On Sun, Dec 15, 2019 at 11:50:13AM +0300, Alexey Tourbin wrote:
> On Fri, Dec 13, 2019 at 2:42 PM Alex Gladkov wrote:
> > The hasher-priv is a SUID utility. This is not good. Separation of the
> > server and client parts will allow us to remove the SUID flag.
>
> Removing the SUID flag shouldn't be an end in itself. You're still
> running a process with root privileges which serves user requests.
> It's the same, except that instead of the SUID flag, the process just
> starts as root. So you are not improving privilege separation or
> something, you are only limiting the ability of the user to tamper
> with the SUID binary. And tampering with the binary should be
> pointless anyway (unless glibc is faulty and permits arbitrary code
> injection, etc.).

While turning a suid root executable into a daemon doesn't automagically
make everything more secure, it's an important move in the right direction.

Firstly, the attack surface of a suid root executable is larger than that
of the equivalent root daemon on the other side of a unix domain socket,
so this change narrows the attack surface.

Secondly, this change opens the way for more elaborate privilege separation.

Thirdly, it makes hasher available for PR_SET_NO_NEW_PRIVS'ed processes
(e.g. self-seccomp'ed ones) that cannot make use of suid executables.

--
ldv