Subject: Re: Here's another glibc env. var.
From: Len Budney (lbudney-lists-auditnb.net)
Date: Thu May 25 2000 - 10:01:13 CDT


haradaobunsha.co.jp wrote:
> Pavel Kankovsky wrote:
> >No. I suggest reducing functionality to discourage bad design. Complex
> >security-hazard-prone code, including (but not limited to) user
> >interface stuff, should be separated from code running with elevated
> >privileges that should be really small, simple, and paranoid.
>
> I can agree with that. But in this case, you're talking about
> non-intuitively removing the ability to handle locales properly for
> any suid/sgid code.

Not necessarily. In fact, I don't remember that anybody's proposal so
far has been _specific_ enough to confirm or deny what you say here.

Here is a semi-specific suggestion. When a privileged and a
non-privileged program cooperate to get the job done, they interact
through a protocol--and the protocol need not be locale specific.

Therefore, why not isolate the part requiring privilege into a tiny
program which does the following: 1) perform the requested service;
2) return a one-byte status code--for example, 'K' for success, 'D'
for permanent failure, and 'Z' for temporary failure; 3) return raw
data, encoding integers in ASCII, as a netstring.

If finer-grained error reporting is required, then use the raw-data
part of a 'D' or 'Z' to specify the error as an integer code, similar
to errno, whose interpretation is known to clients, plus a "default
message" for stupid clients to use. Smart clients can then use the
integer code to generate locale-specific user feedback.

(Even finer grained error-reporting should generally not be necessary.
If you want the setuid server to report names, dates and places, then
you've probably dumped much too much responsibility into the setuid
module, which should be tiny and specific.)

Len.

PS A reference on netstrings: <http://cr.yp.to/proto/netstrings.txt>.

--
It does pay to have the right role models/heroes. It takes you through
a lot. Mine haven't let me down.
					-- Warren Buffett, 2000
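An added example, not part of the mail above, showing the reply format Len sketches: one status byte ('K', 'D' or 'Z') followed by a netstring (`<length>:<bytes>,`, per the cr.yp.to spec he links) carrying raw data. The netstring parser is deliberately strict, the way a small, paranoid privileged helper and its client should both be: ASCII digits only, no leading zeros, a hard upper bound on the payload, and no trailing bytes accepted. The layout of the raw-data part of a failure reply (an integer code as a netstring followed by the default message as a netstring), the 4096-byte cap and the little locale table are my assumptions for the demo; the mail does not fix any of them.

```python
# Added example (not from the original mail). Encoder/decoder for a
# "status byte + netstring" reply protocol between a tiny setuid helper
# and an unprivileged, locale-aware client.

STATUS_OK, STATUS_PERM_FAIL, STATUS_TEMP_FAIL = b"K", b"D", b"Z"
VALID_STATUS = (STATUS_OK, STATUS_PERM_FAIL, STATUS_TEMP_FAIL)
MAX_PAYLOAD = 4096  # assumption: a cap the helper and client agree on


def encode_netstring(data):
    """Wrap bytes as <len>:<bytes>, following the netstring spec."""
    return b"%d:%s," % (len(data), data)


def parse_netstring(buf, max_len=MAX_PAYLOAD):
    """Return (payload, remaining_bytes); raise ValueError on any malformation."""
    i = 0
    while i < len(buf) and buf[i:i + 1].isdigit():  # ASCII digits only
        i += 1
    if i == 0 or i > 9:                      # no length, or absurdly long one
        raise ValueError("bad length field")
    if i > 1 and buf[:1] == b"0":            # spec forbids leading zeros
        raise ValueError("leading zero in length")
    n = int(buf[:i])
    if n > max_len:                          # refuse oversized payloads early
        raise ValueError("payload exceeds limit")
    if buf[i:i + 1] != b":":
        raise ValueError("missing ':' after length")
    start, end = i + 1, i + 1 + n
    if len(buf) < end + 1:                   # payload plus trailing ','
        raise ValueError("truncated netstring")
    if buf[end:end + 1] != b",":
        raise ValueError("missing ',' terminator")
    return buf[start:end], buf[end + 1:]


def encode_reply(status, data=b""):
    """Helper side: one status byte, then the raw data as a netstring."""
    if status not in VALID_STATUS:
        raise ValueError("unknown status byte")
    return status + encode_netstring(data)


def encode_failure(status, errcode, default_msg):
    """Helper side: 'D'/'Z' reply whose data is <code><default message>,
    each itself a netstring (assumed layout, not mandated by the mail)."""
    if status not in (STATUS_PERM_FAIL, STATUS_TEMP_FAIL):
        raise ValueError("failure replies must be 'D' or 'Z'")
    payload = encode_netstring(str(int(errcode)).encode("ascii")) + \
        encode_netstring(default_msg.encode("utf-8"))
    return encode_reply(status, payload)


def parse_reply(buf):
    """Client side: return (status, data); reject anything not exactly one reply."""
    status = buf[:1]
    if status not in VALID_STATUS:
        raise ValueError("unknown status byte")
    data, rest = parse_netstring(buf[1:])
    if rest:
        raise ValueError("trailing bytes after reply")
    return status, data


def interpret_failure(data):
    """Client side: split failure data into (integer code, default message)."""
    code_bytes, rest = parse_netstring(data)
    msg_bytes, rest = parse_netstring(rest)
    if rest or not code_bytes.isdigit():
        raise ValueError("malformed failure payload")
    return int(code_bytes), msg_bytes.decode("utf-8", "replace")


def client_message(reply, locale, table):
    """A 'smart' client: map the integer code to a localized message, falling
    back to the helper's default message (a 'stupid' client would only ever
    print that default). `table` is {code: {locale: message}}."""
    status, data = parse_reply(reply)
    if status == STATUS_OK:
        return "ok: " + data.decode("ascii", "replace")
    code, default_msg = interpret_failure(data)
    return table.get(code, {}).get(locale, default_msg)


if __name__ == "__main__":
    # Constructed sample exchange: helper reports errno-like code 2.
    table = {2: {"de": "Datei nicht gefunden"}}
    reply = encode_failure(STATUS_PERM_FAIL, 2, "no such file")
    print(reply)                                  # D20:1:2,12:no such file,,
    print(client_message(reply, "de", table))     # localized
    print(client_message(reply, "fr", table))     # falls back to default
```

Note that the helper never sees the client's locale: it emits a code and a fixed default string, and all locale handling stays in the unprivileged client, which is exactly the separation the mail argues for.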