid, 577 isn't.

Giving a user or group less privilege than "anybody else" is easy to
circumvent, because the basic assumption is that by changing user or
adding a group you are *gaining* privilege, not dropping it - and thus
by switching to a "nobody" user you are *dropping* privilege, not
gaining it.

Scott
--
Scott James Remnant
scott@canonical.com
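The mask rule in the message above, as an added worked example that is not part of Scott's mail, of udev, or of any distribution's rules files: the check treats each permission class as a set of rights and reports any bit that "group" holds but the owner lacks, or that "other" holds but the group or owner lacks. It is a bit-wise comparison rather than the left-to-right numeric reading, so it also flags masks such as 0761 where "other" gains execute that the group does not have; 755 passes and 577 fails exactly as stated in the mail. The rules snippet, the MODE= extraction and all function names are assumptions made for illustration.

```python
import re

# rwx bits for one permission class, as a 3-bit field.
R, W, X = 4, 2, 1


def class_bits(mode: int) -> tuple[int, int, int]:
    """Split the low nine bits of a mode into (owner, group, other) fields."""
    perm = mode & 0o777
    return (perm >> 6) & 7, (perm >> 3) & 7, perm & 7


def rwx(bits: int) -> str:
    """Render a 3-bit field as 'rwx' with '-' for absent bits."""
    return "".join(ch if bits & m else "-" for ch, m in (("r", R), ("w", W), ("x", X)))


def mode_str(mode: int) -> str:
    """ls-style string for the nine permission bits, e.g. 'rwxr-xr-x'."""
    return "".join(rwx(b) for b in class_bits(mode))


def privilege_leaks(mode: int) -> dict[str, str]:
    """Bits held by a less specific class that a more specific class lacks.

    Under the grant model, matching the owner or the group is how a
    process *gains* rights, so owner >= group >= other is expected as
    sets. A bit only 'other' has is a right handed to every account that
    matches neither, including nobody-style daemon accounts.
    """
    owner, group, other = class_bits(mode)
    leaks = {
        "group_over_owner": group & ~owner,
        "other_over_group": other & ~group,
        "other_over_owner": other & ~owner,
    }
    return {name: rwx(bits) for name, bits in leaks.items() if bits}


def is_grant_consistent(mode: int) -> bool:
    """True when no class holds a bit that a more specific class lacks."""
    return not privilege_leaks(mode)


# udev rules set device-node permissions with MODE="0xxx" (or MODE:="0xxx").
# Pull those values out so a rules file can be audited before installation.
_MODE_RE = re.compile(r'\bMODE\s*:?=\s*"([0-7]{3,4})"')


def check_udev_rules(text: str) -> list[tuple[int, int, dict[str, str]]]:
    """Return (line number, mode, leaks) for every MODE that fails the check."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0]  # drop trailing comments
        for m in _MODE_RE.finditer(body):
            mode = int(m.group(1), 8)
            leaks = privilege_leaks(mode)
            if leaks:
                findings.append((lineno, mode, leaks))
    return findings


# Constructed sample rules (not taken from any real rules file), mixing
# consistent masks with inverted ones to exercise the check.
SAMPLE_RULES = """\
# owner and group get rw, everyone else nothing
KERNEL=="sd[a-z]", MODE="0660", GROUP="disk"
# owner is r-x while group and world may also write
KERNEL=="ttyUSB[0-9]*", MODE="0577", OWNER="root", GROUP="dialout"
# numerically decreasing, but world gains execute the group lacks
KERNEL=="fuse", MODE="0761"
KERNEL=="null", MODE="0666"
"""

if __name__ == "__main__":
    for lineno, mode, leaks in check_udev_rules(SAMPLE_RULES):
        print(f"line {lineno}: MODE={mode:04o} ({mode_str(mode)}) leaks {leaks}")
```

Running the module prints one line per offending rule; in the constructed sample, the 0577 and 0761 rules are reported while 0660 and 0666 pass. The same `privilege_leaks` function can be applied to `os.stat(path).st_mode` when auditing existing device nodes instead of rule text.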