Message-ID: <5397B09D.5020807@skarnet.org>
Date: Wed, 11 Jun 2014 02:27:57 +0100
From: Laurent Bercot <ska-dietlibc@...rnet.org>
To: musl@...ts.openwall.com
Subject: Re: musl 1.0.x branch

On 10/06/2014 22:01, Rich Felker wrote:
> It's really odd that they include that text only in the RATIONALE,
> which is non-normative. Perhaps it's duplicated somewhere else? Note
> that the part of the quote you cropped was (at the beginning) "To
> provide tighter security," which suggests there's no reason this
> condition would need to be applied to root, but maybe it is anyway.

  Well, in the normative sections, there's this:

    ERRORS

    The setpgid() function shall fail if:

    (...)
    [EPERM]
    The value of the pgid argument is valid but does not match the
     process ID of the process indicated by the pid argument and there
     is no process with a process group ID that matches the value of
     the pgid argument in the same session as the calling process.

  which translates pretty clearly to "Thou shalt not join the process
group of another process lest it is of thy bloodline". No mention of
privileged processes here.

  And even if root could do that, it would basically force the daemon
to be started as root, and run some code run as root (if only to read
the pgid from the client), which would be ugly since not every suid
program is suid root.

-- 
  Laurent
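
The [EPERM] condition quoted in the message above can be observed directly. The following C program is an added example, not part of the original message or of musl; the helper name try_join() is hypothetical. It tries to join a process group in the caller's own session and then one in a different session.

```c
/* Added example (not from the thread); try_join() is a hypothetical helper. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 0 if setpgid(0, target_pgid) succeeds, else its errno (-1 on setup failure).
 * other_session != 0: the target group is created in a different session. */
int try_join(int other_session)
{
    int ready[2], st = 0;
    char c;
    if (pipe(ready) < 0) return -1;

    pid_t target = fork();
    if (target < 0) return -1;
    if (target == 0) {                        /* target: creates the group to join */
        close(ready[0]);
        if ((other_session ? setsid() : setpgid(0, 0)) < 0) _exit(1);
        if (write(ready[1], "x", 1) != 1) _exit(1);
        pause();                              /* keep the group alive until killed */
        _exit(0);
    }
    close(ready[1]);
    int ok = (read(ready[0], &c, 1) == 1);    /* wait until the group exists */
    close(ready[0]);

    pid_t joiner = ok ? fork() : -1;
    if (joiner == 0)                          /* a fresh child is never a session leader */
        _exit(setpgid(0, target) == 0 ? 0 : errno);   /* target's pgid == its pid */
    if (joiner > 0) waitpid(joiner, &st, 0);

    kill(target, SIGKILL);
    waitpid(target, NULL, 0);
    return (joiner > 0 && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}

int main(void)
{
    int same = try_join(0), other = try_join(1);
    printf("same session:  %s\n", same == 0 ? "joined" : strerror(same));
    printf("other session: %s\n", other == 0 ? "joined" : strerror(other));
    return 0;
}
```

The attempt is made from a freshly forked child so that a failure cannot be caused by the caller being a session leader, which is a separate [EPERM] case.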
