dma user config

Matthew Dillon dillon at apollo.backplane.com
Sun Feb 3 13:55:01 PST 2008


:Running a setuid root binary or having root starting a setuid process=20
:doesn't make much of a difference, no?
:
:cheers
:   simon

    Huge difference.  A suid-root binary is run by a user, in a context
    provided by the user.  e.g. environment variables, current directory,
    resource limits, and other things.  It's a huge security hole.

    A root process run by another root process is run in a context
    controlled by that other root process and not the user.

    It is much, much safer to start as root and drop privileages in a
    controlled environment then it is to start as a user and increase
    privileages by exec'ing a suid-root binary.

						-Matt






More information about the Kernel mailing list