[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: drop privileges to nobody is pinging as root
- To: tech_(_at_)_openbsd_(_dot_)_org
- Subject: Re: drop privileges to nobody is pinging as root
- From: Hannah Schroeter <hannah_(_at_)_schlund_(_dot_)_de>
- Date: Mon, 6 Mar 2006 22:57:37 +0100
- Mail-followup-to: tech_(_at_)_openbsd_(_dot_)_org
- Organization: Schlund + Partner AG
On Mon, Mar 06, 2006 at 02:48:27PM -0700, Theo de Raadt wrote:
>> Care to elaborate?
>I have been rather clear. Please read what I wrote, and then think.
>This happens all the time. Why do people ask again, instead of thinking?
>WHY should any user be able to run a process as uid nobody? Do you
>really think that uid nobody has no capabilities that the user
The suggested patch did this only if the *real* UID was root.
So it doesn't give any user access to user nobody, but only drops
from *real* root to nobody. In fact, the patch was after the
normal privilege dropping sequence, so even if the condition
if (getuid() == 0)
were omitted, it couldn't change from non-root to nobody.