[devel] [PATCH hasher-priv v1 0/3] Make a daemon from the hasher-priv

Alexey Tourbin alexey.tourbin на gmail.com
Вс Дек 15 11:50:13 MSK 2019


On Fri, Dec 13, 2019 at 2:42 PM Alex Gladkov <legion на altlinux.ru> wrote:
> The hasher-priv is a SUID utility. This is not good. Separation of the
> server and client parts will allow us to remove SUID flag.

Removing the SUID flag shouldn't be an end in itself. You're still
running a process with root privileges which serves user requests.
It's the same, except that instead of the SUID flag, the process just
starts as root.  So you are not improving privilege separation or
something, you are only limiting the ability of the user to tamper
with the SUID binary. And tampering with the binary should be
pointless anyway (unless glibc is faulty and permits arbitrary code
injection, etc.).


Подробная информация о списке рассылки Devel