public inbox for util-linux@vger.kernel.org
From: Petr Uzel <petr.uzel@suse.cz>
To: "Ted Ts'o" <tytso@mit.edu>
Cc: util-linux@vger.kernel.org
Subject: Re: [PATCH 10/20] uuidd: make drop_privs true by default in main()
Date: Sat, 31 Mar 2012 18:38:44 +0200
Message-ID: <20120331163844.GA29416@skipper.site>
In-Reply-To: <20120329212911.GB13970@thunk.org>


On Thu, Mar 29, 2012 at 02:29:11PM -0700, Ted Ts'o wrote:
> On Thu, Mar 29, 2012 at 06:45:18PM +0200, Petr Uzel wrote:
> > The drop_privs variable in main() was used to determine whether the
> > daemon will attempt to drop privileges (provided it has been installed
> > suid). As of now, it makes sense to drop the privileges each time it is
> > started. Therefore, this patch inverts the default value of drop_privs
> > to true, so that it does not need to be set in the getopt loop at
> > multiple places.
> > 
> > Signed-off-by: Petr Uzel <petr.uzel@suse.cz>
> 
> This breaks the configuration where libuuid starts uuidd if it's not
> available, since there the user process probably doesn't have access
> to write to /var/lib/libuuid/clock.txt, and so dropping the setgid
> privileges of uuid will cause it not to work.

I don't think the commit you are referring to changes uuidd behavior
in any way and if it does, then I overlooked something and it is a
bug. The change is meant to be a cleanup - instead of initializing the
drop_privs to 0 and changing it to 1 in the getopt loop, it is initialized
to 1. IOW, I don't see a use case where it should be left 0, except
with later introduced --keep-privs (but see below). Or do I miss
something?

> Also, if you're going to have a -K option to keep the privileges,
> there isn't much of a security benefit, since if there's a bug in
> uuidd, the attacker can always call uuidd with -K and then attempt
> to exploit any problem that might be there.
> 
> So it's not clear adding the ability to drop privileges is really all
> that functional; if uuidd is setuid/setgid, it's probably because it
> **needs** those privileges.

If I get it right, the setuid/setgid bit for uuidd is "only" useful
for the case when uuidd is spawned from the libuuid library running
with normal user privileges, right? Since this is useless with the
socket activated uuidd, the solution might be to conditionally drop
the code for dropping privileges if uuidd is configured 
--with-uuidd-socket-activation. Also the --keep-privs would
go away. Does that sound good?


Thanks,

        Petr

--
Petr Uzel
IRC: ptr_uzl @ freenode
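The privilege drop the thread argues about, as an added example written for this page and not uuidd's or util-linux's own code: a routine that hands a setuid/setgid program's credentials back to the caller's real uid and gid and then verifies that the elevated ids cannot be taken back. It assumes Linux (setresuid/setresgid/getresuid/getresgid); the function name drop_privs_to_real is mine. The verification step is the part a plain setgid()/setuid() pair omits: for an unprivileged caller those calls change only the effective id and leave the saved set-id behind, so a later setegid()/seteuid() could restore the dropped privilege.

```c
/* Added example, not util-linux/uuidd code: permanently return a
 * setuid/setgid program's credentials to the caller's real uid/gid,
 * then verify that the elevated ids cannot be reacquired. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* The *res* calls are only declared by <unistd.h> under _GNU_SOURCE;
 * repeating the prototypes keeps the file compiling if the feature
 * macro was set after another header already pulled in features.h. */
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);
int getresuid(uid_t *, uid_t *, uid_t *);
int getresgid(gid_t *, gid_t *, gid_t *);

/* Returns 0 when no elevated credentials remain, -1 with errno set
 * (EPERM when a post-drop check fails) otherwise. Calling it when
 * nothing was elevated is a no-op that still runs the checks. */
int drop_privs_to_real(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();
    uid_t r, e, s;
    gid_t gr, ge, gs;

    /* 1. Supplementary groups: only root may change them and only root
     *    can have acquired any it should not keep, so clear the list
     *    when running with euid 0. A setgid-only binary inherits the
     *    caller's own groups, which need no change. */
    if (euid == 0 && getgroups(0, NULL) > 0 && setgroups(0, NULL) < 0)
        return -1;

    /* 2. gid before uid: once the uid is no longer root, a privileged
     *    group change would fail. setresgid()/setresuid() set real,
     *    effective and saved ids together; setgid()/setuid() from an
     *    unprivileged caller change only the effective id. */
    if (setresgid(rgid, rgid, rgid) < 0)
        return -1;
    if (setresuid(ruid, ruid, ruid) < 0)
        return -1;

    /* 3. Verify that all six ids (real, effective, saved) are the real
     *    ones ... */
    if (getresuid(&r, &e, &s) < 0 || getresgid(&gr, &ge, &gs) < 0)
        return -1;
    if (r != ruid || e != ruid || s != ruid ||
        gr != rgid || ge != rgid || gs != rgid) {
        errno = EPERM;
        return -1;
    }
    /* 4. ... and that the previous effective ids are unreachable. If
     *    seteuid()/setegid() succeeds here, the drop was incomplete. */
    if (euid != ruid && seteuid(euid) == 0) { errno = EPERM; return -1; }
    if (egid != rgid && setegid(egid) == 0) { errno = EPERM; return -1; }
    return 0;
}

int main(void)
{
    if (drop_privs_to_real() < 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("running as uid %u gid %u, no elevated ids left\n",
           (unsigned) geteuid(), (unsigned) getegid());
    return 0;
}
```

Run from a non-setuid binary the routine is a no-op that still passes its checks; installed setgid, the regain test in step 4 is what distinguishes a real drop from one that merely changed the effective gid. Ted's objection above still applies to any program that exposes a switch to skip the call: the drop is then a convenience for the default path, not a boundary the program can rely on.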



Thread overview: 35+ messages
2012-03-29 16:45 [PATCH 00/20] *** uuidd: refactoring & systemd support + build-sys fixes *** Petr Uzel
2012-03-29 16:45 ` [PATCH 01/20] uuidd: use UUIDD_OP_GETPID instead of magic number Petr Uzel
2012-03-29 16:45 ` [PATCH 02/20] uuidd: remove useless initialization of cleanup_socket Petr Uzel
2012-03-29 16:45 ` [PATCH 03/20] uuidd: factor out pidfile creation into separate function Petr Uzel
2012-03-29 16:45 ` [PATCH 04/20] uuidd: implement --no-pid option Petr Uzel
2012-04-03 12:51   ` Karel Zak
2012-04-05  7:36     ` Petr Uzel
2012-03-29 16:45 ` [PATCH 05/20] uuidd: implement --no-fork option Petr Uzel
2012-03-29 16:45 ` [PATCH 06/20] uuidd: factor out socket creation into separate function Petr Uzel
2012-03-29 16:45 ` [PATCH 07/20] uuidd: implement --socket-activation option Petr Uzel
2012-04-03 13:03   ` Karel Zak
2012-04-05  7:46     ` Petr Uzel
2012-03-29 16:45 ` [PATCH 08/20] uuidd: print all debugging information to stderr Petr Uzel
2012-03-29 16:45 ` [PATCH 09/20] uuidd: factor out dropping of privileges into separate function Petr Uzel
2012-03-29 16:45 ` [PATCH 10/20] uuidd: make drop_privs true by default in main() Petr Uzel
2012-03-29 21:29   ` Ted Ts'o
2012-03-31 16:38     ` Petr Uzel [this message]
2012-03-29 16:45 ` [PATCH 11/20] uuidd: introduce --keep-privs option Petr Uzel
2012-04-03 13:32   ` Karel Zak
2012-04-05  7:48     ` Petr Uzel
2012-03-29 16:45 ` [PATCH 12/20] uuidd: --socket-activation implies --keep-privs Petr Uzel
2012-04-03 13:38   ` Karel Zak
2012-04-05  7:49     ` Petr Uzel
2012-03-29 16:45 ` [PATCH 13/20] uuidd: add systemd unit files Petr Uzel
2012-04-03 14:01   ` Karel Zak
2012-04-03 14:47     ` Tom Gundersen
2012-04-05  7:52       ` Petr Uzel
2012-04-05  8:23         ` Karel Zak
2012-03-29 16:45 ` [PATCH 14/20] libuuid: use EXIT_FAILURE Petr Uzel
2012-03-29 16:45 ` [PATCH 15/20] libuuid: implement --disable-libuuid-exec-uuidd configure option Petr Uzel
2012-03-29 16:45 ` [PATCH 16/20] libuuid: fix typo in uuid_compare manpage Petr Uzel
2012-03-29 16:45 ` [PATCH 17/20] build-sys: run distcheck with verbose make rules Petr Uzel
2012-03-29 16:45 ` [PATCH 18/20] build-sys: add ttyutils.h to dist Petr Uzel
2012-03-29 16:45 ` [PATCH 19/20] build-sys: add fsprobe.h " Petr Uzel
2012-03-29 16:45 ` [PATCH 20/20] build-sys: fix installation of uuidd units with make distcheck Petr Uzel
