| delorie.com/archives/browse.cgi | search |
| X-Recipient: | archive-cygwin AT delorie DOT com |
| DomainKey-Signature: | a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id |
| :list-unsubscribe:list-subscribe:list-archive:list-post | |
| :list-help:sender:message-id:date:from:mime-version:to:subject | |
| :references:in-reply-to:content-type:content-transfer-encoding; | |
| q=dns; s=default; b=NuajJKzvmKA2F31ruQSL8c9G5Kwz3dKhZ6DRxSmhkqG | |
| AgWtdLMuF+TOt88XRfc3z3qAWwDdS6KKmiCMLZLugdrRjzH8gM/0w6zRpcn2yi2i | |
| UZsSiUEMbD51cJVDcxS7QUtayM/CkstGqiHgODb9hynpl9hmvbwXke8969wKCJnU | |
| = | |
| DKIM-Signature: | v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id |
| :list-unsubscribe:list-subscribe:list-archive:list-post | |
| :list-help:sender:message-id:date:from:mime-version:to:subject | |
| :references:in-reply-to:content-type:content-transfer-encoding; | |
| s=default; bh=6zzrEZb6uh6IpYzTR9RlGSzpII8=; b=wr5/E2RYlZCiBNM7R | |
| 9j/lUeaRkkfWIHusWGf5hj877IzooF7t+GkuYqrnWshTE0GNePjfmSoUOosxRxhn | |
| Ip1E2fueWYmkE236MdihvizuTs5zp56mrhhCoNOnAqptYKD/6vJXzczsffLsIDRk | |
| J+5z5jOEoN8tAbPZXQ/8nLjXnM= | |
| Mailing-List: | contact cygwin-help AT cygwin DOT com; run by ezmlm |
| List-Id: | <cygwin.cygwin.com> |
| List-Subscribe: | <mailto:cygwin-subscribe AT cygwin DOT com> |
| List-Archive: | <http://sourceware.org/ml/cygwin/> |
| List-Post: | <mailto:cygwin AT cygwin DOT com> |
| List-Help: | <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs> |
| Sender: | cygwin-owner AT cygwin DOT com |
| Mail-Followup-To: | cygwin AT cygwin DOT com |
| Delivered-To: | mailing list cygwin AT cygwin DOT com |
| Authentication-Results: | sourceware.org; auth=none |
| X-Virus-Found: | No |
| X-Spam-SWARE-Status: | No, score=0.0 required=5.0 tests=AWL,BAYES_50,RP_MATCHES_RCVD autolearn=ham version=3.3.2 |
| X-HELO: | Ishtar.hs.tlinx.org |
| Message-ID: | <53D30D67.2070209@tlinx.org> |
| Date: | Fri, 25 Jul 2014 19:07:35 -0700 |
| From: | Linda Walsh <cygwin AT tlinx DOT org> |
| User-Agent: | Thunderbird |
| MIME-Version: | 1.0 |
| To: | cygwin AT cygwin DOT com |
| Subject: | Re: The deprecated uid issue: use caps |
| References: | <53CF6CEC DOT 6D68E485 AT boland DOT nl> <53CF7012 DOT 2070608 AT tlinx DOT org> <53CF749A DOT 1315B799 AT boland DOT nl> |
| In-Reply-To: | <53CF749A.1315B799@boland.nl> |
| X-IsSubscribed: | yes |
D. Boland wrote: > Linda Walsh wrote: >> D. Boland wrote: >>> But I had to compromise in some critical areas. One of them is the uid issue. >>> >>> * sendmail, procmail, mail.local assume that the id of the privileged user is '0'. >>> >>> Isn't it about time to make this our First Directive also? >>> >>> >> I thought sendmail used capabilities? >> >> Isn't it about time none of them used a fixed 'uid', but used capabilities? >> >> I thought hard coding a Uid was going out with the dodo bird? > > You didn't get the point. We create a kernel on which Linux software runs. We don't > dictate how software should be written. You are missing the point. MS privilege model is the MS version of the linux capability model. MS didn't get it wrong, linux has been slow to adopt, but MS had linux capabilities 10 years before linux did. Several other people have tried to explain that the way to go is to use the "minimum priviledge model". For example, almost ALL user have the "unreadable directory traversal" priv/capability. To enforce it cost alot in execution time on Windows (as it would under cygwin). Another priviledge is to "impersonate" another user; sendmail would likely need such a privilege. Another is to ignore file-permissions. It would be questionable whether or not sendmail needed that. Sendmail was using capabilities back in 2000 when I brought a basic "non-reciprocal action" bug in the capability code to the attention of Ted Tso, he told me and others that I didn't know what I was talking about and they were following POSIX and my "find" was irrelevant under POSIX. About 10 days later there was a day-zero exploit involving the bug in the defective code using sendmail's capability usage as the vector. The result was kernel caps being disabled for the next few years until the cap-code could be reviewed by more eyes and knew what to look for. So I'm pretty sure sendmail has had code to extensively run solely off of capabilities and has had it for some time. I'd be surprised if it was removed. Linux software that uses the capability model is likely to not have these problems. But saying that any random linux software with security bugs from the past should work on cygwin, seems like a ridiculous stance to take. You can set capabilities on files processes and network sockets. Linux file systems with "extended attributes" or "alternate data forks" (2 names for the same thing), can and do support "SETCAP" on linux files that works just like SETUID, but for capabilities. MS only supports the capability model and uses it to implement their Admin or privileged user model. They don't support the less secure setuid model that linux is moving away from. Does this help clarify the issue ? -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
| webmaster | delorie software privacy |
| Copyright © 2019 by DJ Delorie | Updated Jul 2019 |