Re: server-based auth

From: Andrew Valencia <vandys_at_nospam.org>
Date: Thu Mar 16 1995 - 12:57:43 PST

[Dave Hudson <dave@humbug.demon.co.uk> writes:]

>I don't think this should cause any security risks as the no-one id doesn't
>allow anyone to do anything new - if the disabling is done correctly (as in
>login) there's no way to get back once we're running as no-one :-) The
>other nice thing about this is that we can allocate each no-one a sub-id
>that means they can't possibly mess about with each other's work.
>Have I missed anything drastic?

Denial of service attacks (create ports, consume PID's, memory, etc.).
Sending of signals. ptrace. Also, as you noted, the default read
permissions in some circumstances.

A per-syscall bitmask is also probably at least as fast as checking for a
particular ID.

I'm not sure about the technique of issuing sub-id "nobody" ID's. If they
can subvert the main "nobody" ID even once then all the benefits of doing
this are lost. A lot of its value would seem to reside on convention.

It's amusing to imagine what a process with one open file and all system
calls except exit() and msg_send() disabled could do. Assume he's using the
background CPU priority. He can calculate and write his results, but
nothing else.

How would you write code to break out of this? Or if not break out, how
would you most disrupt the system?

                                                        Andy
Received on Thu Mar 16 12:12:51 1995
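The compute-only sandbox Andy sketches (only exit() and msg_send() allowed, a per-syscall bitmask tested in the dispatcher, and no way back once the mask is dropped), as an added C example that is not VSTa code; the syscall numbers, the `proc` struct and the function names are assumptions made for illustration.

```c
/* Constructed example: per-process syscall allow-mask with one-way restriction.
 * Not VSTa code; syscall numbers and names are assumed for illustration. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

enum syscall_no { SYS_EXIT = 0, SYS_MSG_SEND, SYS_FORK, SYS_PTRACE,
                  SYS_KILL, SYS_OPEN, SYS_MAX };

#define SC_BIT(n) ((uint64_t)1 << (n))
#define SC_ALL    (SC_BIT(SYS_MAX) - 1)

struct proc {
    int      pid;
    uint64_t sc_allowed;   /* one bit per syscall; a cleared bit stays cleared */
};

/* Drop permissions: the mask can only shrink (AND), so a subverted "nobody"
 * cannot re-enable fork/ptrace/kill later. Returns the resulting mask. */
uint64_t proc_restrict(struct proc *p, uint64_t keep)
{
    p->sc_allowed &= keep;
    return p->sc_allowed;
}

/* Dispatcher check: one AND plus a test, no cheaper than a uid compare but
 * no more expensive either, and it carries the whole policy. */
bool syscall_permitted(const struct proc *p, enum syscall_no n)
{
    return (unsigned)n < SYS_MAX && (p->sc_allowed & SC_BIT(n)) != 0;
}

/* Simulated dispatch: 0 if the call would be handled, -1 (EPERM) if masked. */
int do_syscall(struct proc *p, enum syscall_no n)
{
    if (!syscall_permitted(p, n)) {
        printf("pid %d: syscall %d denied by mask\n", p->pid, n);
        return -1;
    }
    return 0;  /* a real kernel would index its handler table here */
}

int main(void)
{
    struct proc nobody = { .pid = 42, .sc_allowed = SC_ALL };
    /* The compute-only sandbox from the post: exit() and msg_send() only. */
    proc_restrict(&nobody, SC_BIT(SYS_EXIT) | SC_BIT(SYS_MSG_SEND));
    do_syscall(&nobody, SYS_MSG_SEND);   /* permitted: hand results back */
    do_syscall(&nobody, SYS_FORK);       /* denied: no PID/memory exhaustion */
    proc_restrict(&nobody, SC_ALL);      /* widening has no effect */
    do_syscall(&nobody, SYS_PTRACE);     /* still denied */
    return 0;
}
```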

This archive was generated by hypermail 2.1.8 : Thu Sep 22 2005 - 15:12:17 PDT