Posted to dev@httpd.apache.org by Randy Terbush <ra...@zyzzyva.com> on 1996/06/04 19:10:57 UTC

Re: Authentication

> I've been giving some thought to the authentication question (wrt setuid
> scripts) and it seems to me that it is not possible for the server to prove to
> the setuid program that it is legit by any kind of shared secret, encrypted
> message or anything else of that nature. Why? Because the Bad Guy can examine
> the code to determine the method, and a core dump (or similar) to determine
> any parameters that are needed. He can then write an httpd which runs the
> setuid program using the same method and parameters.
> 
> So, are we sunk? Well, not quite. Assuming that the Bad Guy does _not_ have
> root access (coz after all, if he does, we're sunk anyway) we can check that
> the httpd that ran us was run by an httpd which has a userid of root. I think
> this prevents any direct running of the setuid program and therefore, combined
> with other safeguards already discussed, is as secure as it's going to get (and
> is also secure enough).
> 
> Comments?

Of course. :-)

First, how do you trace the lineage of the process? getppid() gets a
void argument on Solaris and FreeBSD. The only other way I can get
to this info is via kvm stuff which I don't think is going to be very
portable. Also, since the server does a setuid(safeuser), do we still
have information available that shows it was started as root? I haven't
looked.

I have added the following snippet that should provide a somewhat more
restricted area that the hacker can access.


/* Headers and locals this fragment needs; log_err() and cmd are the
   wrapper's own logging routine and the command it was asked to run. */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/param.h>   /* MAXPATHLEN */

#define DOC_ROOT "/www/docroot"

char buf[MAXPATHLEN], *cwd;
size_t doclen;

/* Refuse to run anything unless the current directory is under DOC_ROOT. */
cwd = getcwd (buf, MAXPATHLEN);

doclen = strlen (DOC_ROOT);
if (strncmp (cwd, DOC_ROOT, doclen))
{
    log_err ("invalid command (%s)\n", cmd);
    exit(105);
}
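The two checks discussed in this thread, written out as an added example that is not code from the original message or from the httpd project. path_under_root() is the document-root test from the snippet above with two things a plain strncmp prefix test does not handle: a NULL return from getcwd() is rejected instead of being passed to strncmp, and the match has to end at a path separator, so a directory whose name merely begins with the root string (such as "/www/docrootevil") is not accepted as being under "/www/docroot". parent_real_uid() answers the quoted message's "who ran us" question by reading the Uid: line of /proc/<ppid>/status; that relies on Linux procfs, which is an assumption here (the Solaris and FreeBSD systems the reply mentions have no portable equivalent, which is the reply's point). The /proc status text in the comments is constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/param.h>   /* MAXPATHLEN on BSD and glibc */

#ifndef MAXPATHLEN
#define MAXPATHLEN 4096
#endif

#define DOC_ROOT "/www/docroot"

/* Returns 1 if path is root itself or lies below it, 0 otherwise.
 * root is assumed to have no trailing slash. Unlike a bare strncmp()
 * prefix test, the character after the matched prefix must be either
 * the end of the string or '/', so "/www/docrootevil" is rejected. */
int path_under_root(const char *path, const char *root)
{
    size_t rootlen;

    if (path == NULL || root == NULL)
        return 0;
    rootlen = strlen(root);
    if (strncmp(path, root, rootlen) != 0)
        return 0;
    return path[rootlen] == '\0' || path[rootlen] == '/';
}

/* getcwd() can fail (returns NULL); treat that as "not under root"
 * rather than handing NULL to strncmp(). */
int cwd_under_root(const char *root)
{
    char buf[MAXPATHLEN];

    if (getcwd(buf, sizeof buf) == NULL)
        return 0;
    return path_under_root(buf, root);
}

/* Parses the "Uid:" line of a /proc/<pid>/status text, e.g. the
 * constructed line "Uid:\t1000\t1000\t1000\t1000", and returns the
 * first field (real uid), or -1 if no such line is present. */
long parse_status_uid(const char *status_text)
{
    const char *p = status_text;

    while (p != NULL && *p != '\0') {
        if (strncmp(p, "Uid:", 4) == 0)
            return strtol(p + 4, NULL, 10);   /* skips the tab */
        p = strchr(p, '\n');
        if (p != NULL)
            p++;                               /* start of next line */
    }
    return -1;
}

/* Real uid of our parent process via Linux procfs (assumption: /proc
 * is mounted). Returns -1 where it cannot be determined. */
long parent_real_uid(void)
{
    char path[64];
    char text[4096];
    FILE *f;
    size_t n;

    snprintf(path, sizeof path, "/proc/%ld/status", (long)getppid());
    f = fopen(path, "r");
    if (f == NULL)
        return -1;
    n = fread(text, 1, sizeof text - 1, f);
    fclose(f);
    text[n] = '\0';
    return parse_status_uid(text);
}

int main(void)
{
    long puid = parent_real_uid();

    printf("parent real uid: %ld (-1 = not available)\n", puid);
    if (puid != 0)
        printf("would refuse: parent is not running as root\n");
    if (!cwd_under_root(DOC_ROOT))
        printf("would refuse: cwd is not under %s\n", DOC_ROOT);
    return 0;
}
```

Run from a directory under "/www/docroot" and by a root-owned parent to see both checks pass; anywhere else the two "would refuse" lines show which test a wrapper built on this logic would trip on.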