Re: drop privileges to nobody is pinging as root
- To: tech_(_at_)_openbsd_(_dot_)_org
- Subject: Re: drop privileges to nobody is pinging as root
- From: Hannah Schroeter <hannah_(_at_)_schlund_(_dot_)_de>
- Date: Mon, 6 Mar 2006 22:57:37 +0100
- Mail-followup-to: tech_(_at_)_openbsd_(_dot_)_org
- Organization: Schlund + Partner AG
Hi!
On Mon, Mar 06, 2006 at 02:48:27PM -0700, Theo de Raadt wrote:
>[...]
>> Care to elaborate?
>I have been rather clear. Please read what I wrote, and then think.
>This happens all the time. Why do people ask again, instead of thinking?
>WHY should any user be able to run a process as uid nobody? Do you
>really think that uid nobody has no capabilities that the user
>doesn't have?
The suggested patch did this only if the *real* UID was root.
So it doesn't give any user access to user nobody, but only drops
from *real* root to nobody. In fact, the patch was after the
normal privilege dropping sequence, so even if the condition
if (getuid() == 0)
were omitted, it couldn't change from non-root to nobody.
Kind regards,
Hannah.
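
The point made in the message above, as an added C example (not the patch from the thread and not OpenBSD's ping source): after the normal drop of setuid-root privileges, an unguarded switch to nobody succeeds only when the real UID was root, and the kernel refuses it for everyone else. The function names drop_setuid_root and try_become are hypothetical, and main assumes an account named "nobody" exists.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Step 1: the normal drop in a setuid-root program. With euid 0,
 * setuid(real uid) sets the real, effective and saved uids at once. */
int drop_setuid_root(void)
{
    uid_t ruid = getuid();

    if (setuid(ruid) == -1)
        return -1;
    /* Verify the drop: a non-root user must not be able to get root back. */
    if (ruid != 0 && setuid(0) != -1)
        return -1;
    return 0;
}

/* Step 2: switch to an unprivileged account, deliberately WITHOUT the
 * getuid() == 0 guard. Returns 1 if the switch happened, 0 if the kernel
 * refused with EPERM, -1 on any other error. */
int try_become(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) == -1 || setgid(gid) == -1 || setuid(uid) == -1)
        return errno == EPERM ? 0 : -1;
    return 1;
}

int main(void)
{
    struct passwd *pw = getpwnam("nobody");
    uid_t before = getuid();
    int r;

    if (pw == NULL || drop_setuid_root() == -1) {
        fprintf(stderr, "setup failed\n");
        return 1;
    }
    r = try_become(pw->pw_uid, pw->pw_gid);
    printf("real uid before: %d, switch result: %d, uid now: %d\n",
        (int)before, r, (int)getuid());
    return r == -1;
}
```

Run as an ordinary user it reports result 0 with the UID unchanged; run by real root it reports result 1 and the UID of nobody.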