This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
On Mon 24 Mar 2014 12:26:32 Rich Felker wrote:
> On Mon, Mar 24, 2014 at 04:57:23PM +0100, Florian Weimer wrote:
> > > I was asking whether there might be a way to set up the
> > > conditions prior to making the setuid syscalls such that if the first
> > > one succeeds, the subsequent ones cannot fail.
> >
> > Not in general, no, because the kernel implementation calls into the
> > Linux Security Module framework, whose modules typically implement
> > additional preconditions we cannot check in glibc due to
> > insufficient information.
>
> Yes, I'm well aware of the Linux Insecurity Modules framework. Any
> framework that can make standard functions with documented interface
> contracts violate their own interface contracts subtracts from the
> security of a system rather than adding to it, and I really have no
> problem with telling users this if they're running broken Insecurity
> Modules.
>
> But back to the topic, I was assuming correct behavior from the
> kernel. If the kernel misbehaves, aborting is a perfectly reasonable
> response (but if LSMs make the kernel lie, can you even tell if it
> misbehaved?).

Trying to stack the deck against failure is a good idea, but that is
orthogonal to checking the return value. There's no good reason at all
to not check & abort when the call fails.
-mike
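The check-and-abort discipline argued for in this thread, as an added example that is not glibc code and not from any of the posters: a hypothetical `drop_privileges` helper that treats a failed setgroups/setresgid/setresuid call as fatal and, to address Rich's "can you even tell if it misbehaved?" question, reads the ids back afterwards instead of trusting the return value alone.

```c
/* Hypothetical privilege-drop helper (example code, not glibc's). */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Permanently drop to uid/gid. Returns 0 on success; on any failure returns -1
 * and points *step at the name of the call that failed or lied. The caller is
 * expected to abort, as the thread argues, rather than continue half-dropped. */
int drop_privileges(uid_t uid, gid_t gid, const char **step)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    /* Supplementary groups go first, while CAP_SETGID is still held. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0) { *step = "setgroups"; return -1; }
    /* gid before uid: once the uid is dropped, setresgid is no longer permitted. */
    if (setresgid(gid, gid, gid) != 0) { *step = "setresgid"; return -1; }
    if (setresuid(uid, uid, uid) != 0) { *step = "setresuid"; return -1; }

    /* Verify rather than trust: a kernel (or LSM) that reports success without
     * actually changing the ids is caught here. */
    if (getresgid(&rg, &eg, &sg) != 0 || rg != gid || eg != gid || sg != gid) {
        *step = "getresgid verification"; return -1;
    }
    if (getresuid(&ru, &eu, &su) != 0 || ru != uid || eu != uid || su != uid) {
        *step = "getresuid verification"; return -1;
    }
    /* For a real drop (target is not root) the change must be irreversible. */
    if (uid != 0 && (setuid(0) == 0 || errno != EPERM)) {
        *step = "privileges could be regained"; return -1;
    }
    *step = NULL;
    return 0;
}

int main(void)
{
    const char *step;
    /* Demonstration: "drop" to our own ids, which any process may do. */
    if (drop_privileges(getuid(), getgid(), &step) != 0) {
        fprintf(stderr, "privilege drop failed at %s: %s\n", step, strerror(errno));
        abort();
    }
    puts("privilege drop verified");
    return 0;
}
```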