Roland McGrath <[EMAIL PROTECTED]> writes:

> > More exactly, you mean before calling proc_setowner.
>
> Yes.
>
> > We should be more careful here.
>
> How?

As I described below. :)

> > For all we know, we have big giant hairy port leaks in the startup code
> > for the Hurd, and every process in the system is running as root.
>
> Not if there are EXEC_NEWTASK execs involved.

Ok, that's true, EXEC_NEWTASK is good enough for the general case.

> Like I said, there might be leaks in login I haven't thought of. Using
> EXEC_NEWTASK is the way to be sure none survive, but there will be a window
> between proc_setowner and the exec completing where the target owner can
> hijack the login process and exploit any leaks. We can avoid that by using
> EXEC_SECURE instead, and just not calling proc_setowner at all. Then exec
> will use proc_setowner on the fresh task's proc port after proc_reassign.

Ah, good idea. I think EXEC_SECURE is perhaps the best solution here.

> That is nuts. You don't know what you are talking about proc and
> startup programs for. There is no problem with them. We are
> talking about login here.

Given the normal use of EXEC_NEWTASK, you are right.

Thomas

_______________________________________________
Bug-hurd mailing list
[EMAIL PROTECTED]
http://lists.gnu.org/mailman/listinfo/bug-hurd
