Effective, Real and Group id switching for daemons

From: John Hanna (jhanna@cproject.com)
Date: 01/24/03

    From: "John Hanna" <jhanna@cproject.com>
    To: <secprog@securityfocus.com>
    Date: Fri, 24 Jan 2003 15:19:22 -0700
    
    

    I'm working to improve ASSP's support for *nix environments. (ASSP,
    http://assp.sourceforge.net, is an anti-spam SMTP proxy written in Perl.)
    One of the important features is to be able to run as non-root after we
    start listening on port 25. I had a couple of questions for those wiser than
    I.
    First, is it important to switch the real uid as well? It might be nice to
    preserve the real uid so I can switch back to root if they kill -HUP and I
    need to switch ports. But in the event of a Perl-based vulnerability, if I
    changed the effective uid but not the real uid, I suppose the clever hacker
    would switch the effective uid back if possible. So I probably need to do
    that, right?

    Secondly, do I need to give the option to switch effective and real group id
    as well? I suppose root group might be able to do something a hacker
    shouldn't, even after they've lost root euid, right?

    Finally, this code has to have been written 1000 times, but I couldn't find
    it anywhere. Can someone point me to an open source Perl server daemon that I
    can swipe code from? Or perhaps email me their prized nugget from their own
    project with permission to recycle?

    Thanks tons,
    John
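
The sequence the post asks about (bind port 25 as root, then give up root in both the user and group ids), as an added example that is not part of the original message and not ASSP's code. It takes the permanent-drop route, so the process cannot switch back to root later. The `drop_privileges` name, the `nobody` default account and the `RUN_AS`/`PORT` environment variables are assumptions made for the demo.

```perl
#!/usr/bin/perl
# Added example: bind a privileged port as root, then drop root for good.
use strict;
use warnings;
use POSIX ();
use IO::Socket::INET;

# Assumptions for the demo: the account name and port are placeholders.
my $RUN_AS = $ENV{RUN_AS} // 'nobody';
my $PORT   = $ENV{PORT}   // 25;

sub drop_privileges {
    my ($user) = @_;
    my ($uid, $gid) = (getpwnam($user))[2, 3];
    die "unknown user '$user'\n" unless defined $uid;
    die "target uid/gid must not be 0\n" if $uid == 0 || $gid == 0;

    # 1. Supplementary groups: "$gid $gid" sets the effective gid and
    #    passes a one-element list to setgroups(), discarding root's groups.
    $) = "$gid $gid";
    # 2. Group before user: after setuid() the process may no longer
    #    change its gids. As root these set real, effective and saved ids.
    POSIX::setgid($gid) or die "setgid($gid) failed: $!\n";
    POSIX::setuid($uid) or die "setuid($uid) failed: $!\n";

    # 3. Verify rather than trust: every id must match, and root must be
    #    unreachable (a leftover real or saved id 0 would let these succeed).
    die "uid not dropped\n" unless $< == $uid && $> == $uid;
    die "gid not dropped\n" unless $( + 0 == $gid && $) + 0 == $gid;
    die "supplementary groups remain\n"
        if grep { $_ != $gid } split ' ', $);
    die "root uid can be regained\n" if defined POSIX::setuid(0);
    die "root gid can be regained\n" if defined POSIX::setgid(0);
    return 1;
}

die "run as root to bind port $PORT and drop privileges\n" unless $> == 0;

# Privileged step first: the listening socket stays open after the drop.
my $listener = IO::Socket::INET->new(
    LocalPort => $PORT, Listen => 5, ReuseAddr => 1, Proto => 'tcp',
) or die "cannot listen on port $PORT: $!\n";

drop_privileges($RUN_AS);
print "listening on $PORT as uid=$< euid=$> gid=", $( + 0,
      " egid=", $) + 0, "\n";
```

Because the real and saved ids are dropped along with the effective ones, rebinding to a different privileged port after a HUP requires restarting the daemon as root.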


