CC list reduced considering I'm going to ask about a slightly different topic.

This is fantastic research Sergey, this vuln especially so.

On Wed, 3 Nov 2021 at 03:49, Sergey Bugaev <buga...@gmail.com> wrote:
>
> To get someone privileged to authenticate to me, I went with the same
> exec(/bin/su) trick, which makes the root filesystem reauthenticate all of
> the process's file descriptors. If we place our own port among the file
> descriptors, we'll get an io_reauthenticate () call from the root
> filesystem on it, which we'll forward to the proc server, pretending to
> reauthenticate our process.
>

I've been meaning to ask: Why does the Hurd attempt to re-authenticate open
file descriptors during exec? It seems to eliminate a rather convenient
method of delegation; a process opening a descriptor, forking and executing
a child, and dropping privileges, while retaining access to that one
resource. I realise you can still do this by manipulating ports directly
(this only applies specifically to the contents of the descriptor table).
Is it required for POSIX compliance somehow, or was there some other
interesting use case?

--
William ML Leslie
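The delegation pattern William describes, shown as an added example that is not part of the thread: on a POSIX system without exec-time reauthentication, a parent opens a resource, revokes all path-based access to it (here with chmod 0, standing in for dropping privileges), and then forks and execs a child. The child, running `/bin/cat`, can still read the file through the inherited descriptor even though it could not reopen it by name. The file path, the helper names and the use of `/bin/cat` are assumptions of this example, not anything from the original message.

```c
/* Added example (not from the mailing-list thread): demonstrates the POSIX
 * delegation pattern -- open a resource, fork, exec a child, and the child
 * keeps access through the inherited descriptor even though it could not
 * reopen the file by path. Assumes a POSIX system with /bin/cat and /tmp. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run /bin/cat in a child with its stdin bound to 'fd'; collect the child's
 * stdout into 'out' (NUL-terminated). Returns bytes read, or -1 on failure. */
static ssize_t exec_cat_on_fd(int fd, char *out, size_t outsz) {
    int pipefd[2];
    if (pipe(pipefd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Child: the inherited descriptor is our only handle on the file. */
        dup2(fd, STDIN_FILENO);
        dup2(pipefd[1], STDOUT_FILENO);
        close(pipefd[0]);
        close(pipefd[1]);
        close(fd);
        execl("/bin/cat", "cat", (char *)NULL);
        _exit(127);
    }
    close(pipefd[1]);
    size_t total = 0;
    while (total + 1 < outsz) {
        ssize_t n = read(pipefd[0], out + total, outsz - 1 - total);
        if (n <= 0) break;
        total += (size_t)n;
    }
    out[total] = '\0';
    close(pipefd[0]);
    int status;
    waitpid(pid, &status, 0);
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    return (ssize_t)total;
}

/* Create a temporary file containing 'secret', open a read descriptor on it,
 * then revoke path-based access with chmod(0). Returns 1 if a child that
 * exec'd /bin/cat still read the secret via the inherited descriptor, else 0.
 * *reopen_ok reports whether open() by path still succeeds afterwards (it
 * does for root, which ignores mode bits; the delegation result is the same). */
int delegated_fd_survives_exec(const char *secret, int *reopen_ok) {
    char path[] = "/tmp/delegate-XXXXXX";   /* constructed sample location */
    int wfd = mkstemp(path);
    if (wfd < 0) return 0;
    size_t len = strlen(secret);
    if (write(wfd, secret, len) != (ssize_t)len) { close(wfd); unlink(path); return 0; }
    close(wfd);

    int rfd = open(path, O_RDONLY);
    if (rfd < 0) { unlink(path); return 0; }
    chmod(path, 0);                       /* no further opens by path (except root) */
    int probe = open(path, O_RDONLY);
    *reopen_ok = probe >= 0;
    if (probe >= 0) close(probe);

    char buf[256];
    ssize_t n = exec_cat_on_fd(rfd, buf, sizeof buf);
    close(rfd);
    unlink(path);
    return n == (ssize_t)len && memcmp(buf, secret, len) == 0;
}

int main(void) {
    int reopen_ok = 0;
    int ok = delegated_fd_survives_exec("delegated-secret\n", &reopen_ok);
    printf("child read via inherited fd: %s; reopen by path: %s\n",
           ok ? "yes" : "no", reopen_ok ? "allowed" : "denied");
    return ok ? 0 : 1;
}
```

Run as an unprivileged user the program reports that the reopen by path is denied while the exec'd child still reads the contents: the descriptor behaves as a capability that exec does not re-check. A system that reauthenticates descriptors at exec, as William notes the Hurd does for the descriptor table, would have to re-check that access against the new credentials instead.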