[Twisted-Python] tap security problem

Paul Boehm typo at soniq.net
Wed Oct 9 21:44:45 EDT 2002


On Sat, Oct 05, 2002 at 01:53:05PM -0500, Glyph Lefkowitz wrote:
> On Sat, 5 Oct 2002 14:48:22 +0200, Paul Boehm <typo at soniq.net> wrote:
> > As uid/gid are part of the Application, a compromised application can write
> > a shutdown.tap with different uid/gids.
> 
> Why, in a security-conscious environment, are you allowing the uid/gid that the
> server is running as to even _read_ the .tap?  In any event, the .tap is
> effectively an SUID binary, and should be writable only by root.

why wouldn't i allow the uid/gid that the server is running as to read the tap?
after all, the tap is nothing but a snapshot of the running application?

if twistd did setuid() etc. calls before loading the tap, this would yield
a definite improvement in security. e.g. chroot already is defined by twistd,
presumably because it too requires root privileges to be used.

> The whole notion of this automatic persistence is somewhat at odds with that of
> security - .tap persistence is very explicitly designed to have no security
> constraints whatsoever, but to be very convenient.  If you need both
> persistence and security, then you have to design your persistence mechanism to
> constrain what can be persisted.  Pickle effectively allows literal code to be
> stored and executed.

the persisted tap shouldn't allow me to do anything i couldn't do with a
hijacked application running at some uid. i don't see why i shouldn't be able
to load a tap and run it with less privileges.

as i see it, tap r/w access shouldn't be any different from application code access
in terms of severity.

  paul
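An added illustration, not code from this thread or from Twisted, of the check Glyph's reply implies: treat the .tap like an SUID binary and refuse to unpickle it unless it is owned by the trusted uid (root by default) and nobody else can write to it or to its directory. The function names and the default of uid 0 are assumptions.

```python
import os
import stat

# Constructed example: a daemon that unpickles a .tap before dropping
# privileges executes whatever the file's writer put in it, so the file
# must be as tightly controlled as the daemon's own code. These helpers
# are hypothetical and not part of twistd.

def tap_problems(path, trusted_uid=0):
    """Return the reasons the .tap at `path` must not be loaded.

    An empty list means every check passed:
      - regular file, reached without following a symlink,
      - owned by `trusted_uid`,
      - not writable by group or others,
      - parent directory not world-writable (unless sticky, like /tmp).
    """
    problems = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["file does not exist"]
    if stat.S_ISLNK(st.st_mode):
        # Do not follow it: the link target could be any file at all.
        return ["is a symlink"]
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != trusted_uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, trusted_uid))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others (mode %o)"
                        % stat.S_IMODE(st.st_mode))
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
        problems.append("directory %s is world-writable" % parent)
    return problems


def open_trusted_tap(path, trusted_uid=0):
    """Open the .tap for reading only if tap_problems() finds nothing."""
    problems = tap_problems(path, trusted_uid)
    if problems:
        raise PermissionError("refusing to load %s: %s"
                              % (path, "; ".join(problems)))
    return open(path, "rb")
```

A caller would pass the returned file object to pickle only after this check, and would still run the check before setuid() so the unprivileged account cannot swap the file in between.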
