On Wed, 26 Apr 2000, Derek Martin wrote:
> I guess I'll get off my soapbox now... :)
Thanks, I need to borrow it... :)
> I'll offer that an SUID program is NOT inherently dangerous.
Neither is an executable stack. ;-)
I know that SUID-root programs can be written in a robust manner, but I
maintain that if you have a separate facility that avoids the need for running
things as root, you get several benefits:
- Less effort is needed to write the program
- Bugs in the program do not lead to security exploits
- The program does not need to do any security checking, and can leave
that up to the OS (which is, IMO, where it belongs)
- One less SUID program is one less thing I have to worry about
> A well-designed SUID program is not a danger.
"If architects designed buildings the way programmers write programs, the
first woodpecker to come along would have destroyed civilization."
> If it were, all processes run as root would be inherently dangerous, and
> you could never manage your system.
I believe all processes run as root *are* inherently dangerous. In most
cases, care is taken to reduce the risk to acceptable levels, but the danger
is still there.
> Despite this, and as much as I respect Linus, I think the non-executable
> stack patch should be incorporated into the kernel proper.
I agree, just because anything that makes a cracker's life more difficult is
good news to me, but ...
> His argument is something like "adding it is like inviting people to
> write bad code, and leaving it out encourages better code."
... his argument also includes something to the effect that, in many cases
where a stack smash leads to an exploit, a carefully crafted attack would give
arbitrary access without an executable stack.
The only way to ensure protection against code modifications via unchecked
input would be to make all executable code *read only* to the process. As I
understand it, some OSes do this, but Unix cannot, because too many programs
write to their code segment.
And of course, even if you did institute the above, other holes (e.g.,
tricking a program into running a command it should not) are still possible.
--
Ben Scott <[EMAIL PROTECTED]>
Net Technologies, Inc. <http://www.ntisys.com>
Voice: (800)905-3049 x18 Fax: (978)499-7839
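The point about making executable code read-only to the process (and the non-executable stack patch discussed above) can be checked on a running Linux system by looking for memory regions that are both writable and executable. The program below is an added example, not code from the original post or from anyone on the list. It parses lines in the /proc/self/maps format (a real Linux interface); the sample map lines are constructed for illustration, and the function names are my own.

```c
/* Added example (not from the original mailing-list post): scan a memory
 * map in /proc/<pid>/maps format and flag any region that is both
 * writable and executable, i.e. exactly the regions a "read-only code,
 * non-executable stack" policy forbids.  A constructed sample map is
 * embedded so the parser runs offline; the live check on the calling
 * process is only attempted when /proc/self/maps exists. */
#include <stdio.h>
#include <string.h>

/* Inspect the permission field of one maps line, e.g. "rwxp" in
 * "7ffffffde000-7ffffffff000 rwxp 00000000 00:00 0 [stack]". */
static int line_is_wx(const char *line)
{
    char perms[8];
    /* skip the address range, then read the permission field */
    if (sscanf(line, "%*s %7s", perms) != 1)
        return 0;
    return strchr(perms, 'w') != NULL && strchr(perms, 'x') != NULL;
}

/* Count W+X regions in a buffer of newline-separated maps lines. */
int count_wx_regions(const char *maps_text)
{
    int count = 0;
    const char *p = maps_text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full;
        char line[512];
        if (len >= sizeof line)
            len = sizeof line - 1;      /* truncate over-long lines */
        memcpy(line, p, len);
        line[len] = '\0';
        if (len > 0 && line_is_wx(line))
            count++;
        p = nl ? nl + 1 : p + full;
    }
    return count;
}

/* Live check of the calling process.  Returns the W+X region count, or
 * -1 when /proc/self/maps is unavailable (non-Linux systems). */
int count_wx_regions_self(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    int count = 0;
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f))
        if (line_is_wx(line))
            count++;
    fclose(f);
    return count;
}

/* Constructed sample: an ordinary layout plus one rwx stack, which is
 * what a process running with an executable stack would show. */
static const char SAMPLE_MAPS[] =
    "00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/example\n"
    "00600000-00601000 rw-p 00000000 08:01 1234 /usr/bin/example\n"
    "7ffff7dd0000-7ffff7df5000 r-xp 00000000 08:01 5678 /lib/ld.so\n"
    "7ffffffde000-7ffffffff000 rwxp 00000000 00:00 0 [stack]\n";

int main(void)
{
    int live;
    printf("W+X regions in sample map: %d\n", count_wx_regions(SAMPLE_MAPS));
    live = count_wx_regions_self();
    if (live < 0)
        printf("/proc/self/maps not available on this system\n");
    else
        printf("W+X regions in this process: %d\n", live);
    return 0;
}
```

A count of zero for the live process means no mapping in it is simultaneously writable and executable, which is the property the read-only-code argument above is after; a non-zero count points at the region (stack, heap or a JIT-style buffer) that would still let overwritten data be executed.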