> On Apr 3, 2024, at 2:04 PM, Toon Moene <t...@moene.org> wrote:
>
> On 4/1/24 17:06, Mark Wielaard wrote:
>
>> A big thanks to everybody working this long Easter weekend who helped
>> analyze the xz-backdoor and making sure the impact on Sourceware and
>> the hosted projects was minimal.
>
> Thanks for those efforts!
>
> Now, I have seen two more days of thinking about this vulnerability ... but
> no one seems to address the following issues:
>
> A hack was made in liblzma, which, when the code was executed by a daemon
> that by virtue of its function, *has* to be run as root, was effective.
>
> Two questions arise (as far as I am concerned):
>
> 1. Do daemons like sshd *have* to be linked with shared libraries ?
> Or could it be left to the security minded of the downstream
> (binary) distributions to link it statically with known & proven
> correct libraries ?
I would add: should IFUNC be deleted? Or alternatively, should it be strictly
limited only to non-security-sensitive applications when not running as root?
> 2. Is it a limitation of the Unix / Linux daemon concept that, once
> such a process needs root access, it has to have root access
> *always* - even when performing trivial tasks like compressing
> data ?
Clearly not, given the existence of the "seteuid" syscall.
> I recall quite well (vis-a-vis question 2) that the VMS equivalent would drop
> all privileges at the start of the code, and request only those relevant when
> actually needed (e.g., to open a file for reading that was owned by [the
> equivalent on VMS] of root - or perform other functions that only root could
> do), and then drop them immediately afterwards again.
Yes, and with additional effort all "root" type applications could be written
that way.
paul
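Question 2 and the seteuid remark above, as an added illustration that is not part of the thread: a permanent drop via setresuid/setresgid (which clears the saved root id so it cannot be recovered), a self-check that the drop actually took, and the VMS-style temporary pattern that raises the effective uid only around the one call that needs it. The helper names and the target uid/gid 65534 used when started as root are assumptions for the demo.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently give up root for uid/gid. Returns 0 on success, -1 on
   failure. Order matters: groups, then gid, then uid, because after
   the uid drop the process can no longer change its groups. */
int drop_privileges_permanently(uid_t uid, gid_t gid) {
    /* Only root may clear supplementary groups; skip if already unprivileged. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    /* setres* sets real, effective AND saved ids, so no saved root id
       is left for a later seteuid(0) to recover. */
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    return 0;
}

/* Verify the drop took: all three uids must equal uid and, unless uid is
   root itself, regaining euid 0 must fail. Returns 1 when dropped. */
int privileges_are_dropped(uid_t uid) {
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0) return 0;
    if (r != uid || e != uid || s != uid) return 0;
    if (uid != 0 && seteuid(0) == 0) return 0;  /* root came back: not dropped */
    return 1;
}

/* The VMS-style temporary pattern: run as `unpriv`, raise the effective
   uid only around fn(), then lower it again. Only works while the saved
   uid is still 0 (no setres* drop yet); returns -1 otherwise. */
int run_with_root(uid_t unpriv, int (*fn)(void)) {
    if (seteuid(0) != 0) return -1;       /* no saved root id to elevate to */
    int rc = fn();
    if (seteuid(unpriv) != 0) return -1;  /* failing to re-lower is fatal */
    return rc;
}

static int noop(void) { return 0; }  /* stand-in for the privileged work */

/* Self-check that works whether started as root or as an ordinary user
   (constructed target uid/gid 65534 when root). Returns 0 if all holds. */
int run_demo(void) {
    int started_as_root = (geteuid() == 0);
    uid_t uid = started_as_root ? 65534 : getuid();
    gid_t gid = started_as_root ? 65534 : getgid();
    if (drop_privileges_permanently(uid, gid) != 0) return 1;
    if (!privileges_are_dropped(uid)) return 2;
    if (run_with_root(uid, noop) != -1) return 3;  /* permanent means permanent */
    return 0;
}
```

A daemon that wants the temporary pattern calls run_with_root() before any setres* drop; once drop_privileges_permanently() has run, the elevation path is gone for good, which is the property the self-check confirms.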