[bind10-dev] Possible suid root on b10-sockcreator
Jelte Jansen
jelte at isc.org
Mon Dec 19 09:48:48 UTC 2011
On 12/19/2011 09:32 AM, Michal 'vorner' Vaner wrote:
> Hello
>
> On Fri, Dec 16, 2011 at 03:06:52PM -0600, Jeremy C. Reed wrote:
>> We need to consider different users/groups for different run-time
>> components. A good example is stats-httpd (running on same system)
>> should not have privileges to modify zone data stores or configuration
>> JSON file.
>
> I wasn't aware of such a requirement. But as such, it sounds sane, so we probably
> shouldn't make it impossible to do so. Maybe we should add a configuration
> option to the components.
>
> But if we support this, we should still support at least one of the ways to
> support „everything as a user except for the creator who is root“.
>
Note that this would only be on the operating-system level (i.e.
creating, deleting, modifying files, etc.). With the current
architecture, as long as anything can connect to the messaging system,
it'll be able to do everything modules support through that. I tend to
think access controls on that level would be more important than
compartmented processes. But it would indeed add a layer of protection
if there are code-execution exploits.
>> As an idea, bind10 starts as root, and its configuration knows the
>> user:group to run each component as. But if bind10 drops its own
>> privileges then it can't restart them as desired.
>
> I believe the boss would need to run as root all the time then.
>
Yup... so adding such a protection would mean opening up another one,
smaller in terms of places where it happens, but bigger in potential
damage. So the question is, which is more important?
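
The arrangement discussed in this thread, as an added example that is not BIND 10 code and was not posted by any participant: a supervisor that stays root and starts each component under its own uid:gid. The component table, the uid/gid values, the command and the function names are assumptions made for illustration.

```python
import os
import subprocess

# Constructed component table: the uid/gid values and command are placeholders,
# not BIND 10 configuration.
COMPONENTS = {
    "stats-httpd": {"argv": ["/bin/true"], "uid": 1001, "gid": 1001},
}


def drop_privileges(uid, gid, osmod=os):
    """Permanently switch the calling process to uid:gid (run in the child)."""
    if uid == 0 or gid == 0:
        raise ValueError("target account must not be root")
    osmod.setgroups([])   # drop supplementary groups inherited from root
    osmod.setgid(gid)     # must come before setuid: it needs root to succeed
    osmod.setuid(uid)     # as root this sets real, effective and saved uid
    try:
        osmod.setuid(0)   # verify the drop cannot be undone
    except OSError:
        return
    raise RuntimeError("privilege drop is reversible, refusing to continue")


def spawn(name, table=COMPONENTS, osmod=os):
    """Start one component under its own account; the caller must still be root."""
    if osmod.geteuid() != 0:
        # The case raised in the thread: a supervisor that dropped its own
        # privileges can no longer (re)start components as other users.
        raise PermissionError("supervisor is not root, cannot switch user")
    comp = table[name]
    # preexec_fn runs in the child between fork and exec, so only the child
    # changes identity. It is not safe in multi-threaded parents; Python 3.9+
    # also accepts user=, group= and extra_groups= on Popen for the same job.
    return subprocess.Popen(
        comp["argv"],
        preexec_fn=lambda: drop_privileges(comp["uid"], comp["gid"], osmod),
        close_fds=True,
    )
```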