[Twisted-Python] tap security problem

Paul Boehm typo at soniq.net
Wed Oct 9 19:44:45 MDT 2002


On Sat, Oct 05, 2002 at 01:53:05PM -0500, Glyph Lefkowitz wrote:
> On Sat, 5 Oct 2002 14:48:22 +0200, Paul Boehm <typo at soniq.net> wrote:
> > As uid/gid are part of the Application, a compromised application can write
> > a shutdown.tap with different uid/gids.
> 
> Why, in a security-conscious environment, are you allowing the uid/gid that the
> server is running as to even _read_ the .tap?  In any event, the .tap is
> effectively an SUID binary, and should be writable only by root.

why wouldn't i allow the uid/gid that the server is running at, to read the tap?
after all the the tap is nothing but a snapshot of the running application?

if twistd did setuid() etc. calls before loading the tap, this would yield
a definite improvement in security. e.g. chroot already is defined by twistd,
presumably because it too requires root privileges to be used.

> The whole notion of this automatic persistence is somewhat at odds with that of
> security - .tap persistence is very explicitly designed to have no security
> constraints whatsoever, but to be very convenient.  If you need both
> persistence and security, then you have to design your persistence mechanism to
> constrain what can be persisted.  Pickle effectively allows literal code to be
> stored and executed.

the persisted tap shouldn't allow me to do anything i couldn't do with a
hijacked application running at some uid. i don't see why i shouldn't be able
to load a tap and run it with less privileges.

as i see it, tap r/w access shouldn't be any different from application code access 
in terms of severity.

  paul




More information about the Twisted-Python mailing list