From owner-freebsd-security@FreeBSD.ORG Sun Oct 7 20:49:13 2007 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 00D7116A417 for ; Sun, 7 Oct 2007 20:49:13 +0000 (UTC) (envelope-from SRS0=zt7abC=PB=vvelox.net=v.velox@yourhostingaccount.com) Received: from mailout11.yourhostingaccount.com (mailout11.yourhostingaccount.com [65.254.253.88]) by mx1.freebsd.org (Postfix) with ESMTP id AE23013C45D for ; Sun, 7 Oct 2007 20:49:12 +0000 (UTC) (envelope-from SRS0=zt7abC=PB=vvelox.net=v.velox@yourhostingaccount.com) Received: from mailscan15.yourhostingaccount.com ([10.1.15.15] helo=mailscan15.yourhostingaccount.com) by mailout11.yourhostingaccount.com with esmtp (Exim) id 1Ied3n-0001FA-QT for freebsd-security@freebsd.org; Sun, 07 Oct 2007 16:49:11 -0400 Received: from impout03.yourhostingaccount.com ([10.1.55.3] helo=impout03.yourhostingaccount.com) by mailscan15.yourhostingaccount.com with esmtp (Exim) id 1Ied3n-0006MW-Lr; Sun, 07 Oct 2007 16:49:11 -0400 Received: from authsmtp09.yourhostingaccount.com ([10.1.18.9]) by impout03.yourhostingaccount.com with NO UCE id xYpA1X00M0BkWne0000000; Sun, 07 Oct 2007 16:49:10 -0400 X-EN-OrigOutIP: 10.1.18.9 X-EN-IMPSID: xYpA1X00M0BkWne0000000 Received: from c-98-206-161-17.hsd1.il.comcast.net ([98.206.161.17] helo=vixen42) by authsmtp09.yourhostingaccount.com with esmtpa (Exim) id 1Ied3n-0000FE-9v; Sun, 07 Oct 2007 16:49:11 -0400 Date: Sun, 7 Oct 2007 15:49:16 -0500 From: "Zane C.B." To: Kostik Belousov Message-ID: <20071007154916.6c645982@vixen42> In-Reply-To: <20071007185314.GJ2180@deviant.kiev.zoral.com.ua> References: <20071007105258.2d4c2e37@vixen42> <47090895.9050202@nruns.com> <20071007122805.3853bffe@vixen42> <20071007180402.GI2180@deviant.kiev.zoral.com.ua> <20071007133917.73b5f665@vixen42> <20071007185314.GJ2180@deviant.kiev.zoral.com.ua> X-Mailer: Claws Mail 3.0.1 (GTK+ 2.10.14; i386-portbld-freebsd6.2) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-EN-UserInfo: 0d1ca1697cdb7a831d4877828571b7ab:1570f0de6936c69fef9e164fffc541bc X-EN-AuthUser: vvelox2 Sender: "Zane C.B." X-EN-OrigIP: 98.206.161.17 X-EN-OrigHost: c-98-206-161-17.hsd1.il.comcast.net Cc: freebsd-security@freebsd.org, Jan M?nther Subject: Re: issetugid() for other procs X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 07 Oct 2007 20:49:13 -0000 On Sun, 7 Oct 2007 21:53:14 +0300 Kostik Belousov wrote: > On Sun, Oct 07, 2007 at 01:39:17PM -0500, Zane C.B. wrote: > > On Sun, 7 Oct 2007 21:04:02 +0300 > > Kostik Belousov wrote: > > > > > On Sun, Oct 07, 2007 at 12:28:05PM -0500, Zane C.B. wrote: > > > > On Sun, 07 Oct 2007 18:25:57 +0200 > > > > Jan M?nther wrote: > > > > > > > > > man getuid, man geteuid. > > > > > > > > This does work for other procs, only the one that is calling > > > > it. > > > > > > > > Like I said initially I am looking to check if another proc > > > > has run setuid, seteuid, or been executed or forked by one > > > > that has. > > > > > > Note that what you trying to do is racy by definition. > > > > Why is that? It seems like something that be useful instead of > > something taboo. My interest in it is I am writing a database > > connector interested in making it paranoid as possible. > > Because you do not control the execution of the other process. As > consequence, value you get is outdated even before you start using > it. Yeah, this is another thing I need to look into. I need to look into how to go about figuring out if a program can be trusted or not. Just got thinking that any thing that has been run will have been run by something that ran it setuid. The project I am looking into is creating a database connector daemon and related pam module. When a user logs in their password they used is shoved into the PAM module and then a application can be used for accessing the database. Any thoughts in that area? My large interest in this is in regards to LDAP.