On Sat, May 11, 2002 at 06:02:18PM -0700, Thomas Bushnell, BSG wrote:
> Marcus Brinkmann <[EMAIL PROTECTED]> writes:
>
> > I think it is absolutely mandatory that we establish the PID in a
> > trustworthy way rather than let the user provide some unique ID on its own.
> > I think there is already a place in the Hurd where we should do that but
> > don't (wasn't that term's term_open_ctty?), and there are all sorts of simple
> > attacks possible if we can't trust the PID (eg a monitor server might check
> > for stale advisory locks and kill processes that don't release them timely.
> > In the untrusted model, a user could make this monitor process kill
> > arbitrary processes on the system).
>
> Nope; a malicious filesystem could just return bogus PID values too.

Mmh, we could restrict the monitor to trusted filesystems (eg /).

> I don't think this is a serious security issue, actually. Such a
> monitor depends on an awful lot--it's not a strict Posix program
> already.

I am not really particularly attached to my example, it was just one of the
first that came to my mind. Are you suggesting with "I don't think that this
is a serious security issue" that relying on a PID provided by the user is
good enough in the general case? Or were you only relating this to my example?

Thanks,
Marcus

--
`Rhubarb is no Egyptian god.'
Debian http://www.debian.org [EMAIL PROTECTED]
Marcus Brinkmann GNU http://www.gnu.org [EMAIL PROTECTED]
[EMAIL PROTECTED] http://www.marcus-brinkmann.de

Bug-hurd mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/bug-hurd
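The stale-lock monitor Marcus uses as his example, as an added illustration that is not code from this thread or from the Hurd: a constructed lock registry where the naive variant records whatever PID the caller claims, and the hardened variant has the kernel identify the caller (Linux `SO_PEERCRED` on an AF_UNIX socket, assumed available) so the monitor cannot be pointed at an arbitrary process. The `kill` action is injected as a no-op, so nothing is actually signalled.

```python
import os
import socket
import struct

def register_lock_untrusted(registry, path, claimed_pid):
    """Naive variant: records whatever PID the caller claims; a monitor
    acting on it later becomes a confused deputy for any PID named here."""
    registry[path] = claimed_pid
    return claimed_pid

def peer_pid(sock):
    """Ask the kernel who is on the other end of an AF_UNIX socket (Linux
    SO_PEERCRED, struct ucred = pid, uid, gid) instead of trusting a claim."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    pid, _uid, _gid = struct.unpack("3i", raw)
    return pid

def register_lock_trusted(registry, path, sock):
    """Hardened variant: the recorded holder PID comes from the kernel."""
    pid = peer_pid(sock)
    registry[path] = pid
    return pid

def reap_stale_locks(registry, stale_paths, kill=lambda pid: None):
    """Monitor action on each stale lock's recorded holder. `kill` is
    injected (no-op by default) so this example never signals a real process."""
    acted_on = []
    for path in stale_paths:
        pid = registry.pop(path, None)
        if pid is not None:
            kill(pid)
            acted_on.append(pid)
    return acted_on

def demo():
    """Returns (PIDs the naive monitor acts on, PIDs the hardened one acts on, own PID)."""
    victim = 1  # constructed: a PID the registering caller has no right to signal
    naive = {}
    register_lock_untrusted(naive, "/tmp/demo.lock", victim)
    hit_naive = reap_stale_locks(naive, ["/tmp/demo.lock"])
    hardened = {}
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        register_lock_trusted(hardened, "/tmp/demo.lock", a)  # a's peer is b: this process
    finally:
        a.close()
        b.close()
    hit_hardened = reap_stale_locks(hardened, ["/tmp/demo.lock"])
    return hit_naive, hit_hardened, os.getpid()
```

The naive registry lets the caller steer the monitor at PID 1; the hardened one can only ever name the process that actually holds the socket.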