Re: root privileges through non-root process?

From: Kasper Dupont (kasperd@daimi.au.dk)
Date: 01/10/03


From: Kasper Dupont <kasperd@daimi.au.dk>
Date: Fri, 10 Jan 2003 08:01:58 +0100

Walt Harris wrote:
>
> Some programs are set SUID (basically launch as root and drop privileges
> after some time) and these can do what he's talking about. Apache should
> be run as 'nobody' or another username to avoid this problem, however when
> launched from inetd.conf or rc.local, Apache has to be run as 'root' in
> order to use port 80.

Isn't that wrong? First of all suid executables and daemons are two
completely different problems to consider. Daemons are hardly ever
suid executables. And who are actually using inetd rather than xinetd?
I don't know about inetd, but xinetd for sure does not have the problem
you describe. And finally who start apache from rc.local? I believe
most distributions come with a SysVinit script for starting apache.

> After a certain stage in launching, it drops 'root'
> privileges. During this window, it is very possible to achieve 'root'
> access.

How? It is not a SUID executable that anybody can execute as root. And
when started in the ordinary way it doesn't do any network communication
over the net before it has droped priveleges.

-- 
Kasper Dupont -- der bruger for meget tid på usenet.
For sending spam use mailto:aaarep@daimi.au.dk
for(_=52;_;(_%5)||(_/=5),(_%5)&&(_-=2))putchar(_);


Relevant Pages