I have a security-sensitive customer...
David.Collier-Brown at Sun.COM
Thu May 19 13:39:35 GMT 2005
Andrew Bartlett wrote:
> What changed was where it spends the idle cycles, but it
> is no more/less secure.
> Yes, we are screwed on a buffer overflow either way.
Actually I'd argue that a buffer overflow (or other
oops) induced by the user is way more serious
if it occurs while one is running as root.
This is basically what the customer is stressed
about: privelege escalation attacks.
Now this is no more or less secure than before,
as you noted above, it's just more visible to
the user, which caused him to whack me over
the head with the privilege escalation question (:-))
> For the times when we are actually accessing files, we 'become' the
> connecting user. This causes the kernel to enforce file access control
> on that basis, while still allowing us to switch back to root (and
> subsequently other users) for other operations.
Yes, they understand that, they know it's normal.
>> Have we an answer to their concerns? In particular, are
>> there cases where the way we do it is more secure?
Is there an argument we can legitimately make
that smbd is consciously considered a security-
critical program,and that we **downgrade**
privilege whenever accessing anything which is
under access control?
The latter clause is trivially true, we really
do do that (:-)), and I'd suggest that it is
easier to audit that code than it is to audit
all the intentional escalations in 2.x.
David Collier-Brown, | Always do right. This will gratify
Sun Microsystems, Toronto | some people and astonish the rest
davecb at canada.sun.com | -- Mark Twain
(416) 263-5733 (x65733) |
More information about the samba-technical