X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:message-id:date:from:mime-version:to:subject
	:references:in-reply-to:content-type:content-transfer-encoding;
	 q=dns; s=default; b=NuajJKzvmKA2F31ruQSL8c9G5Kwz3dKhZ6DRxSmhkqG
	AgWtdLMuF+TOt88XRfc3z3qAWwDdS6KKmiCMLZLugdrRjzH8gM/0w6zRpcn2yi2i
	UZsSiUEMbD51cJVDcxS7QUtayM/CkstGqiHgODb9hynpl9hmvbwXke8969wKCJnU
	=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:message-id:date:from:mime-version:to:subject
	:references:in-reply-to:content-type:content-transfer-encoding;
	 s=default; bh=6zzrEZb6uh6IpYzTR9RlGSzpII8=; b=wr5/E2RYlZCiBNM7R
	9j/lUeaRkkfWIHusWGf5hj877IzooF7t+GkuYqrnWshTE0GNePjfmSoUOosxRxhn
	Ip1E2fueWYmkE236MdihvizuTs5zp56mrhhCoNOnAqptYKD/6vJXzczsffLsIDRk
	J+5z5jOEoN8tAbPZXQ/8nLjXnM=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=0.0 required=5.0 tests=AWL,BAYES_50,RP_MATCHES_RCVD autolearn=ham version=3.3.2
X-HELO: Ishtar.hs.tlinx.org
Message-ID: <53D30D67.2070209@tlinx.org>
Date: Fri, 25 Jul 2014 19:07:35 -0700
From: Linda Walsh <cygwin AT tlinx DOT org>
User-Agent: Thunderbird
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: The deprecated uid issue: use caps
References: <53CF6CEC DOT 6D68E485 AT boland DOT nl> <53CF7012 DOT 2070608 AT tlinx DOT org> <53CF749A DOT 1315B799 AT boland DOT nl>
In-Reply-To: <53CF749A.1315B799@boland.nl>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-IsSubscribed: yes

D. Boland wrote:
> Linda Walsh wrote:
>> D. Boland wrote:
>>> But I had to compromise in some critical areas. One of them is the uid issue.
>>>
>>> * sendmail, procmail, mail.local assume that the id of the privileged user is '0'.
>>>
>>> Isn't it about time to make this our First Directive also?
>>>
>>>
>> I thought sendmail used capabilities?
>>
>> Isn't it about time none of them used a fixed 'uid', but used capabilities?
>>
>> I thought hard coding a Uid was going out with the dodo bird?
>
> You didn't get the point. We create a kernel on which Linux software runs. We don't
> dictate how software should be written.
You are missing the point.

MS privilege model is the MS version of the linux capability model. 

MS didn't get it wrong, linux has been slow to adopt, but MS had linux
capabilities 10 years before linux did.

Several other people have tried to explain that the way to go is to use
the "minimum priviledge model". 

For example, almost ALL user have the "unreadable directory traversal" 
priv/capability.

To enforce it cost alot in execution time on Windows (as it would under 
cygwin).

Another priviledge is to "impersonate" another user; sendmail would
likely need such a privilege.  Another is to ignore file-permissions. 
It would be questionable whether or not sendmail needed that.

Sendmail was using capabilities back in 2000 when I brought a basic
"non-reciprocal action"  bug in the capability code to the attention
of Ted Tso, he told me and others that I didn't know what I was talking
about and they were following POSIX and my "find" was irrelevant under 
POSIX.
About 10 days later there was a day-zero exploit involving the bug
in the defective code using sendmail's capability usage as the vector.
The result was kernel caps being disabled for the next few years until
the cap-code could be reviewed by more eyes and knew what to look for.

So I'm pretty sure sendmail has had code to extensively run solely off
of capabilities and has had it for some time.  I'd be surprised if it
was removed. 

Linux software that uses the capability model is likely to not have
these problems.  But saying that any random linux software with security 
bugs
from the past should work on cygwin, seems like a ridiculous stance to
take.

You can set capabilities on files processes and network sockets. Linux file
systems with "extended attributes" or "alternate data forks" (2 names 
for the
same thing), can and do support "SETCAP" on linux files that works just
like SETUID, but for capabilities.

MS only supports the capability model and uses it to implement their
Admin or privileged user model.  They don't support the less secure setuid
model that linux is moving away from.

Does this help clarify the issue ?






--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple