From: Andrey Savchenko
To: ALT Linux Team development discussions
Date: Mon, 16 Dec 2019 02:33:35 +0300
Subject: Re: [devel] [PATCH hasher-priv v1 0/3] Make a daemon from the hasher-priv

On Sun, 15 Dec 2019 11:50:13 +0300 Alexey Tourbin wrote:
> On Fri, Dec 13, 2019 at 2:42 PM Alex Gladkov wrote:
> > The hasher-priv is a SUID utility. This is not good. Separation of the
> > server and client parts will allow us to remove the SUID flag.
>
> Removing the SUID flag shouldn't be an end in itself. You're still
> running a process with root privileges which serves user requests.
> It's the same, except that instead of the SUID flag, the process just
> starts as root. So you are not improving privilege separation or
> something, you are only limiting the ability of the user to tamper
> with the SUID binary. And tampering with the binary should be
> pointless anyway (unless glibc is faulty and permits arbitrary code
> injection, etc.).

The code separation for the privileged and the unprivileged processes
allows the attack surface to be reduced when implemented properly.
Furthermore it should be possible to replace the SUID by the Linux
capabilities in future — so the code/process separation makes even more
sense here as it will lead to a smaller number of capabilities required.

I have not reviewed this code yet, but I like the idea.

Best regards,
Andrew Savchenko
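As an added example, not code from hasher-priv or from anyone in this thread, the following C program shows the privilege-separation pattern the reply argues for: a privileged parent keeps its rights and answers only a narrow, validated request set, while an unprivileged child (which drops to an unprivileged uid if it happens to hold root) talks to it over a socketpair. The request types, the build-id limit and the uid 65534 are constructed for illustration; a real service would resolve the account with getpwnam() and do its actual privileged work where the comment marks it.

```c
/* Added example (not hasher-priv code): minimal privilege separation.
 * Parent = privileged side, child = unprivileged side, socketpair between.
 * Request ids, the id limit and the fallback uid are constructed values. */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum req_type { REQ_PING = 1, REQ_CHROOT_BUILD = 2 }; /* constructed request ids */

struct request { int type; unsigned int build_id; };
struct reply   { int status; char msg[64]; };       /* status 0 = served, 1 = rejected */

/* The privileged side trusts nothing the unprivileged side sends: an unknown
 * request type or an out-of-range id is rejected before any work is done. */
int validate_request(const struct request *r)
{
    if (r->type != REQ_PING && r->type != REQ_CHROOT_BUILD)
        return 0;
    if (r->type == REQ_CHROOT_BUILD && r->build_id > 9999)  /* constructed limit */
        return 0;
    return 1;
}

/* Privileged parent: serve exactly one request from the child, then stop. */
static void serve_one(int fd)
{
    struct request r;
    struct reply rp = { 1, "rejected" };

    if (read(fd, &r, sizeof r) == (ssize_t)sizeof r && validate_request(&r)) {
        rp.status = 0;
        snprintf(rp.msg, sizeof rp.msg, "ok type=%d id=%u", r.type, r.build_id);
        /* real privileged work (mount, chroot preparation, ...) would go here */
    }
    (void)write(fd, &rp, sizeof rp);
}

/* Unprivileged child: give up root if we have it, then send one request.
 * Returns the reply status, or -1 if dropping privileges or I/O failed. */
static int ask_once(int fd, const struct request *r, struct reply *rp)
{
    if (geteuid() == 0) {
        uid_t nobody = 65534;  /* constructed; use getpwnam("nobody") in real code */
        if (setgroups(0, NULL) || setgid(nobody) || setuid(nobody))
            return -1;
    }
    if (write(fd, r, sizeof *r) != (ssize_t)sizeof *r)
        return -1;
    return read(fd, rp, sizeof *rp) == (ssize_t)sizeof *rp ? rp->status : -1;
}

/* Fork the two halves, run one exchange, return the reply status (-1 on error). */
int privsep_roundtrip(int type, unsigned int build_id)
{
    int sv[2], st;
    struct request r = { type, build_id };
    struct reply rp;
    pid_t pid;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                       /* unprivileged side */
        close(sv[0]);
        int s = ask_once(sv[1], &r, &rp);
        _exit(s < 0 ? 2 : s);
    }
    close(sv[1]);                         /* privileged side */
    serve_one(sv[0]);
    close(sv[0]);
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st))
        return -1;
    return WEXITSTATUS(st) == 2 ? -1 : WEXITSTATUS(st);
}

int main(void)
{
    printf("ping: %d (0 = served)\n", privsep_roundtrip(REQ_PING, 0));
    printf("bogus request: %d (1 = rejected by privileged side)\n",
           privsep_roundtrip(42, 0));
    return 0;
}
```

The point of the split is visible in validate_request(): the only code that runs with privilege is the small request handler, and it can be reviewed on its own, which is also what makes it practical later to grant that side a few capabilities instead of full root.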