Posted to dev@httpd.apache.org by Ben Laurie <be...@gonzo.ben.algroup.co.uk> on 1996/06/04 18:17:12 UTC

Authentication

I've been giving some thought to the authentication question (wrt setuid
scripts) and it seems to me that it is not possible for the server to prove to
the setuid program that it is legit by any kind of shared secret, encrypted
message or anything else of that nature. Why? Because the Bad Guy can examine
the code to determine the method, and a core dump (or similar) to determine
any parameters that are needed. He can then write an httpd which runs the
setuid program using the same method and parameters.

So, are we sunk? Well, not quite. Assuming that the Bad Guy does _not_ have
root access (coz after all, if he does, we're sunk anyway) we can check that
the httpd that ran us was run by an httpd which has a userid of root. I think
this prevents any direct running of the setuid program and therefore, combined
with other safeguards already discussed, is as secure as it's going to get (and
is also secure enough).

Comments?

Cheers,

Ben.

-- 
Ben Laurie                  Phone: +44 (181) 994 6435
Freelance Consultant and    Fax:   +44 (181) 994 6472
Technical Director          Email: ben@algroup.co.uk
A.L. Digital Ltd,           URL: http://www.algroup.co.uk
London, England.
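
One way the wrapper-side check described in the message could look on Linux, as an added example (not code from the original post or from Apache): the setuid program looks up its parent, then the process that started that parent, and proceeds only if the latter has real uid 0. Reading /proc/<pid>/status, all function names, the sample process table (constructed), and the refusal when the parent has been adopted by init are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* Extract PPid and real uid from Linux /proc/<pid>/status text; 0 on success. */
int parse_status(const char *text, long *ppid, long *ruid)
{
    const char *p = strstr(text, "\nPPid:"), *u = strstr(text, "\nUid:");
    if (!p || !u || sscanf(p, "\nPPid: %ld", ppid) != 1) return -1;
    return sscanf(u, "\nUid: %ld", ruid) == 1 ? 0 : -1;
}

/* Live lookup: read /proc/<pid>/status (Linux-specific assumption). */
int proc_lookup(long pid, long *ppid, long *ruid)
{
    char path[64], buf[4096];
    snprintf(path, sizeof path, "/proc/%ld/status", pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_status(buf, ppid, ruid);
}

/* Constructed sample table so the decision logic can be checked offline. */
static const struct { long pid; const char *status; } sample[] = {
    {100, "Name:\thttpd\nPPid:\t1\nUid:\t0\t0\t0\t0\n"},           /* root httpd */
    {101, "Name:\thttpd\nPPid:\t100\nUid:\t99\t99\t99\t99\n"},     /* its child */
    {200, "Name:\tsh\nPPid:\t1\nUid:\t1000\t1000\t1000\t1000\n"},  /* user shell */
    {201, "Name:\tprog\nPPid:\t200\nUid:\t1000\t1000\t1000\t1000\n"},
};
int sample_lookup(long pid, long *ppid, long *ruid)
{
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        if (sample[i].pid == pid) return parse_status(sample[i].status, ppid, ruid);
    return -1;
}

/* 1 only if the process that started `parent` has real uid 0 and is not init. */
int started_by_root(long parent, int (*lookup)(long, long *, long *))
{
    long gp, uid, ggp, gp_uid;
    if (lookup(parent, &gp, &uid) != 0) return 0;
    if (gp <= 1) return 0; /* parent adopted by init: origin unknown, refuse */
    if (lookup(gp, &ggp, &gp_uid) != 0) return 0;
    return gp_uid == 0;
}

int main(void) { return started_by_root((long)getppid(), proc_lookup) ? 0 : 1; }
```

The two lookups are not atomic, so the parent can exit or be reparented between them, and a root-owned grandparent is not by itself proof that it is httpd. The check is one safeguard to combine with the others the message refers to.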