[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: nosuid in fstab



I personally prefer either dropboxes, serviced by privileged cronjobs,
or named pipes/sockets.

In both cases data is supplied to a privileged process through a
interface that can be thoroughly input validated, and actioned.

It's means the client-side can be really dumb, and even if it
gets breached the worst that can be done is to dump cruft into the
input of the privileged process, which it chomps through and ignores.

Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto                                       Tel. 07855 805 271
http://www.devitto.com                         mailto:dom_(_at_)_devitto_(_dot_)_com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Where do you want to go today?  Same as every day.... Windows Update.

-----Original Message-----
From: owner-misc_(_at_)_openbsd_(_dot_)_org [mailto:owner-misc_(_at_)_openbsd_(_dot_)_org] On Behalf Of
Jeff Wilson
Sent: Wednesday, May 26, 2004 8:07 PM
To: misc_(_at_)_openbsd_(_dot_)_org
Subject: Re: nosuid in fstab

On Wed, 26 May 2004, Anthony Roberts wrote:

> Rethink the problem until you figure out a way that doesn't need root.
> 
> It's almost always possible.

I want to do something much like authpf, but with Apache/OpenSSL/Perl
instead of an ssh client.  I am migrating from this setup
(http://www3.baylor.edu/~Jeff_Wilson/GiveAway/wfg.html) based on OpenBSD
2.9 and ipfilter, to OpenBSD 3.5 and pf.

So would you do that with setuid, or an entry for pfctl in sudoers(5), or
something completely different?