[devel] [PATCH hasher-priv v1 0/3] Make a daemon from the hasher-priv
Andrey Savchenko
bircoph at altlinux.org
Mon Dec 16 02:33:35 MSK 2019
On Sun, 15 Dec 2019 11:50:13 +0300 Alexey Tourbin wrote:
> On Fri, Dec 13, 2019 at 2:42 PM Alex Gladkov <legion at altlinux.ru> wrote:
> > The hasher-priv is a SUID utility. This is not good. Separation of the
> > server and client parts will allow us to remove SUID flag.
>
> Removing the SUID flag shouldn't be an end in itself. You're still
> running a process with root privileges which serves user requests.
> It's the same, except that instead of the SUID flag, the process just
> starts as root. So you are not improving privilege separation or
> something, you are only limiting the ability of the user to tamper
> with the SUID binary. And tampering with the binary should be
> pointless anyway (unless glibc is faulty and permits arbitrary code
> injection, etc.).
The code separation for the privileged and the unprivileged
processes allows reducing the attack surface when implemented
properly. Furthermore, it should be possible to replace the SUID with
the Linux capabilities in future — so the code/process separation
makes even more sense here as it will lead to a smaller number of
capabilities required.
I have not reviewed this code yet, but I like the idea.
Best regards,
Andrew Savchenko