On Wednesday 22 January 2003 04:35, Garth Meisel wrote:
> Yes, very good answer and thank you for confirming exactly what I thought.
> A small tradeoff for a larger one.
> I think I can just leave it at that. Can you?
just to detail a bit more (because we loooove detail, right? ;), what trevor
was referring to is usually referred to as "dropping privileges". the program
starts out with more privileges than it really needs, in this case root. but
it may need those privileges for only a few crucial steps during
initialization. in the case of gpg it's to lock memory, in the case of apache
it's to secure a privileged port, etc. a properly written program will
perform all the functions that require those elevated privileges as quickly
as possible and do as little else before that as possible, at which point it
will tell the OS "ok, demote me to a lower privileged user". once that
demotion (or dropping of privilege) has taken place, the program cannot get
back into the elevated privilege state; it's as if the program was started as
that user. this means that the time frame to take advantage of the elevated
privileges is very small and the code that needs the most scrutiny w/regards
to security is limited in scope.

openssh has taken a slightly different and newer tack with their "privilege
separation". this accomplishes much the same thing but for apps which can't
drop privileges entirely because they need special access throughout their
run time. basically they create two processes: one privileged and one not,
with the privileged one providing a limited set of services only to the
unprivileged process. this again limits the code that runs with privilege and
keeps the privileged process at arm's reach from the actual user interaction.

another strategy is change root jails, wherein if a program does become
compromised it doesn't affect the system as it doesn't have access to it. of
course, this isn't really useful for something like gpg =)
--
Aaron J. Seigo
GPG Fingerprint: 8B8B 2209 0C6F 7C47 B1EA EE75 D6B7 2EB1 A7F1 DB43
"Everything should be made as simple as possible, but not simpler"
- Albert Einstein
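As an added illustration of the privilege-dropping sequence described in the message above (this is example code, not from the message, gpg or apache): the order of the calls matters, and the demotion is verified rather than assumed. The target uid/gid passed in, and the value 65534 for the "nobody" account in main, are assumptions.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <grp.h>

/* Drop from root to the given uid/gid permanently and verify that the
 * demotion stuck. Returns 0 on success, -1 if any step failed or root could
 * still be regained. Safe to call when already unprivileged: it then only
 * checks that the process already runs as the requested ids. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0) {
        /* Order matters: supplementary groups and the primary group must be
         * changed while still root, because after setuid() these calls
         * would fail with EPERM. */
        if (setgroups(1, &gid) != 0) return -1;
        if (setgid(gid) != 0) return -1;
        /* setuid() as root sets the real, effective and saved uid, so no
         * saved root id is left to switch back to. */
        if (setuid(uid) != 0) return -1;
    } else if (getuid() != uid || getgid() != gid) {
        return -1; /* an unprivileged process cannot change to other ids */
    }
    /* Verify, never assume: all ids match the target ... */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) return -1;
    /* ... and the demotion is irreversible (a successful setuid(0) here
     * would mean a saved root id survived). */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* 1 if the process can (still) become root; must be 0 after a successful
 * drop to a non-root uid. */
int can_regain_root(void) {
    return setuid(0) == 0;
}

int main(void) {
    /* 65534 is assumed to be the "nobody" account; adjust for your system. */
    uid_t target_uid = geteuid() == 0 ? 65534 : getuid();
    gid_t target_gid = geteuid() == 0 ? 65534 : getgid();
    if (drop_privileges(target_uid, target_gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("running as uid %u, can regain root: %s\n",
           (unsigned)geteuid(), can_regain_root() ? "yes" : "no");
    return 0;
}
```

Run it once as root and once as a normal user to see the difference: started as root it ends up as uid 65534 and reports that root cannot be regained.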