From: "Ted Ts'o" <tytso@mit.edu>
To: Petr Uzel <petr.uzel@suse.cz>
Cc: util-linux@vger.kernel.org
Subject: Re: [PATCH 10/20] uuidd: make drop_privs true by default in main()
Date: Thu, 29 Mar 2012 14:29:11 -0700
Message-ID: <20120329212911.GB13970@thunk.org>
In-Reply-To: <1333039528-24784-11-git-send-email-petr.uzel@suse.cz>
On Thu, Mar 29, 2012 at 06:45:18PM +0200, Petr Uzel wrote:
> The drop_privs variable in main() was used to determine whether the
> daemon will attempt to drop privileges (provided it has been installed
> suid). As of now, it makes sense to drop the privileges each time it is
> started. Therefore, this patch inverts the default value of drop_privs
> to true, so that it does not need to be set in the getopt loop at
> multiple places.
>
> Signed-off-by: Petr Uzel <petr.uzel@suse.cz>
This breaks the configuration where libuuid starts uuidd if it's not
available, since there the user process probably doesn't have access
to write to /var/lib/libuuid/clock.txt, and so dropping the setgid
privileges of uuid will cause it not to work.
Also, if you're going to have a -K option to keep the privileges,
there isn't much of a security benefit, since if there's a bug in
uuidd, the attacker can always call uuidd with -K and then attempt
to exploit any problem that might be there.
So it's not clear adding the ability to drop privileges is really all
that functional; if uuidd is setuid/setgid, it's probably because it
**needs** those privileges.
- Ted
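The two points in the reply above, that dropping setgid can leave the daemon unable to write its clock state file, and that a caller-supplied "keep privileges" switch gives no security benefit, can be checked in code by letting the daemon decide from its own state rather than from an option. The following is an added illustration, not code from util-linux, uuidd or this thread; the function names, the enum and the temporary file are all hypothetical, and `setresgid`/`setresuid` are assumed to be available (Linux/glibc). The key observation it relies on is that `access(2)` evaluates permissions with the real uid/gid, i.e. exactly the credentials the process will be left with once setuid/setgid privileges are dropped, so an unwritable answer before the drop predicts the clock.txt failure Ted describes.

```c
#define _GNU_SOURCE          /* setresgid/setresuid on glibc (assumption: Linux) */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical outcome codes for the decision below (not uuidd's API). */
typedef enum {
    PRIVS_DROPPED,          /* privileges dropped, state file still writable */
    PRIVS_KEPT_NEEDED,      /* setuid/setgid retained: real IDs cannot write the state file */
    PRIVS_STATE_UNWRITABLE, /* not privileged and state file unwritable: daemon cannot work */
    PRIVS_DROP_FAILED       /* set*id failed or the drop turned out to be reversible */
} privs_result;

/* True when the effective uid or gid differs from the real one, i.e. the
 * binary was installed setuid or setgid. */
int is_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Drop effective and saved uid/gid back to the real ones and verify the drop
 * cannot be reversed. gid first: once the uid is unprivileged the process may
 * no longer be allowed to change its gid. Returns 0 on success, -1 otherwise. */
int drop_privs(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();

    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    if (setresuid(ruid, ruid, ruid) != 0)
        return -1;
    /* If we were setgid/setuid, regaining the old effective IDs must now fail. */
    if (egid != rgid && setegid(egid) == 0)
        return -1;
    if (euid != ruid && seteuid(euid) == 0)
        return -1;
    return 0;
}

/* Decide from the daemon's own state whether dropping privileges is safe.
 * access(2) checks with the *real* IDs, which is what remains after
 * drop_privs(), so "unwritable" here means the state file (uuidd's
 * clock.txt) would become unwritable after the drop. No command-line
 * option is involved, so there is nothing for an unprivileged caller to pass. */
privs_result drop_privs_if_safe(const char *state_file)
{
    if (access(state_file, W_OK) != 0)
        return is_privileged() ? PRIVS_KEPT_NEEDED : PRIVS_STATE_UNWRITABLE;
    if (drop_privs() != 0)
        return PRIVS_DROP_FAILED;
    return PRIVS_DROPPED;
}

/* Constructed sample input: a writable temporary file standing in for
 * /var/lib/libuuid/clock.txt. Returns a path in a static buffer. */
const char *make_constructed_state_file(void)
{
    static char path[] = "/tmp/clock_example_XXXXXX";
    static const char tmpl[] = "/tmp/clock_example_XXXXXX";
    int fd;

    memcpy(path, tmpl, sizeof(tmpl));   /* reset the mkstemp template on each call */
    fd = mkstemp(path);
    if (fd < 0) {
        perror("mkstemp");
        exit(EXIT_FAILURE);
    }
    close(fd);
    return path;
}

static const char *privs_result_name(privs_result r)
{
    switch (r) {
    case PRIVS_DROPPED:          return "dropped";
    case PRIVS_KEPT_NEEDED:      return "kept (state file needs them)";
    case PRIVS_STATE_UNWRITABLE: return "state file unwritable";
    default:                     return "drop failed";
    }
}

int main(void)
{
    const char *path = make_constructed_state_file();
    privs_result r = drop_privs_if_safe(path);

    printf("%s: %s\n", path, privs_result_name(r));
    unlink(path);
    printf("/nonexistent/clock.txt: %s\n",
           privs_result_name(drop_privs_if_safe("/nonexistent/clock.txt")));
    return r == PRIVS_DROPPED ? 0 : 1;
}
```

Run unprivileged, the temporary file reports "dropped" and the missing path reports "state file unwritable"; installed setgid with a clock file the real gid cannot write, the same call would report "kept". The point of the second check in `drop_privs()` is that a drop which leaves the saved set-id in place is not a drop at all, and that condition is cheap to verify at the moment it matters.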