On Sun, 2004-10-03 at 10:37 -0700, Steve G wrote:
> OK, this sounds like just changing where a daemon writes the pid file
> instead of re-writing the code so fchown isn't called. Good.

Right.

> > > There are only 3 daemons that I can think of that need to be root:
> > > sshd, xinetd, crond.
> >
> > It can be a very significant amount of work to change a daemon to run as
> > non-root, like dhcpcd.
>
> Right. However, I think in the long term, you want to get as many
> converted as possible. That adds 1 more layer of protection just in case
> someone figures out a hole in se linux.

True. But you have to weigh the effort involved in that versus other
security threats, and I don't think in a lot of these cases it's worth
it.

> > There's still the general problem with discretionary access control
> > here too - A simple misconfiguration in one of the daemons before it
> > drops root privileges could cause it to overwrite the pid file for
> > another daemon, violating the system security policy.
>
> I haven't seen this, you'd have to code an exploit just for it.

I'm not talking about an exploit; a system administrator could
accidentally overwrite e.g. the <pidfile> section
of /etc/dbus/system.conf when pasting in configuration from elsewhere.
SELinux will prevent the configuration error from damaging the rest of
the system.

> I'm not against the proposal. I think it helps. I just want to try to
> air some of the details so more people understand what's being proposed.

Makes sense.
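As an added illustration of the approach discussed above (write the pid file somewhere the unprivileged daemon already owns, rather than creating it as root and calling fchown) and of the mis-pasted-path case: a hypothetical pid-file writer, not code from any daemon or project in this thread, that only creates the file inside a directory owned by the daemon's own uid and never replaces an existing file, so a configuration error pointing at another daemon's pid file is refused instead of clobbering it. Function and parameter names are my own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open 'dir' only if it is a directory owned by daemon_uid and writable by
 * nobody else, i.e. this daemon's own pid directory. -1 (errno set) otherwise. */
static int open_private_dir(const char *dir, uid_t daemon_uid)
{
    struct stat st;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    if (fstat(dfd, &st) < 0 || st.st_uid != daemon_uid ||
        (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        close(dfd);
        errno = EPERM; /* not our directory: refuse to touch anything in it */
        return -1;
    }
    return dfd;
}

/* Write the current pid to <dir>/<name>. O_EXCL never replaces an existing
 * file, so a path mis-pasted into a config file that now points at another
 * daemon's pid file fails instead of clobbering it. Call after
 * setuid(daemon_uid): the file is created already owned by the daemon, so
 * no fchown() is needed. Returns 0 on success, -1 (errno set) on failure. */
int write_pidfile(const char *dir, const char *name, uid_t daemon_uid)
{
    int dfd = open_private_dir(dir, daemon_uid);
    if (dfd < 0)
        return -1;
    int fd = openat(dfd, name,
                    O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0644);
    int saved = errno;
    close(dfd);
    if (fd < 0) {
        errno = saved;
        return -1;
    }
    int ok = dprintf(fd, "%ld\n", (long)getpid()) > 0;
    close(fd);
    return ok ? 0 : -1;
}
```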