On Thu, 15 Feb 2007 14:00:04 +0000 martin f krafft <[EMAIL PROTECTED]> wrote:
> also sprach Curt Manucredo <[EMAIL PROTECTED]> [2007.02.15.1328 +0000]:
> > request client. since urequestd does not execute any process
> > unless it comes from an urequest-client, all verifications are
> > done in the urequest client program. this includes user and group
> > verification as well as checking if the request even exists.
>
> This sounds like a bad idea. All I have to do is imposter as
> urequest-client and I can execute anything.

Yes, this is correct, but it won't be able to call any command as far as I can see! But since I have discovered that it is not safe to check the gid and uid in the client, I have moved all the tests out of the client into the daemon. So now I check the uid and gids in the /proc file system, as I already do with the cmdline file in /proc to authenticate the request. I moved it into the client thinking that it is safe; it is of course not.

But why do you say you can execute anything? The daemon checks /proc/pid_of_urequest/cmdline and compares it with the request sent through the fifo file. It now checks the uid and gids and, in case everything is fine, it executes the rule as long as it exists and the user is allowed to do so.

So, are you still sure you can impersonate the client with these restrictions? If so, I will have to let it die! ;-(

But well, I have a little problem! Why are there, in /proc/pid_of_urequest/status, in the lines Uid: and Gid:, four times the Uid and Gid? Why is it so? Can you please explain to me why.

However, I have reinvented the wheel in a complicated way, but I learn much about the system I run this way.

> > What's the added benefit over, say, sudo?
>

I am not quite sure about sudo, since it asks for a password from time to time. I use urequestd for example for the battery check daemon so it does not need to run as root. It does everything as a normal system user and, in case the battery runs low, it executes the hibernate command through a rule with urequestd. This was the very first task of urequestd.

Then I use it for wvdial and ifupdown. And only those rules exist. It will not call anything outside of /etc/urequestd/rules/.

Thank you for the reply.

Regards,
curt

-- 
make sure that anywhere in your mail the string 'debian' appears.
otherwise your message will not end up in my mailbox!

Curt Manucredo
curtm2 at yahoo dot de

 .''`.
: :' :
`. `'`
  `-
proud debian-user

http://www.debian.org
http://blueblended.wordpress.com
http://www.keinverlag.at/autoren.php?autor=2311
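On the question in the message above: the Uid: and Gid: lines of /proc/<pid>/status carry four numbers each because Linux keeps four ids per process, the real, effective, saved-set and filesystem id, printed in that order (see proc(5)). For an ordinary process all four are equal; they diverge for a setuid/setgid binary (real id of the caller, effective and saved id of the file owner) or after the process has switched ids itself. The following is an added example, not urequestd's code, showing how a daemon would parse those lines and what a sensible check on them looks like; the struct and function names, the "all four uids must agree" policy and the two sample status texts are constructed for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* The four ids Linux prints per line: real, effective, saved-set, filesystem. */
struct proc_ids {
    unsigned long uid[4];
    unsigned long gid[4];
};

/* Parse "Uid:\t1000\t1000\t1000\t1000" into out[0..3]; 0 on success, -1 if malformed. */
static int parse_id_line(const char *line, unsigned long out[4])
{
    const char *p = strchr(line, ':');
    if (p == NULL)
        return -1;
    p++;
    for (int i = 0; i < 4; i++) {
        char *end;
        unsigned long v = strtoul(p, &end, 10);   /* strtoul skips the leading tab */
        if (end == p)                              /* fewer than four numbers */
            return -1;
        out[i] = v;
        p = end;
    }
    return 0;
}

/* Parse the text of a status file; 0 only if both a valid Uid: and Gid: line exist. */
int parse_status_text(const char *text, struct proc_ids *ids)
{
    int have_uid = 0, have_gid = 0;
    const char *line = text;

    while (line != NULL && *line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[256];
        if (len < sizeof buf) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            if (strncmp(buf, "Uid:", 4) == 0)
                have_uid = (parse_id_line(buf, ids->uid) == 0);
            else if (strncmp(buf, "Gid:", 4) == 0)
                have_gid = (parse_id_line(buf, ids->gid) == 0);
        }
        line = nl ? nl + 1 : NULL;
    }
    return (have_uid && have_gid) ? 0 : -1;
}

/* Read and parse /proc/<pid>/status of a live process; 0 on success. */
int read_proc_ids(pid_t pid, struct proc_ids *ids)
{
    char path[64], text[8192];
    snprintf(path, sizeof path, "/proc/%ld/status", (long)pid);
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    size_t n = fread(text, 1, sizeof text - 1, f);
    fclose(f);
    text[n] = '\0';
    return parse_status_text(text, ids);
}

/* Hypothetical daemon policy: accept the requester only if all four uids agree
 * (a setuid binary has real != effective) and the real uid is the allowed one. */
int requester_allowed(const struct proc_ids *ids, unsigned long allowed_uid)
{
    for (int i = 1; i < 4; i++)
        if (ids->uid[i] != ids->uid[0])
            return 0;
    return ids->uid[0] == allowed_uid;
}

/* Constructed sample status texts (not captured from a real system). */
const char SAMPLE_STATUS_PLAIN[] =
    "Name:\turequest\nState:\tS (sleeping)\nPid:\t4242\n"
    "Uid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\n";
const char SAMPLE_STATUS_SETUID[] =       /* setuid-root binary started by uid 1000 */
    "Name:\tsu\nPid:\t4243\nUid:\t1000\t0\t0\t0\nGid:\t1000\t1000\t1000\t1000\n";

int main(void)
{
    struct proc_ids ids;
    if (read_proc_ids(getpid(), &ids) == 0)
        printf("self: real=%lu effective=%lu saved=%lu fs=%lu\n",
               ids.uid[0], ids.uid[1], ids.uid[2], ids.uid[3]);
    else
        puts("no /proc/<pid>/status available (not Linux?)");
    parse_status_text(SAMPLE_STATUS_SETUID, &ids);
    printf("setuid sample allowed for uid 1000? %d\n", requester_allowed(&ids, 1000));
    return 0;
}
```

One caveat a practitioner would want alongside this: the uid/gid lines are written by the kernel and cannot be altered by the process, but /proc/<pid>/cmdline is read straight out of the process's own argv memory, which the process may overwrite at will (this is how setproctitle-style renaming works), so matching cmdline against an expected string identifies the sender no better than the sender chooses to be identified.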

