Commit 1cff8e2b authored by Niels Möller's avatar Niels Möller

Added comments on how to fix use of setuid.

Rev: src/unix_user.c:1.43
parent b63de24d
......@@ -660,7 +660,8 @@ do_read_file(struct lsh_user *u,
{
int fd;
close(out[0]);
/* FIXME: Use seteuid instead? */
if ( (me != user->super.uid) && (setuid(user->super.uid) < 0) )
{
werror("unix_user.c: do_read_file: setuid failed (errno = %i): %z\n",
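Review bot: The new FIXME proposes seteuid, but for this forked child, which only reads a file on the user's behalf, the irreversible setuid is the safer primitive: seteuid would leave the saved set-user-ID as the original privileged uid, so any later flaw in the child could regain it. The comment would better record that choice, e.g. `/* setuid, not seteuid, is deliberate: the child must not be able to regain its original uid. */`. The guard skips the call when `me == user->super.uid` and otherwise only reports the failure on the werror line; whether the child then exits rather than continuing to read the file is decided by lines outside the hunk, so that path deserves a check. do_read_file starts and ends outside this hunk.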
......@@ -755,6 +756,16 @@ change_uid(struct unix_user *user)
return 1;
}
/* FIXME: In child processes, between do_fork_process and do_exec_shell,
* we're running with the user's uid, which seems dangerous.
* It seems better to move uid handling to exec-time, and perhaps
* to a separate program.
*
* The potential problem is that a user can read the process memory
* before exec, and learn the host key or other secrets. The safest
* way seems to be to be to exec a separate program, which changes
* persona and then exec's the real login shell. */
static int
do_fork_process(struct lsh_user *u,
struct lsh_process **process,
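Review bot: The new FIXME rightly notes that secrets in the child's address space are exposed once it runs under the user's uid, but it omits the mitigation that is available without the proposed redesign: erasing the host key and other private material in the child right after fork and before the uid change, so nothing sensitive remains to be read. Whether a uid change by itself prevents the user from inspecting the process is platform-dependent, so the comment should not rely on it. A suitable addition to the comment block is `* Until that is done, the child should wipe the host key and other * secrets immediately after fork, before changing uid.`. do_fork_process's signature and body continue past the end of the hunk.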