Date: Sun, 8 Jul 2001 16:10:09 -0700 (PDT)
From: Brad Huntting <huntting@glarp.com>
To: freebsd-bugs@FreeBSD.org
Subject: Re: bin/28333: rtprio/idprio setuid problems
Message-ID: <200107082310.f68NA9W13190@freefall.freebsd.org>
The following reply was made to PR bin/28333; it has been noted by GNATS.
From: Brad Huntting <huntting@glarp.com>
To: Kris Kennaway <kris@obsecurity.org>
Cc: Brad Huntting <huntting@glarp.com>,
FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/28333: rtprio/idprio setuid problems
Date: Sun, 08 Jul 2001 17:06:29 -0600

>> On some (but by no means all) systems it is desirable to
>> allow non-root users the ability to start realtime processes.

> The same can be said about almost any program which requires superuser
> privileges, not just rtprio/idprio.

>> The obvious way to allow this is to "chmod u+s /usr/sbin/rtprio".
>> Unfortunately, this causes all programs started with rtprio
>> (and idprio) to run as root. The included patch adds a
>> line to reset the euid before exec()ing the program.
>>
>> Note: I am NOT advocating that rtprio should be installed
>> setuid-root by default! However, if the sysadmin wants to
>> allow non-root users this privilege, then making a setuid-root
>> program (perhaps executable by only one group) is the "unix
>> way".

> No, the UNIX way is to use a tool like sudo (in the ports
> collection) which lets the admin manage which users get to execute
> which commands with privilege. Adding uid-management code to all
> sorts of non-privileged binaries just in case someone misguidedly
> makes it setuid is the wrong solution.

Granted, for programs like renice, chown, etc, sudo is ideal. But
chroot, {id,rt}prio, and nice are different because, not only do
they perform a privileged operation, they exec() a new program
afterward.

A sudo-like wrapper for these would need to grok the command line
semantics of each utility to be a viable alternative. Even then,
it would be a security risk, unless it provided some mechanism to
ensure that the command line semantics of nice (et al) stay in sync
with this sudo-like program. And once you've gone to all that
trouble you might as well just make a special setuid version of
nice (et al) that does uid management and is runnable by ordinary
users. Once you've done that, you might as well call it "nice"
(etc), because everyone already understands how "nice" works.

Or did you have some other idea for a sudo-like tool?

thanx,
brad
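
The pattern discussed in this message, a setuid-root wrapper that performs one privileged operation and then gives up root before exec()ing the user's command, as an added example; it is not the patch from the PR or FreeBSD's rtprio source. `drop_privileges` is a hypothetical helper, and `setpriority()` stands in for the `rtprio()` call so the code builds on any POSIX system.

```c
/* Added example: setuid-root wrapper in the style of rtprio/nice. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/resource.h>

/*
 * Permanently return to the invoking user's identity.
 * Group first: once the uid is dropped we may no longer change gids.
 * setuid() from euid 0 resets real, effective and saved uid, whereas
 * seteuid() alone leaves the saved uid at 0 and can be reverted.
 * Returns 0 on success, -1 on any failure.
 */
int drop_privileges(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* Confirm the drop took effect. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    /* If we really gave something up, regaining it must fail. */
    if (old_euid != ruid && seteuid(old_euid) == 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s priority command [args...]\n", argv[0]);
        return 64;
    }
    /* Privileged step; stand-in for rtprio(2), needs root if negative. */
    if (setpriority(PRIO_PROCESS, 0, atoi(argv[1])) != 0) {
        perror("setpriority");
        return 1;
    }
    /* Never exec the user's command if the drop failed. */
    if (drop_privileges() != 0) {
        fprintf(stderr, "privilege drop failed\n");
        return 1;
    }
    execvp(argv[2], &argv[2]);
    perror(argv[2]);
    return 1;
}
```

Checking every return value matters here: if the drop fails silently, the command named on the command line runs as root.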
