Codechecker redesign updates - se module


krishnan parthasarathi

Oct 24, 2010, 2:51:10 PM
to codec...@googlegroups.com
Hi all,
I have modified setuid_helper to become an easy-to-use shared library. Most
importantly, now it is accessible from Python code as well (see secexec.py for
details). What this means to us is that earlier we used to create a new process
to run the setuid_helper from the codechecker process. Now we will call into
the shared library to run the submission in a secure manner, thereby
eliminating creation of one extra process. secexec.c is the file that contains
the 'secure_spawn' function which is the only method that is exported.
secexec.py is the Python module that wraps the shared lib using ctypes.
Let me know if any clarification on this push is needed.

--
--Krishnan Parthasarathi

krishnan parthasarathi

Nov 15, 2010, 3:13:33 PM
to codec...@googlegroups.com
Hi all,
The setuid helper via a shared library idea is not feasible. This idea was an extension of a minor misunderstanding I had about privilege inheritance in Unix systems. I was under the impression that when we invoke a function in a library which is a setuid root file, the process's privileges would get escalated. This is *wrong*, for the following reason. The privilege of a process can be altered using the file permissions of the executable only during process creation. After creation of the process, the only way to alter the credentials of a process is by using setuid calls.
I have reverted the se module to have a setuid helper binary as before. But I have taken this opportunity to clean up the setuid helper code and give it a new name - secexec. This functionality is now accessible via the se.secexec.secure_spawn Python function. The function takes arguments the same way as subprocess.Popen().

cheers,
--
--Krishnan Parthasarathi
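
The behaviour described in the second message can be observed directly: marking a shared library setuid/setgid and loading it through ctypes leaves the loading process's IDs untouched. This is an added example, not code from the thread or from the se module; it assumes a Unix system, and the function names and the use of a Python stdlib extension module as the library to copy are illustrative choices.

```python
import ctypes
import importlib
import os
import shutil
import stat
import tempfile

# Assumption: at least one of these stdlib modules ships as a shared object.
CANDIDATES = ("_struct", "math", "select", "_socket", "_ctypes")


def find_shared_object():
    """Path of a shared object we can copy and load, or None."""
    for name in CANDIDATES:
        try:
            path = getattr(importlib.import_module(name), "__file__", None)
        except ImportError:
            continue
        if path and path.endswith(".so"):
            return path
    return None


def creds():
    """(real uid, effective uid, real gid, effective gid) of this process."""
    return os.getuid(), os.geteuid(), os.getgid(), os.getegid()


def load_setid_library():
    """Load a setuid/setgid-marked library copy; report IDs before and after."""
    result = {"before": creds(), "mode": None, "loaded": False}
    src = find_shared_object()
    with tempfile.TemporaryDirectory() as tmp:
        if src:
            copy = shutil.copy(src, os.path.join(tmp, "marked_copy.so"))
            # Give the copy a group other than our effective one when we can,
            # so an honoured setgid bit would be visible in the result.
            other = [g for g in os.getgroups() if g != os.getegid()]
            try:
                if other:
                    os.chown(copy, -1, other[0])
                os.chmod(copy, 0o6755)  # rwsr-sr-x
                result["mode"] = stat.filemode(os.stat(copy).st_mode)
                ctypes.CDLL(copy)  # dlopen(): maps the file, no exec
                result["loaded"] = True
            except OSError:
                pass  # step refused on this system; IDs are still compared
        result["after"] = creds()
    return result
```

The returned `mode` shows the bits that were set on the copy, and `before` and `after` come back identical whether or not the load succeeded.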
