o The suidgw finds /usr/lib/suidgw/$SCRIPT and checks that the current
(real) user is allowed to run it.
- o Then it switches the effective and saved UID and runs the script.
+ o Then it switches real, effective, and saved UID and runs the script.
Environment variables are sanitized (currently, the whole environment
is reset; in the future, we may propagate some variables if needed)
and so are file descriptors (we make sure that fd's 0 to 2 exist).
o The action is logged to the syslog (facility auth, level info).
+
+
+CAVEAT: We do not emulate proper POSIX real/effective/saved UID semantics,
+because when a recent Perl interpreter detects that real != effective, it
+refuses to run. Therefore we set all three UIDs and GIDs to the new effective
+user/group and record the ID's of the caller in environment variables ORIG_UID
+and ORIG_GID. Still, Linux kernel notices the UID changes and marks the task
+as undumpable, so this should be secure.
projects / suidgw.git / blobdiff